#VU27710 Insufficient verification of data authenticity in openswan.org products - CVE-2019-10155
Published: May 12, 2020
Vulnerability identifier: #VU27710
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10155
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
libreswan
strongSwan
Openswan
libreswan
strongSwan
Openswan
Software vendor:
libreswan.org
strongswan.org
openswan.org
libreswan.org
strongswan.org
openswan.org
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application does not verify origin for IKEv1 informational exchange packets. A remote attacker can craft packets and make the application believe they were sent by the original user.
Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information and use this issue combined with other vulnerabilities to decrypt data.Remediation
Install updates from vendor's website.
External links
- https://access.redhat.com/errata/RHSA-2019:3391
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10155
- https://libreswan.org/security/CVE-2019-10155/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EUEXFCN7FAYBKJBQJLYCEUQUCHDEJRZW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFGPGLLKAXSLWFI62A6BZHTZSCHRCBXS/