#VU41717 Input validation error in strongSwan - CVE-2014-2891
Published: May 7, 2014 / Updated: April 29, 2022
Vulnerability identifier: #VU41717
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-2891
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
strongSwan
strongSwan
Software vendor:
strongswan.org
strongswan.org
Description
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and IKE daemon crash) via a crafted ID_DER_ASN1_DN ID payload. Per: http://www.strongswan.org/blog/2014/05/05/strongswan-denial-of-service-vulnerability-%28cve-2014-2891%29.html "Based on a crash report from one of our users we found that strongSwan versions before 5.1.2 are susceptible to a DoS vulnerability. Affected are strongSwan versions 4.3.3 and newer, up to 5.1.1.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00064.html
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00066.html
- http://secunia.com/advisories/59864
- http://www.debian.org/security/2014/dsa-2922
- http://www.securityfocus.com/bid/67212
- http://www.strongswan.org/blog/2014/05/05/strongswan-denial-of-service-vulnerability-(cve-2014-2891).html