CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
AI Score
Confidence
Low
EPSS
Percentile
87.8%
Debian Security Advisory DSA-2903-1 [email protected]
http://www.debian.org/security/ Yves-Alexis Perez
April 14, 2014 http://www.debian.org/security/faq
Package : strongswan
CVE ID : CVE-2014-2338
An authentication bypass vulnerability was found in charon, the daemon
handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine
handling the security association (IKE_SA) handled some state transitions
incorrectly.
An attacker can trigger the vulnerability by rekeying an unestablished
IKE_SA during the initiation itself. This will trick the IKE_SA state to
'established' without the need to provide any valid credential.
Vulnerable setups include those actively initiating IKEv2 IKE_SA (like
โclientsโ or โroadwarriorsโ) but also during re-authentication (which
can be initiated by the responder). Installations using IKEv1 (pluto
daemon in strongSwan 4 and earlier, and IKEv1 code in charon 5.x) is not
affected.
For the oldstable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.5.
For the stable distribution (wheezy), this problem has been fixed in
version 4.5.2-1.5+deb7u3.
For the unstable distribution (sid), this problem has been fixed in
version 5.1.2-4.
We recommend that you upgrade your strongswan packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: [email protected]
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 6 | mips | strongswan-dbg | <ย 4.4.1-5.5 | strongswan-dbg_4.4.1-5.5_mips.deb |
Debian | 6 | i386 | strongswan-starter | <ย 4.4.1-5.5 | strongswan-starter_4.4.1-5.5_i386.deb |
Debian | 7 | amd64 | strongswan-ikev2 | <ย 4.5.2-1.5+deb7u3 | strongswan-ikev2_4.5.2-1.5+deb7u3_amd64.deb |
Debian | 7 | mips | strongswan-dbg | <ย 4.5.2-1.5+deb7u3 | strongswan-dbg_4.5.2-1.5+deb7u3_mips.deb |
Debian | 6 | amd64 | strongswan-nm | <ย 4.4.1-5.5 | strongswan-nm_4.4.1-5.5_amd64.deb |
Debian | 6 | amd64 | strongswan-ikev2 | <ย 4.4.1-5.5 | strongswan-ikev2_4.4.1-5.5_amd64.deb |
Debian | 7 | sparc | libstrongswan | <ย 4.5.2-1.5+deb7u3 | libstrongswan_4.5.2-1.5+deb7u3_sparc.deb |
Debian | 6 | armel | strongswan-ikev1 | <ย 4.4.1-5.5 | strongswan-ikev1_4.4.1-5.5_armel.deb |
Debian | 7 | s390 | libstrongswan | <ย 4.5.2-1.5+deb7u3 | libstrongswan_4.5.2-1.5+deb7u3_s390.deb |
Debian | 7 | mipsel | libstrongswan | <ย 4.5.2-1.5+deb7u3 | libstrongswan_4.5.2-1.5+deb7u3_mipsel.deb |