strongSwan OpenSSL插件身份验证绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1168052 漏洞类型 授权问题
发布时间 2013-04-30 更新时间 2013-09-03
CVE编号 CVE-2013-2944 CNNVD-ID CNNVD-201305-022
漏洞平台 N/A CVSS评分 4.9
|漏洞来源
https://www.securityfocus.com/bid/59580
https://cxsecurity.com/issue/WLB-2013040210
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201305-022
|漏洞详情
strongSwan是瑞士软件开发者AndreasSteffen所维护的一套Linux平台使用的开源的基于IPsec的VPN解决方案。该方案包含X.509公开密钥证书、安全储存私钥、智能卡等认证机制。strongSwan4.3.5至5.0.3版本中存在漏洞。当ECDSA签名验证使用OpenSSL插件时,远程攻击者可通过非法的签名利用该漏洞作为其他用户进行身份验证。
|漏洞EXP
We just released strongSwan 5.0.4, which fixes a security vulnerability
(CVE-2013-2944) that exists in all versions since 4.3.5 and up to 5.0.3.

If the strongSwan "openssl" plugin is used for ECDSA signature
verification, an empty, zeroed or otherwise invalid signature is handled
as a legitimate one.

Affected are only installations that have enabled and loaded the OpenSSL
crypto backend (--enable-openssl).  Builds using the default crypto
backends are not affected.

While this new ECDSA vulnerability is very similar to the RSA signature
vulnerability CVE-2012-2388, it is not directly related.

A connection definition using ECDSA authentication is required to
exploit this vulnerability.  Given that, an attacker presenting a forged
signature and/or certificate can authenticate as any legitimate user.
Injecting code is not possible by such an attack.

The patch at [1] fixes the vulnerability and should apply to all
affected versions.  strongSwan 5.0.4 includes the fix and other minor
changes and can be downloaded from [2].

This vulnerability was discovered by Kevin Wojtysiak, an independent
Security Consultant.  We want to express our thanks to Kevin for
notifying us in advance about this critical security issue.

The above information can also be found in our blog entry at [3].

Our apologies for having such a serious vulnerability in the strongSwan
codebase.

Kind Regards,
Tobias

[1] http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/
[2] http://www.strongswan.org/download.html
[3] http://www.strongswan.org/strongswan-5.0.4-released-(cve-2013-2944).html
|受影响的产品
strongSwan strongSwan 4.4.1 strongSwan strongSwan 4.4 strongSwan strongSwan 4.3.7 strongSwan strongSwan 4.3.6 strongSwan strongSwan 4.3.5 Gentoo Linux D
|参考资料

来源:www.strongswan.org
链接:http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-(cve-2013-2944).html
来源:BID
名称:59580
链接:http://www.securityfocus.com/bid/59580
来源:DEBIAN
名称:DSA-2665
链接:http://www.debian.org/security/2013/dsa-2665
来源:download.strongswan.org
链接:http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/strongswan-4.3.5-5.0.3_openssl_ecdsa_signature.patch
来源:SECUNIA
名称:53224
链接:http://secunia.com/advisories/53224
来源:SECUNIA
名称:53231
链接:http://secunia.com/advisories/53231