CVE-2009-2661
First published: Tue Aug 04 2009(Updated: )
The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before 4.2.17, and 4.3 before 4.3.3 does not properly handle X.509 certificates with crafted Relative Distinguished Names (RDNs), which allows remote attackers to cause a denial of service (pluto IKE daemon crash) via malformed ASN.1 data. NOTE: this is due to an incomplete fix for CVE-2009-2185.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| strongSwan | =2.8.0 | |
| strongSwan | =2.8.1 | |
| strongSwan | =4.2.12 | |
| strongSwan | =4.2.10 | |
| strongSwan | =2.8.8 | |
| strongSwan | =2.8.4 | |
| strongSwan | =4.2.16 | |
| strongSwan | =4.2.14 | |
| strongSwan | =2.8.3 | |
| strongSwan | =4.2.3 | |
| strongSwan | =4.3.2 | |
| strongSwan | =4.2.0 | |
| strongSwan | =4.2.1 | |
| strongSwan | =2.8.7 | |
| strongSwan | =4.2.13 | |
| strongSwan | =4.3.0 | |
| strongSwan | =2.8.6 | |
| strongSwan | =4.2.11 | |
| strongSwan | =2.8.10 | |
| strongSwan | =4.2.2 | |
| strongSwan | =4.3.1 | |
| strongSwan | =4.2.15 | |
| strongSwan | =2.8.5 | |
| strongSwan | =2.8.2 |
Remedy
http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.x.x_asn1_length.patch
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2009/07/27/1
- https://lists.strongswan.org/pipermail/announce/2009-July/000056.html
- http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.x.x_asn1_length.patch
- http://download.strongswan.org/patches/07_asn1_length_patch/strongswan-4.3.x_asn1_length.patch
- http://www.vupen.com/english/advisories/2009/2247
- http://up2date.astaro.com/2009/08/up2date_7505_released.html
- http://secunia.com/advisories/36922
- http://www.debian.org/security/2009/dsa-1899
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
Frequently Asked Questions
What is the severity of CVE-2009-2661?
CVE-2009-2661 is classified as a denial of service vulnerability affecting specific versions of strongSwan.
How do I fix CVE-2009-2661?
To address CVE-2009-2661, you should upgrade to strongSwan version 2.8.11, 4.2.17, or 4.3.3 or later.
What software versions are affected by CVE-2009-2661?
CVE-2009-2661 affects strongSwan versions 2.8.0 to 2.8.10 and 4.2.0 to 4.2.16.
What impact does CVE-2009-2661 have on systems?
CVE-2009-2661 allows attackers to crash the pluto IKE daemon, resulting in a denial of service.
Is CVE-2009-2661 a remotely exploitable vulnerability?
Yes, CVE-2009-2661 can be exploited remotely by sending crafted ASN.1 data to the affected strongSwan versions.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/strongswan
- canonical/strongswan
- version/strongswan/2.8.0
- version/strongswan/2.8.1
- version/strongswan/4.2.12
- version/strongswan/4.2.10
- version/strongswan/2.8.8
- version/strongswan/2.8.4
- version/strongswan/4.2.16
- version/strongswan/4.2.14
- version/strongswan/2.8.3
- version/strongswan/4.2.3
- version/strongswan/4.3.2
- version/strongswan/4.2.0
- version/strongswan/4.2.1
- version/strongswan/2.8.7
- version/strongswan/4.2.13
- version/strongswan/4.3.0
- version/strongswan/2.8.6
- version/strongswan/4.2.11
- version/strongswan/2.8.10
- version/strongswan/4.2.2
- version/strongswan/4.3.1
- version/strongswan/4.2.15
- version/strongswan/2.8.5
- version/strongswan/2.8.2