Openswan XAUTH remote overflow and Command Injection Vulnerabilities

Release date:
Updated on: 2010-09-30

Affected Systems:
Openswan 2.6.x
Unaffected system:
Openswan 2.6.29
Description:
--------------------------------------------------------------------------------
Bugtraq id: 43588
Cve id: CVE-2010-3302, CVE-2010-3308

Openswan is an IPSEC implementation in Linux based on the FreeS/WAN project.

Openswan XAUTH Cisco processing code has multiple security vulnerabilities. When openswan is connected to a malicious gateway, cisco_dns_info and cisco_domain_info are declared as fixed-length buffers. If enough DNS load is sent in a single message, the buffer overflow occurs. In addition, malicious characters in these fields are copied to fmt_common_shell_out () without being filtered, malicious commands may be injected.

<* Source: D. Hugh Redelmeier (hugh@mimosa.com)
Paul@xelerance.com (Paul Wouters)

Link: http://www.openswan.org/download/CVE-2010-3302/CVE-2010-3302.txt
Http://www.openswan.org/download/CVE-2010-3308/CVE-2010-3308.txt
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Openswan
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.openswan.org/download/openswan-2.6.29.tar.gz
Http://www.openswan.org/download/openswan-2.6.29.tar.gz.asc