Bug 7095 - openswan missing update for several security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
Assigned To: QA Team
: MGA1TOO has_procedure mga2-32-OK mga2...
: validated_update
Reported: 2012-08-17 18:58 CEST by David Walser
Modified: 2012-10-20 17:29 CEST (History)

See Also:
Source RPM: openswan-2.6.28-2.mga1.src.rpm
CVE:


Attachments
openswan-cve-2010-3302-3308.patch (9.50 KB, patch)
2012-08-17 19:52 CEST, David Walser
openswan-cve-2011-4073.patch (4.00 KB, patch)
2012-08-17 19:52 CEST, David Walser

Description David Walser 2012-08-17 18:58:34 CEST
RedHat has issued an advisory on November 16, 2010:
https://rhn.redhat.com/errata/RHSA-2010-0892.html

This fixes the following CVEs:
CVE-2010-3308 and CVE-2010-3302 (fixed in 2.6.29)
CVE-2010-3752 and CVE-2010-3753 (presumably fixed in 2.6.29)

RedHat has issued an advisory on November 2, 2011:
http://rhn.redhat.com/errata/RHSA-2011-1422.html

This fixes the following CVE:
CVE-2011-4073 (fixed in 2.6.37)

There may be other issues that I missed.

Mageia 1 and Mageia 2 are also affected.

CVE links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
Comment 1 David Walser 2012-08-17 19:51:21 CEST
Those look like the only ones.  The patch for CVE-2011-4073 applies cleanly.

The patch for the other issues needs to be re-diffed.
Comment 2 David Walser 2012-08-17 19:52:20 CEST
Created attachment 2653 [details]
openswan-cve-2010-3302-3308.patch

RedHat patch to fix the first 4 issues, needs to be re-diffed.
Comment 3 David Walser 2012-08-17 19:52:52 CEST
Created attachment 2654 [details]
openswan-cve-2011-4073.patch

RedHat patch for CVE-2011-4073
Comment 4 David Walser 2012-10-15 16:36:38 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated openswan packages fix security vulnerabilities:

Two buffer overflow flaws were found in the Openswan client-side XAUTH
handling code used when connecting to certain Cisco gateways. A malicious
or compromised VPN gateway could use these flaws to execute arbitrary code
on the connecting Openswan client (CVE-2010-3302, CVE-2010-3308).

Two input sanitization flaws were found in the Openswan client-side
handling of Cisco gateway banners. A malicious or compromised VPN gateway
could use these flaws to execute arbitrary code on the connecting Openswan
client (CVE-2010-3752, CVE-2010-3753).

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used
cryptographic helpers. A remote, authenticated attacker could send a
specially-crafted IKE packet that would crash the pluto daemon. This issue
only affected SMP (symmetric multiprocessing) systems that have the
cryptographic helpers enabled (CVE-2011-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
https://rhn.redhat.com/errata/RHSA-2010-0892.html
http://rhn.redhat.com/errata/RHSA-2011-1422.html
========================

Updated packages in core/updates_testing:
========================
openswan-2.6.28-2.1.mga1
openswan-doc-2.6.28-2.1.mga1
openswan-2.6.28-2.1.mga2
openswan-doc-2.6.28-2.1.mga2

from SRPMS:
openswan-2.6.28-2.1.mga1.src.rpm
openswan-2.6.28-2.1.mga2.src.rpm
Comment 5 Dave Hodgins 2012-10-16 02:02:50 CEST
No poc, so I'll be testing this following 
http://www.scribd.com/doc/15585156/Openswan-Installation-and-Configuration-Tutorial
Comment 6 Dave Hodgins 2012-10-16 03:17:08 CEST
Found another tutorial that looks a bit easier to follow at
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3845966/Build-an-IPSEC-VPN-Without-Losing-Your-Mind.htm
Comment 7 claire robinson 2012-10-18 11:57:10 CEST
Just testing the ipsec service starts and stops without error.

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.28...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

# service ipsec status
IPsec running  - pluto pid: 9504
pluto pid 9504
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

Testing complete mga2 32
Comment 8 claire robinson 2012-10-18 12:38:01 CEST
On mga2 64:

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.28...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

I have to use ctrl-c to interrupt it as it just sits as if it's waiting for something which never arrives. Not a regression though and could be due to lack of proper configuration.

# service ipsec status
IPsec running  - pluto pid: 12171
pluto pid 12171
No tunnels up

Shows it is actually starting.

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

I don't see any different messages in syslog between 32-bit and 64-bit, but 32-bit does start without having to use ctrl-c with the default configuration.

I guess testing complete mga2 64 unless there is an obvious reason for this?
Comment 9 Dave Hodgins 2012-10-18 20:11:30 CEST
The long wait is due to the key generation process reading from
/dev/random, rather than /dev/urandom.  To provide the random data, you
either have to wait for the normal interrupts to provide enough, or open
an editor, and start typing.  Note the key generation is only done once.

Testing complete Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
openswan-2.6.28-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core updates and the srpm
openswan-2.6.28-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated openswan packages fix security vulnerabilities:

Two buffer overflow flaws were found in the Openswan client-side XAUTH
handling code used when connecting to certain Cisco gateways. A malicious
or compromised VPN gateway could use these flaws to execute arbitrary code
on the connecting Openswan client (CVE-2010-3302, CVE-2010-3308).

Two input sanitization flaws were found in the Openswan client-side
handling of Cisco gateway banners. A malicious or compromised VPN gateway
could use these flaws to execute arbitrary code on the connecting Openswan
client (CVE-2010-3752, CVE-2010-3753).

A use-after-free flaw was found in the way Openswan's pluto IKE daemon used
cryptographic helpers. A remote, authenticated attacker could send a
specially-crafted IKE packet that would crash the pluto daemon. This issue
only affected SMP (symmetric multiprocessing) systems that have the
cryptographic helpers enabled (CVE-2011-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3302
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073
https://rhn.redhat.com/errata/RHSA-2010-0892.html
http://rhn.redhat.com/errata/RHSA-2011-1422.html

https://bugs.mageia.org/show_bug.cgi?id=7095
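The start/status/stop check from comments 7 and 8, plus the /dev/random explanation in comment 9, scripted as a repeatable QA check. This is an added example, not from the bug report or the openswan project: it assumes a Linux /proc, coreutils `timeout` and `head`, and the `service ipsec` output format quoted above; the SAMPLE_* strings are constructed from that quoted output. The entropy check runs first because the initial `service ipsec start` generates keys from /dev/random and stalls until the pool has filled.

```shell
#!/bin/sh
# Added example (not from the bug report or openswan): scripted QA cycle for
# the ipsec service with a pre-flight look at the kernel entropy pool.
# Assumes Linux /proc, coreutils `timeout`/`head`, and the `service ipsec`
# status text quoted in the report. SAMPLE_* strings below are constructed.

# Kernel's current estimate of available entropy bits (0 if the file is absent).
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo 0
    fi
}

# Read N bytes from DEV, giving up after SECS seconds. Prints the number of
# bytes actually obtained: /dev/urandom always returns N, while /dev/random on
# an entropy-starved older kernel returns fewer, which is the stall the
# report describes during the first key generation.
read_random_bytes() {
    dev=$1; n=$2; secs=$3
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" head -c "$n" "$dev" 2>/dev/null | wc -c | tr -d ' '
    else
        head -c "$n" "$dev" 2>/dev/null | wc -c | tr -d ' '
    fi
}

# Extract the pluto pid from `service ipsec status` text on stdin
# (prints nothing when the daemon is not running).
pluto_pid_from_status() {
    sed -n 's/^IPsec running *- pluto pid: \([0-9][0-9]*\).*/\1/p'
}

# Succeed only when the status text on stdin reports a running pluto.
ipsec_is_running() {
    [ -n "$(pluto_pid_from_status)" ]
}

# Succeed only when the status text on stdin reports IPsec stopped.
ipsec_is_stopped() {
    grep -q '^IPsec stopped'
}

# Drive the real service through one start/status/stop cycle.
# Run as root on the test machine: check_ipsec_cycle
check_ipsec_cycle() {
    echo "entropy_avail before start: $(entropy_avail) bits"
    service ipsec start || { echo "start failed"; return 1; }
    service ipsec status | ipsec_is_running || { echo "pluto not running"; return 1; }
    service ipsec stop || { echo "stop failed"; return 1; }
    service ipsec status | ipsec_is_stopped || { echo "still running"; return 1; }
    echo "ipsec start/status/stop cycle OK"
}

# Constructed sample status output, shaped like the lines quoted in the report.
SAMPLE_RUNNING='IPsec running  - pluto pid: 9504
pluto pid 9504
No tunnels up'
SAMPLE_STOPPED='IPsec stopped'
```

If `entropy_avail` reports a low value before the first start, expect the stall described in comment 9 rather than a regression; the parsing helpers let the cycle be checked without reading the output by eye.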
Comment 10 Thomas Backlund 2012-10-20 17:29:37 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0300
