Details of VAR-201411-0042

ID

VAR-201411-0042

CVE

CVE-2014-2037

TITLE

Openswan IKEv2 Payloads Incomplete Fix Remote Denial of Service Vulnerability

Trust: 0.9

sources: CNVD: CNVD-2014-01142 // BID: 65629

DESCRIPTION

Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466. Openswan is a VPN implemented using ipsec technology. Openswan is prone to a remote denial-of-service vulnerability. Openswan 2.6.40 and prior are vulnerable

Trust: 2.43

sources: NVD: CVE-2014-2037 // JVNDB: JVNDB-2014-005646 // CNVD: CNVD-2014-01142 // BID: 65629

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-01142

AFFECTED PRODUCTS

vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.40	Trust: 1.4
vendor:	xelerance	model:	openswan	scope:	eq	version:	2.6.40	Trust: 1.0
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.25/2.6.26/2.6.27/2.6.28	Trust: 0.6
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.29-2.6.37	Trust: 0.6
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.37	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.22	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.21	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.20	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.16	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.36	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.35	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.33	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.29	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.28	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.27	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.26	Trust: 0.3
vendor:	openswan	model:	openswan	scope:	eq	version:	2.6.25	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3

sources: CNVD: CNVD-2014-01142 // BID: 65629 // JVNDB: JVNDB-2014-005646 // CNNVD: CNNVD-201411-450 // NVD: CVE-2014-2037

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2037
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-2037
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-01142
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201411-450
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2014-2037
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-01142
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-01142 // JVNDB: JVNDB-2014-005646 // CNNVD: CNNVD-201411-450 // NVD: CVE-2014-2037

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2014-005646 // NVD: CVE-2014-2037

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-450

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201411-450

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005646

PATCH

title:	Openswan 2.6.41 released	url:	https://lists.openswan.org/pipermail/users/2014-February/022898.html	Trust: 0.8
title:	Openswan IKEv2 Payloads Incomplete Fix Remote Denial of Service Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/43764	Trust: 0.6
title:	openswan-2.6.41	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=52570	Trust: 0.6

sources: CNVD: CNVD-2014-01142 // JVNDB: JVNDB-2014-005646 // CNNVD: CNNVD-201411-450

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2037	Trust: 3.3
db:	BID	id:	65629	Trust: 2.5
db:	OPENWALL	id:	OSS-SECURITY/2014/02/18/1	Trust: 1.6
db:	OPENWALL	id:	OSS-SECURITY/2014/02/20/2	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-005646	Trust: 0.8
db:	CNVD	id:	CNVD-2014-01142	Trust: 0.6
db:	CNNVD	id:	CNNVD-201411-450	Trust: 0.6

sources: CNVD: CNVD-2014-01142 // BID: 65629 // JVNDB: JVNDB-2014-005646 // CNNVD: CNNVD-201411-450 // NVD: CVE-2014-2037

REFERENCES

url:	http://www.securityfocus.com/bid/65629	Trust: 2.2
url:	http://www.openwall.com/lists/oss-security/2014/02/20/2	Trust: 1.6
url:	https://lists.openswan.org/pipermail/users/2014-february/022898.html	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2014/02/18/1	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2037	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2037	Trust: 0.8

sources: CNVD: CNVD-2014-01142 // JVNDB: JVNDB-2014-005646 // CNNVD: CNNVD-201411-450 // NVD: CVE-2014-2037

CREDITS

Paul Wouters

Trust: 0.9

sources: BID: 65629 // CNNVD: CNNVD-201411-450

SOURCES

db:	CNVD	id:	CNVD-2014-01142
db:	BID	id:	65629
db:	JVNDB	id:	JVNDB-2014-005646
db:	CNNVD	id:	CNNVD-201411-450
db:	NVD	id:	CVE-2014-2037

LAST UPDATE DATE

2024-11-23T23:09:21.425000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-01142	date:	2014-02-24T00:00:00
db:	BID	id:	65629	date:	2014-11-25T00:55:00
db:	JVNDB	id:	JVNDB-2014-005646	date:	2014-11-27T00:00:00
db:	CNNVD	id:	CNNVD-201411-450	date:	2019-07-30T00:00:00
db:	NVD	id:	CVE-2014-2037	date:	2024-11-21T02:05:30.630

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-01142	date:	2014-02-21T00:00:00
db:	BID	id:	65629	date:	2014-02-18T00:00:00
db:	JVNDB	id:	JVNDB-2014-005646	date:	2014-11-27T00:00:00
db:	CNNVD	id:	CNNVD-201411-450	date:	2014-02-18T00:00:00
db:	NVD	id:	CVE-2014-2037	date:	2014-11-26T15:59:00.090