ID

VAR-202110-1670


CVE

CVE-2021-41991


TITLE

strongSwan  Integer overflow vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-007493

DESCRIPTION

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility. strongSwan Exists in an integer overflow vulnerability.Denial of service (DoS) It may be put into a state. ========================================================================== Ubuntu Security Notice USN-5111-1 October 19, 2021 strongswan vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 21.04 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in strongSwan. Software Description: - strongswan: IPsec VPN solution Details: It was discovered that strongSwan incorrectly handled certain RSASSA-PSS signatures. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service. (CVE-2021-41990) It was discovered that strongSwan incorrectly handled replacing certificates in the cache. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-41991) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: libstrongswan 5.9.1-1ubuntu3.1 strongswan 5.9.1-1ubuntu3.1 Ubuntu 21.04: libstrongswan 5.9.1-1ubuntu1.2 strongswan 5.9.1-1ubuntu1.2 Ubuntu 20.04 LTS: libstrongswan 5.8.2-1ubuntu3.3 strongswan 5.8.2-1ubuntu3.3 Ubuntu 18.04 LTS: libstrongswan 5.6.2-1ubuntu2.7 strongswan 5.6.2-1ubuntu2.7 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5111-1 CVE-2021-41990, CVE-2021-41991 Package Information: https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu3.1 https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu1.2 https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.3 https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.7 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4989-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez October 18, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : strongswan CVE ID : CVE-2021-41990 CVE-2021-41991 Researchers at the United States of America National Security Agency (NSA) identified two denial of services vulnerability in strongSwan, an IKE/IPsec suite. CVE-2021-41990 RSASSA-PSS signatures whose parameters define a very high salt length can trigger an integer overflow that can lead to a segmentation fault. Generating a signature that bypasses the padding check to trigger the crash requires access to the private key that signed the certificate. However, the certificate does not have to be trusted. Because the gmp and the openssl plugins both check if a parsed certificate is self-signed (and the signature is valid), this can e.g. be triggered by an unrelated self-signed CA certificate sent by an initiator. Depending on the generated random value, this could lead to an integer overflow that results in a double-dereference and a call using out-of-bounds memory that most likely leads to a segmentation fault. Remote code execution can't be ruled out completely, but attackers have no control over the dereferenced memory, so it seems unlikely at this point. For the oldstable distribution (buster), these problems have been fixed in version 5.7.2-1+deb10u1. For the stable distribution (bullseye), these problems have been fixed in version 5.9.1-1+deb11u1. We recommend that you upgrade your strongswan packages. For the detailed security status of strongswan please refer to its security tracker page at: https://security-tracker.debian.org/tracker/strongswan Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmFtyAUACgkQ3rYcyPpX RFudiwf+NNcRRRJychLI5ycMKVxkr2tEAJDeVZjv966YBM1tXnCtROydXf5Zip2M dn/EYO71uuT5FKhs8tJyx5iv2bFcrvyqQQo6DFQvXZHR0+9U+MHcR9qB7JJDM4nK +JXOEmAv3akCFhiP6jMx5B6jRWR1e4MOwxmgrgGu/nwy2cYBQPI43qPTrXi3Fcnv eSgeyLqyZNLmaGmj8jQfTnc8bdVF5xAs6mHhVqNJxQCdouG9b4/S6AxJsl3IMxyF WZhtCNUvhHH8wz0lZVElR3Qs6fUu0phKdlT9kBv/o6fP3ceiYOCEh8SqBgYU3hQL xyB0uP4EcSR70TvKZMB2jV/tGG1A8w== =/Xvi -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202405-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: strongSwan: Multiple Vulnerabilities Date: May 04, 2024 Bugs: #818841, #832460, #878887, #899964 ID: 202405-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in strongSwan, the worst of which could possibly lead to remote code execution. Background ========= strongSwan is an IPSec implementation for Linux. Affected packages ================ Package Vulnerable Unaffected ------------------ ------------ ------------ net-vpn/strongswan < 5.9.10 >= 5.9.10 Description ========== Multiple vulnerabilities have been discovered in strongSwan. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All strongSwan users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.9.10" References ========= [ 1 ] CVE-2021-41991 https://nvd.nist.gov/vuln/detail/CVE-2021-41991 [ 2 ] CVE-2021-45079 https://nvd.nist.gov/vuln/detail/CVE-2021-45079 [ 3 ] CVE-2022-40617 https://nvd.nist.gov/vuln/detail/CVE-2022-40617 [ 4 ] CVE-2023-26463 https://nvd.nist.gov/vuln/detail/CVE-2023-26463 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202405-08 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.16

sources: NVD: CVE-2021-41991 // JVNDB: JVNDB-2021-007493 // VULHUB: VHN-403107 // VULMON: CVE-2021-41991 // PACKETSTORM: 164558 // PACKETSTORM: 164554 // PACKETSTORM: 169143 // PACKETSTORM: 178454

AFFECTED PRODUCTS

vendor:siemensmodel:scalance sc632-2cscope:eqversion: -

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:siemensmodel:siplus s7-1200 cp 1243-1scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:scalance sc642-2cscope:eqversion: -

Trust: 1.0

vendor:strongswanmodel:strongswanscope:ltversion:5.9.4

Trust: 1.0

vendor:siemensmodel:simatic net cp 1545-1scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:simatic cp 1542sp-1 ircscope:eqversion: -

Trust: 1.0

vendor:strongswanmodel:strongswanscope:gteversion:4.2.10

Trust: 1.0

vendor:siemensmodel:simatic cp 1242-7 gprs v2scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:scalance sc636-2cscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:simatic net cp1243-7 lte euscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:scalance sc622-2cscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:sinema remote connect serverscope:eqversion: -

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:33

Trust: 1.0

vendor:siemensmodel:siplus et 200sp cp 1543sp-1 isec tx railscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:siplus et 200sp cp 1543sp-1 isecscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:siplus et 200sp cp 1542sp-1 irc tx railscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:siplus s7-1200 cp 1243-1 railscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:cp 1543-1scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:simatic cp 1543sp-1scope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:35

Trust: 1.0

vendor:siemensmodel:simatic cp 1243-7 lte\/usscope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:11.0

Trust: 1.0

vendor:siemensmodel:simatic cp 1542sp-1scope:eqversion: -

Trust: 1.0

vendor:siemensmodel:simatic net cp 1243-8 ircscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:simatic cp 1243-1scope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:siemensmodel:scalance sc646-2cscope:ltversion:2.3

Trust: 1.0

vendor:siemensmodel:siplus net cp 1543-1scope:eqversion: -

Trust: 1.0

vendor:fedoramodel:fedorascope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:strongswanmodel:strongswanscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007493 // NVD: CVE-2021-41991

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41991
value: HIGH

Trust: 1.0

NVD: CVE-2021-41991
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202110-1214
value: HIGH

Trust: 0.6

VULHUB: VHN-403107
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-41991
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41991
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-403107
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41991
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-41991
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-403107 // VULMON: CVE-2021-41991 // JVNDB: JVNDB-2021-007493 // CNNVD: CNNVD-202110-1214 // NVD: CVE-2021-41991

PROBLEMTYPE DATA

problemtype:CWE-190

Trust: 1.1

problemtype:Integer overflow or wraparound (CWE-190) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-403107 // JVNDB: JVNDB-2021-007493 // NVD: CVE-2021-41991

THREAT TYPE

remote

Trust: 0.9

sources: PACKETSTORM: 164558 // PACKETSTORM: 164554 // PACKETSTORM: 178454 // CNNVD: CNNVD-202110-1214

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202110-1214

PATCH

title:strongSwan Vulnerability (CVE-2021-41991)url:https://lists.debian.org/debian-lts-announce/2021/10/msg00014.html

Trust: 0.8

title:strongSwan Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166640

Trust: 0.6

title:Debian Security Advisories: DSA-4989-1 strongswan -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=35fdad388753f5d88f528a33acdb09b3

Trust: 0.1

title:Red Hat: CVE-2021-41991url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-41991

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-41991 log

Trust: 0.1

sources: VULMON: CVE-2021-41991 // JVNDB: JVNDB-2021-007493 // CNNVD: CNNVD-202110-1214

EXTERNAL IDS

db:NVDid:CVE-2021-41991

Trust: 3.8

db:SIEMENSid:SSA-539476

Trust: 1.7

db:JVNid:JVNVU98748974

Trust: 0.8

db:JVNDBid:JVNDB-2021-007493

Trust: 0.8

db:PACKETSTORMid:164558

Trust: 0.7

db:PACKETSTORMid:164554

Trust: 0.7

db:CS-HELPid:SB2021101947

Trust: 0.6

db:AUSCERTid:ESB-2021.3463

Trust: 0.6

db:AUSCERTid:ESB-2021.3488

Trust: 0.6

db:CNNVDid:CNNVD-202110-1214

Trust: 0.6

db:VULHUBid:VHN-403107

Trust: 0.1

db:VULMONid:CVE-2021-41991

Trust: 0.1

db:PACKETSTORMid:169143

Trust: 0.1

db:PACKETSTORMid:178454

Trust: 0.1

sources: VULHUB: VHN-403107 // VULMON: CVE-2021-41991 // JVNDB: JVNDB-2021-007493 // PACKETSTORM: 164558 // PACKETSTORM: 164554 // PACKETSTORM: 169143 // PACKETSTORM: 178454 // CNNVD: CNNVD-202110-1214 // NVD: CVE-2021-41991

REFERENCES

url:https://www.debian.org/security/2021/dsa-4989

Trust: 1.9

url:https://github.com/strongswan/strongswan/releases/tag/5.9.4

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2021/10/msg00014.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-41991

Trust: 1.8

url:https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf

Trust: 1.7

url:https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-%28cve-2021-41991%29.html

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5fjsatd2r2xhtg4p63gcmq2n7ewkmme5/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wqsq3bec22nf4ncdzvct4p3q2ziajxgj/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/y3tq32jljobjdb2ejksx2pbpb5nfg2d4/

Trust: 1.0

url:https://jvn.jp/vu/jvnvu98748974/

Trust: 0.8

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5fjsatd2r2xhtg4p63gcmq2n7ewkmme5/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/y3tq32jljobjdb2ejksx2pbpb5nfg2d4/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wqsq3bec22nf4ncdzvct4p3q2ziajxgj/

Trust: 0.7

url:https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2021-41991

Trust: 0.6

url:https://vigilance.fr/vulnerability/strongswan-integer-overflow-via-in-memory-certificate-cache-36667

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3463

Trust: 0.6

url:https://packetstormsecurity.com/files/164558/ubuntu-security-notice-usn-5111-2.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021101947

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3488

Trust: 0.6

url:https://packetstormsecurity.com/files/164554/ubuntu-security-notice-usn-5111-1.html

Trust: 0.6

url:https://ubuntu.com/security/notices/usn-5111-1

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-41990

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/190.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-5111-2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu3.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/strongswan/5.9.1-1ubuntu1.2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.7

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/strongswan

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-45079

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://security.gentoo.org/glsa/202405-08

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-40617

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-26463

Trust: 0.1

sources: VULHUB: VHN-403107 // VULMON: CVE-2021-41991 // JVNDB: JVNDB-2021-007493 // PACKETSTORM: 164558 // PACKETSTORM: 164554 // PACKETSTORM: 169143 // PACKETSTORM: 178454 // CNNVD: CNNVD-202110-1214 // NVD: CVE-2021-41991

CREDITS

Ubuntu

Trust: 0.2

sources: PACKETSTORM: 164558 // PACKETSTORM: 164554

SOURCES

db:VULHUBid:VHN-403107
db:VULMONid:CVE-2021-41991
db:JVNDBid:JVNDB-2021-007493
db:PACKETSTORMid:164558
db:PACKETSTORMid:164554
db:PACKETSTORMid:169143
db:PACKETSTORMid:178454
db:CNNVDid:CNNVD-202110-1214
db:NVDid:CVE-2021-41991

LAST UPDATE DATE

2024-08-14T12:28:52.012000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-403107date:2022-04-12T00:00:00
db:VULMONid:CVE-2021-41991date:2021-10-21T00:00:00
db:JVNDBid:JVNDB-2021-007493date:2022-02-15T00:53:00
db:CNNVDid:CNNVD-202110-1214date:2022-02-09T00:00:00
db:NVDid:CVE-2021-41991date:2023-11-07T03:39:05.350

SOURCES RELEASE DATE

db:VULHUBid:VHN-403107date:2021-10-18T00:00:00
db:VULMONid:CVE-2021-41991date:2021-10-18T00:00:00
db:JVNDBid:JVNDB-2021-007493date:2022-02-15T00:00:00
db:PACKETSTORMid:164558date:2021-10-20T15:43:57
db:PACKETSTORMid:164554date:2021-10-19T15:31:42
db:PACKETSTORMid:169143date:2021-10-28T19:12:00
db:PACKETSTORMid:178454date:2024-05-06T13:54:27
db:CNNVDid:CNNVD-202110-1214date:2021-10-18T00:00:00
db:NVDid:CVE-2021-41991date:2021-10-18T14:15:10.333