[Pkg-swan-devel] [strongswan] 01/02: Fix CVE-2015-4171
Yves-Alexis Perez
corsac at moszumanska.debian.org
Mon Jun 8 14:51:59 UTC 2015
This is an automated email from the git hooks/post-receive script.
corsac pushed a commit to branch wheezy-security
in repository strongswan.
commit 106c42b96d01d3e3de8ce14804db9bf114628860
Author: Yves-Alexis Perez <corsac at debian.org>
Date: Thu Jun 4 09:22:01 2015 +0200
Fix CVE-2015-4171
* debian/patches:
- CVE-2015-4171_enforce_remote_auth added, fix potential leak of
authentication credential to rogue server when using PSK or EAP. This is
CVE-2015-4171.
---
debian/changelog | 9 ++
.../CVE-2015-4171_enforce_remote_auth.patch | 101 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 111 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7361bbc..0eb3192 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+strongswan (4.5.2-1.5+deb7u7) UNRELEASED; urgency=medium
+
+ * debian/patches:
+ - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
+ authentication credential to rogue server when using PSK or EAP. This is
+ CVE-2015-4171.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Thu, 04 Jun 2015 09:21:08 +0200
+
strongswan (4.5.2-1.5+deb7u6) wheezy-security; urgency=high
* debian/patches:
diff --git a/debian/patches/CVE-2015-4171_enforce_remote_auth.patch b/debian/patches/CVE-2015-4171_enforce_remote_auth.patch
new file mode 100644
index 0000000..da02920
--- /dev/null
+++ b/debian/patches/CVE-2015-4171_enforce_remote_auth.patch
@@ -0,0 +1,101 @@
+From 5bcd3eee8b8b550f606dde420d37b202404147ed Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin at strongswan.org>
+Date: Wed, 3 Jun 2015 10:52:34 +0200
+Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding
+ with own authentication
+
+Previously the constraints in the authentication configuration of an
+initiator were enforced only after all authentication rounds were
+complete. This posed a problem if an initiator used EAP or PSK
+authentication while the responder was authenticated with a certificate
+and if a rogue server was able to authenticate itself with a valid
+certificate issued by any CA the initiator trusted.
+
+Because any constraints for the responder's identity (rightid) or other
+aspects of the authentication (e.g. rightca) the initiator had were not
+enforced until the initiator itself finished its authentication such a rogue
+responder was able to acquire usernames and password hashes from the client.
+And if a client supported EAP-GTC it was even possible to trick it into
+sending plaintext passwords.
+
+This patch enforces the configured constraints right after the responder's
+authentication successfully finished for each round and before the initiator
+starts with its own authentication.
+
+Fixes CVE-2015-4171.
+---
+ src/libcharon/sa/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
+index 0756c7d603b9..dc889ea7ff96 100644
+--- a/src/libcharon/sa/tasks/ike_auth.c
++++ b/src/libcharon/sa/tasks/ike_auth.c
+@@ -111,6 +111,11 @@ struct private_ike_auth_t {
+ * received an INITIAL_CONTACT?
+ */
+ bool initial_contact;
++
++ /**
++ * Is EAP acceptable, did we strictly authenticate peer?
++ */
++ bool eap_acceptable;
+ };
+
+ /**
+@@ -828,6 +833,37 @@ METHOD(task_t, build_r, status_t,
+ return NEED_MORE;
+ }
+
++/**
++ * Check if strict constraint fullfillment required to continue current auth
++ */
++static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
++{
++ auth_cfg_t *cfg;
++
++ if (this->eap_acceptable)
++ {
++ return FALSE;
++ }
++
++ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
++ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
++ {
++ case AUTH_CLASS_EAP:
++ if (mutual_eap && this->my_auth)
++ {
++ this->eap_acceptable = TRUE;
++ return !this->my_auth->is_mutual(this->my_auth);
++ }
++ return TRUE;
++ case AUTH_CLASS_PSK:
++ return TRUE;
++ case AUTH_CLASS_PUBKEY:
++ case AUTH_CLASS_ANY:
++ default:
++ return FALSE;
++ }
++}
++
+ METHOD(task_t, process_i, status_t,
+ private_ike_auth_t *this, message_t *message)
+ {
+@@ -962,6 +998,14 @@ METHOD(task_t, process_i, status_t,
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+ }
+
++ if (require_strict(this, mutual_eap))
++ {
++ if (!update_cfg_candidates(this, TRUE))
++ {
++ return FAILED;
++ }
++ }
++
+ if (this->my_auth)
+ {
+ switch (this->my_auth->process(this->my_auth, message))
+--
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index a59fa08..21aa3e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ CVE-2014-2338-4.x.patch
CVE-2014-2891.patch
CVE-2014-9221_modp_custom.patch
CVE-2014-9221_dh_group.patch
+CVE-2015-4171_enforce_remote_auth.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git
More information about the Pkg-swan-devel
mailing list