ID CVE-2011-4073
Summary Use-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote authenticated users to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions.
References
Vulnerable Configurations
  • Openswan 2.3.0
    cpe:2.3:a:openswan:openswan:2.3.0
  • Openswan 2.3.1
    cpe:2.3:a:openswan:openswan:2.3.1
  • Openswan 2.4
    cpe:2.3:a:openswan:openswan:2.4
  • Openswan 2.4.5
    cpe:2.3:a:openswan:openswan:2.4.5
  • Openswan 2.4.3
    cpe:2.3:a:openswan:openswan:2.4.3
  • Openswan 2.4.6
    cpe:2.3:a:openswan:openswan:2.4.6
  • Openswan 2.4.7
    cpe:2.3:a:openswan:openswan:2.4.7
  • Openswan 2.4.8
    cpe:2.3:a:openswan:openswan:2.4.8
  • Openswan 2.4.11
    cpe:2.3:a:openswan:openswan:2.4.11
  • Openswan 2.4.9
    cpe:2.3:a:openswan:openswan:2.4.9
  • Openswan 2.4.1
    cpe:2.3:a:openswan:openswan:2.4.1
  • Openswan 2.4.2
    cpe:2.3:a:openswan:openswan:2.4.2
  • Openswan 2.4.10
    cpe:2.3:a:openswan:openswan:2.4.10
  • Openswan 2.4.4
    cpe:2.3:a:openswan:openswan:2.4.4
  • Openswan 2.5.0
    cpe:2.3:a:openswan:openswan:2.5.0
  • Openswan 2.5.01
    cpe:2.3:a:openswan:openswan:2.5.01
  • Openswan 2.5.02
    cpe:2.3:a:openswan:openswan:2.5.02
  • Openswan 2.5.03
    cpe:2.3:a:openswan:openswan:2.5.03
  • Openswan 2.5.0sbs4
    cpe:2.3:a:openswan:openswan:2.5.0:sbs4
  • Openswan 2.5.0sbs5
    cpe:2.3:a:openswan:openswan:2.5.0:sbs5
  • Openswan 2.5.04
    cpe:2.3:a:openswan:openswan:2.5.04
  • Openswan 2.5.05
    cpe:2.3:a:openswan:openswan:2.5.05
  • Openswan 2.5.06
    cpe:2.3:a:openswan:openswan:2.5.06
  • Openswan 2.5.07
    cpe:2.3:a:openswan:openswan:2.5.07
  • Openswan 2.5.08
    cpe:2.3:a:openswan:openswan:2.5.08
  • Openswan 2.5.09
    cpe:2.3:a:openswan:openswan:2.5.09
  • Openswan 2.5.10
    cpe:2.3:a:openswan:openswan:2.5.10
  • Openswan 2.5.11
    cpe:2.3:a:openswan:openswan:2.5.11
  • Openswan 2.5.12
    cpe:2.3:a:openswan:openswan:2.5.12
  • Openswan 2.5.13
    cpe:2.3:a:openswan:openswan:2.5.13
  • Openswan 2.5.14
    cpe:2.3:a:openswan:openswan:2.5.14
  • Openswan 2.5.15
    cpe:2.3:a:openswan:openswan:2.5.15
  • Openswan 2.4.12
    cpe:2.3:a:openswan:openswan:2.4.12
  • Openswan 2.6.01
    cpe:2.3:a:openswan:openswan:2.6.01
  • Openswan 2.6.02
    cpe:2.3:a:openswan:openswan:2.6.02
  • Openswan 2.6.03
    cpe:2.3:a:openswan:openswan:2.6.03
  • Openswan 2.6.04
    cpe:2.3:a:openswan:openswan:2.6.04
  • Openswan 2.6.05
    cpe:2.3:a:openswan:openswan:2.6.05
  • Openswan 2.6.06
    cpe:2.3:a:openswan:openswan:2.6.06
  • Openswan 2.5.16
    cpe:2.3:a:openswan:openswan:2.5.16
  • Openswan 2.5.17
    cpe:2.3:a:openswan:openswan:2.5.17
  • Openswan 2.5.18
    cpe:2.3:a:openswan:openswan:2.5.18
  • Openswan 2.6.07
    cpe:2.3:a:openswan:openswan:2.6.07
  • Openswan 2.6.08
    cpe:2.3:a:openswan:openswan:2.6.08
  • Openswan 2.6.09
    cpe:2.3:a:openswan:openswan:2.6.09
  • Openswan 2.6.10
    cpe:2.3:a:openswan:openswan:2.6.10
  • Openswan 2.6.11
    cpe:2.3:a:openswan:openswan:2.6.11
  • Openswan 2.6.12
    cpe:2.3:a:openswan:openswan:2.6.12
  • Openswan 2.6.13
    cpe:2.3:a:openswan:openswan:2.6.13
  • Openswan 2.6.14
    cpe:2.3:a:openswan:openswan:2.6.14
  • Openswan 2.4.13
    cpe:2.3:a:openswan:openswan:2.4.13
  • Openswan 2.6.15
    cpe:2.3:a:openswan:openswan:2.6.15
  • Openswan 2.6.16
    cpe:2.3:a:openswan:openswan:2.6.16
  • Openswan 2.6.28
    cpe:2.3:a:openswan:openswan:2.6.28
  • Openswan 2.6.29
    cpe:2.3:a:openswan:openswan:2.6.29
  • Openswan 2.6.20
    cpe:2.3:a:openswan:openswan:2.6.20
  • Openswan 2.6.19
    cpe:2.3:a:openswan:openswan:2.6.19
  • Openswan 2.6.18
    cpe:2.3:a:openswan:openswan:2.6.18
  • Openswan 2.6.17
    cpe:2.3:a:openswan:openswan:2.6.17
  • Openswan 2.6.35
    cpe:2.3:a:openswan:openswan:2.6.35
  • Openswan 2.6.36
    cpe:2.3:a:openswan:openswan:2.6.36
  • Openswan 2.6.27
    cpe:2.3:a:openswan:openswan:2.6.27
  • Openswan 2.6.30
    cpe:2.3:a:openswan:openswan:2.6.30
  • Openswan 2.6.26
    cpe:2.3:a:openswan:openswan:2.6.26
  • Openswan 2.6.25
    cpe:2.3:a:openswan:openswan:2.6.25
  • Openswan 2.6.24
    cpe:2.3:a:openswan:openswan:2.6.24
  • Openswan 2.6.33
    cpe:2.3:a:openswan:openswan:2.6.33
  • Openswan 2.6.23
    cpe:2.3:a:openswan:openswan:2.6.23
  • Openswan 2.6.34
    cpe:2.3:a:openswan:openswan:2.6.34
  • Openswan 2.6.22
    cpe:2.3:a:openswan:openswan:2.6.22
  • Openswan 2.6.31
    cpe:2.3:a:openswan:openswan:2.6.31
  • Openswan 2.6.21
    cpe:2.3:a:openswan:openswan:2.6.21
  • Openswan 2.6.32
    cpe:2.3:a:openswan:openswan:2.6.32
CVSS
Base: 4.0 (as of 18-11-2011 - 12:19)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-15077.NASL
    description New upstream release for CVE-2011-4073 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 57070
    published 2011-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57070
    title Fedora 15 : openswan-2.6.37-1.fc15 (2011-15077)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_OPENSWAN-111114.NASL
    description openswan's crypto helper was prone to a use-after-free flaw which could potentially allow remote attackers to cause a Denial of Service (CVE-2011-4073, bnc#727002). Additionally, the following issues have been fixed: AH handshake problems (bnc#713986); potential dereference of no longer valid pointers; mode handling issues.
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 57125
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57125
    title SuSE 11.1 Security Update : openswan (SAT Patch Number 5424)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201203-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-201203-13 (Openswan: Denial of Service). Two vulnerabilities have been found in Openswan: Improper permissions are used on /var/run/starter.pid and /var/lock/subsys/ipsec (CVE-2011-2147). Openswan contains a use-after-free error in the cryptographic helper handler (CVE-2011-4073). Impact: A remote authenticated attacker or a local attacker may be able to cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 58378
    published 2012-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58378
    title GLSA-201203-13 : Openswan: Denial of Service
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20111102_OPENSWAN_ON_SL5_X.NASL
    description Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Scientific Linux 5, but enabled by default on Scientific Linux 6. (CVE-2011-4073) All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61167
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61167
    title Scientific Linux Security Update : openswan on SL5.x, SL6.x i386/x86_64
  • NASL family Misc.
    NASL id OPENSWAN_IKE_50440.NASL
    description The remote host is running a version of Openswan prior to version 2.6.37. It is, therefore, affected by a remote denial of service vulnerability due to a use-after-free flaw in the cryptographic helper handler. A remote attacker can exploit this issue to cause a denial of service.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 81053
    published 2015-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81053
    title Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1422.NASL
    description Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6. (CVE-2011-4073) Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin of the information security group at ETH Zurich as the original reporters. All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 56698
    published 2011-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56698
    title RHEL 5 / 6 : openswan (RHSA-2011:1422)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSWAN-7836.NASL
    description openswan's crypto helper was prone to a use-after-free flaw which could potentially allow remote attackers to cause a Denial of Service (CVE-2011-4073, bnc#727002). Additionally, a potential dereference of a no longer valid pointer has been fixed.
    last seen 2019-02-21
    modified 2012-10-03
    plugin id 57237
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57237
    title SuSE 10 Security Update : openswan (ZYPP Patch Number 7836)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2011-18.NASL
    description A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69577
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69577
    title Amazon Linux AMI : openswan (ALAS-2011-18)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2374.NASL
    description The information security group at ETH Zurich discovered a denial of service vulnerability in the crypto helper handler of the IKE daemon pluto. More information can be found in the upstream advisory.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 57514
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57514
    title Debian DSA-2374-1 : openswan - implementation error
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-15196.NASL
    description New upstream release for CVE-2011-4073. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 57072
    published 2011-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57072
    title Fedora 16 : openswan-2.6.37-1.fc16 (2011-15196)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1422.NASL
    description From Red Hat Security Advisory 2011:1422 : Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6. (CVE-2011-4073) Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin of the information security group at ETH Zurich as the original reporters. All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68381
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68381
    title Oracle Linux 5 / 6 : openswan (ELSA-2011-1422)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1422.NASL
    description Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6. (CVE-2011-4073) Red Hat would like to thank the Openswan project for reporting this issue. Upstream acknowledges Petar Tsankov, Mohammad Torabi Dashti and David Basin of the information security group at ETH Zurich as the original reporters. All users of openswan are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the ipsec service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56694
    published 2011-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56694
    title CentOS 5 : openswan (CESA-2011:1422)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-15127.NASL
    description Fixes for CVE-2011-4073. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 57071
    published 2011-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57071
    title Fedora 14 : openswan-2.6.33-3.fc14 (2011-15127)
redhat via4
advisories
bugzilla
id 748961
title CVE-2011-4073 openswan: use-after-free vulnerability leads to DoS
oval
OR
  • AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment openswan is earlier than 0:2.6.32-4.el6_1.4
          oval oval:com.redhat.rhsa:tst:20111422005
        • comment openswan is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100892006
      • AND
        • comment openswan-doc is earlier than 0:2.6.32-4.el6_1.4
          oval oval:com.redhat.rhsa:tst:20111422007
        • comment openswan-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100892008
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment openswan is earlier than 0:2.6.21-5.el5_7.6
          oval oval:com.redhat.rhsa:tst:20111422010
        • comment openswan is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090402003
      • AND
        • comment openswan-doc is earlier than 0:2.6.21-5.el5_7.6
          oval oval:com.redhat.rhsa:tst:20111422012
        • comment openswan-doc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090402005
rhsa
id RHSA-2011:1422
released 2011-11-02
severity Moderate
title RHSA-2011:1422: openswan security update (Moderate)
rpms
  • openswan-0:2.6.32-4.el6_1.4
  • openswan-doc-0:2.6.32-4.el6_1.4
  • openswan-0:2.6.21-5.el5_7.6
  • openswan-doc-0:2.6.21-5.el5_7.6
refmap via4
bid 50440
confirm http://www.openswan.org/download/CVE-2011-4073/CVE-2011-4073.txt
debian DSA-2374
sectrack 1026268
secunia
  • 46678
  • 46681
  • 47342
Last major update 12-03-2012 - 00:00
Published 17-11-2011 - 14:55