SB2013050205 - Improper Authentication in strongSwan
Published: May 2, 2013 Updated: August 11, 2020
Security Bulletin ID
SB2013050205
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2013-2944)
The vulnerability allows a remote #AU# to read and manipulate data.
strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature.
Remediation
Install update from vendor's website.
References
- http://download.strongswan.org/patches/10_openssl_ecdsa_signature_patch/strongswan-4.3.5-5.0.3_openssl_ecdsa_signature.patch
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00014.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00121.html
- http://www.debian.org/security/2013/dsa-2665
- http://www.securityfocus.com/bid/59580
- http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-(cve-2013-2944).html