#VU42736 Input validation error in strongSwan - CVE-2013-2054

Cybersecurity Help s.r.o.

Published: 2013-07-09 | Updated: 2022-04-29

Vulnerability identifier: #VU42736

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-2054

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
strongSwan
Server applications / Encryption software

Vendor: strongswan.org

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (pluto IKE daemon crash) and possibly execute arbitrary code via crafted DNS TXT records.

Mitigation
Install update from vendor's website.

Vulnerable software versions

strongSwan: 2.0.0 - 4.3.4

External links
https://download.strongswan.org/security/CVE-2013-2054/CVE-2013-2054.txt
https://www.securityfocus.com/bid/59837
https://lists.libreswan.org/pipermail/swan-announce/2013/000003.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for strongSwan

Input validation error in strongSwan