Vulnerability ID: CVE-2013-2054

Vulnerability Type: Remote Buffer Overflow

Affected Products and Versions:
- strongSwan 2.0.0 to 4.3.4

Unaffected Versions:
- strongSwan 4.3.5 to 5.0.4

Vulnerability Description:
- When Opportunistic Encryption (OE) is enabled, the IKE daemon pluto requests DNS TXT records to retrieve public RSA keys and other information about the peer. These records may contain an IPsec gateway specification that includes a fully-qualified hostname, which is passed to the atoid() function.
- Parsing a DNS TXT record that contains the "=" symbol may overflow a buffer in atoid(). Because the record content comes from DNS and is therefore attacker-supplied, this potentially allows remote code execution, especially if the overflow reaches struct kernel_ops, a table of function pointers.

Exploitation Conditions:
- The vulnerability cannot be triggered through the strongSwan ipsec.conf configuration file, because strongSwan does not support the OE keywords there. An expert could, however, have enabled OE manually using the ipsec whack script, and only such installations are exposed.
- The attacker must control the reverse DNS zone for the IP address of a host the victim connects to, so that malicious TXT records can be placed in that zone.
- The attacker then only needs to make the victim initiate a connection to an IP address within that zone.

Mitigation Measures:
- Upgrade to strongSwan 4.3.5 or later.
- If upgrading is not possible, download the signed patch for this vulnerability from: http://download.strongswan.org/security/CVE-2013-2054/

Related Vulnerabilities:
- For the corresponding issue in libreswan, see CVE-2013-2052.
- For the corresponding issue in openswan, see CVE-2013-2053.

Discoverer:
- Florian Weimer from the Red Hat Product Security Team.
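The following C is an added illustration of the bug class described above; it is not code from this advisory or from strongSwan's pluto, and it does not reproduce atoid(). It shows a TXT-record parser that takes the copy length of the gateway hostname from the attacker-supplied record without comparing it to its fixed destination buffer, next to a bounds-checked version that rejects anything that would not fit. The record layout X-IPsec-Server(10)=@gateway key, the HOST_MAX size and both sample records are assumptions made for the example. The unchecked routine is never run on an oversized record, since that copy would be undefined behaviour; would_overflow() measures how far it would have written instead.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Size of the fixed destination buffer in this illustration. Chosen for the
 * example only; it is not the size pluto actually used. */
#define HOST_MAX 64

/* Constructed sample record in the FreeS/WAN-style layout assumed here:
 *   X-IPsec-Server(<prio>)=@<gateway> <base64 RSA key>
 * Not taken from the advisory or from real DNS. */
static const char SAMPLE_OK[] = "X-IPsec-Server(10)=@gw.example.net AQNzG0u7Q";

/* Number of bytes an unchecked parser would copy for txt: everything after
 * '=' (and an optional leading '@') up to the first space. Lets us measure
 * an oversized record without ever performing the copy. */
static size_t gateway_copy_len(const char *txt)
{
    const char *eq = strchr(txt, '=');
    if (eq == NULL)
        return 0;
    const char *p = eq + 1;
    if (*p == '@')
        p++;
    return strcspn(p, " ");
}

/* 1 if the copy plus its terminating NUL would exceed HOST_MAX. */
static int would_overflow(const char *txt)
{
    return gateway_copy_len(txt) + 1 > HOST_MAX;
}

/* Unchecked shape (illustrative, not pluto's atoid()): the copy length is
 * derived from attacker-controlled data and never compared to the buffer.
 * Only call this with input for which would_overflow() is 0. */
static int parse_gateway_unchecked(const char *txt, char host[HOST_MAX])
{
    const char *eq = strchr(txt, '=');
    if (eq == NULL)
        return -1;
    const char *p = eq + 1;
    if (*p == '@')
        p++;
    size_t n = strcspn(p, " ");
    memcpy(host, p, n);      /* n is unbounded: overflow once n >= HOST_MAX */
    host[n] = '\0';
    return 0;
}

static int valid_host_char(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.';
}

/* Hardened shape: refuse before writing when the gateway is empty, does not
 * fit together with the NUL, or contains non-hostname characters. */
static int parse_gateway_checked(const char *txt, char *host, size_t hostlen)
{
    const char *eq = strchr(txt, '=');
    if (eq == NULL || hostlen == 0)
        return -1;
    const char *p = eq + 1;
    if (*p == '@')
        p++;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= hostlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!valid_host_char((unsigned char)p[i]))
            return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Writes a constructed oversized record into buf: a gateway of len 'a's. */
static void make_oversized_record(char *buf, size_t buflen, size_t len)
{
    static const char prefix[] = "X-IPsec-Server(10)=@";
    size_t pl = sizeof(prefix) - 1;
    if (buflen < pl + len + 1) {
        buf[0] = '\0';
        return;
    }
    memcpy(buf, prefix, pl);
    memset(buf + pl, 'a', len);
    buf[pl + len] = '\0';
}

/* Returns 1 if both parsers agree on the benign sample record. */
static int demo_benign_parses(void)
{
    char host[HOST_MAX];
    return parse_gateway_checked(SAMPLE_OK, host, sizeof host) == 0
        && strcmp(host, "gw.example.net") == 0
        && parse_gateway_unchecked(SAMPLE_OK, host) == 0
        && strcmp(host, "gw.example.net") == 0;
}

/* Returns 1 if a 200-byte gateway is measured as an overflow and rejected. */
static int demo_oversized_rejected(void)
{
    char host[HOST_MAX];
    char big[512];
    make_oversized_record(big, sizeof big, 200);
    return would_overflow(big) == 1
        && gateway_copy_len(big) == 200
        && parse_gateway_checked(big, host, sizeof host) == -1;
}

int main(void)
{
    printf("benign record parsed by both: %d\n", demo_benign_parses());
    printf("oversized record measured and rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

The point of the split is that the unchecked version is correct on every well-formed record, which is why such code survives testing; only the size of the attacker's hostname decides whether the write stays inside host[] or runs into whatever follows it in memory.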