Check Point Advisories

strongSwan Certificate and Identification Payload Parsing Buffer Overflow (CVE-2010-2628)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-442
Date Published:	4 Oct 2010
Severity:	Critical
Last Updated:	Monday 04 October, 2010
Source:
Industry Reference:	CVE-2010-2628
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	strongSwan is an open-source implementation of IPsec for Linux platforms including Debian, Ubuntu, FreeBSD and Mac OS X. It is a scalable VPN solution that supports the Internet Key Exchange (IKE) protocol version 1 as well as IKEv2. A remote code execution vulnerability has been reported in strongSwan. The vulnerability is due to an improper parsing the certificates and identification payload. A remote attacker could exploit this issue via a specially crafted certificate or identification payload. Successful exploitation of this vulnerability would allow injection and execution of arbitrary code in the context of user root and may cause termination of the pluto IKE daemon resulting in a denial of service condition.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the strongSwan Certificate and Identification Payload Parsing Buffer Overflow protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: IKE Protection Violation.
Attack Information: strongSwan certificate and identification payload parsing buffer overflow