strongSwan vulnerability CVE-2015-3991

Advisory ID      CVE Number      Date discovered   Severity   Advisory revision
STORM-2015-016   CVE-2015-3991   11/17/2015        medium     v1

Vulnerability details

A vulnerability was reported in strongSwan.

A remote attacker can exploit it by sending specially crafted IKE messages to crash the daemon and potentially execute arbitrary code. The vulnerability is triggered when an IKE message contains payloads that are only defined for the respective other IKE version (e.g. an IKEv1 Main Mode message carrying an IKEv2 Notify payload).

Impacted products

Products                       Severity   Detail
Stormshield Network Security   medium     SNS ships a vulnerable version of strongSwan

Revisions

Version   Date         Description
v1        11/17/2015   Initial release

Stormshield Network Security

CVSS v2 Overall Score: 6      

Analysis

The bug can be triggered by an IKEv1 or IKEv2 message that contains payloads that are only defined for the respective other IKE version. For instance, sending an IKEv1 Main Mode message containing a payload with type 41 (IKEv2 Notify) will crash the daemon when a short summary of the contents of the message is logged (“parsed ID_PROT request 0 [… ]”). Other payload types may trigger crashes in other places.

Impacted version

  • SNS 2.0.0 to 2.2.2

Workaround solution

There is no workaround solution.

Solution

The 2.2.3 update will fix this vulnerability.
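Added example, not part of this advisory and not strongSwan code: a Python check a defender could run over captured UDP/500 datagrams (or use as an input-validation model) that walks the IKE payload chain and flags payload types defined only for the other IKE version, the condition described in the Analysis section. The payload-type sets, the fixture builder and the three sample messages are constructed here for illustration.

```python
import struct
# ISAKMP/IKE fixed header (28 bytes): SPIi(8) SPIr(8) next-payload(1)
# version(1, major<<4 | minor) exchange-type(1) flags(1) message-id(4) length(4)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Payload types per version: IKEv1 1 SA..13 VID, 14 ATTR, 20 NAT-D, 21 NAT-OA;
# IKEv2 33 SA..48 EAP (RFC 7296) and 49-53. Assumption: any other value is "unknown".
IKEV1_PAYLOADS = set(range(1, 15)) | {20, 21}
IKEV2_PAYLOADS = set(range(33, 54))

def parse_payload_chain(msg):
    """Walk the generic payload headers; return (major_version, exchange_type, [types])."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    _, _, nxt, version, exchange, _, _, length = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    if length > len(msg):
        raise ValueError("header length %d exceeds datagram of %d bytes" % (length, len(msg)))
    types, offset = [], HEADER_LEN
    while nxt != 0:  # next-payload 0 (NONE) terminates the chain
        if offset + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % offset)
        types.append(nxt)  # the previous link names this payload's type
        nxt, _, plen = struct.unpack("!BBH", msg[offset:offset + 4])  # next, reserved, length
        if plen < 4 or offset + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        offset += plen
    return version >> 4, exchange, types

def foreign_payloads(msg):
    """Payload types in msg that are defined only for the other IKE major version."""
    major, _, types = parse_payload_chain(msg)
    other = {1: IKEV2_PAYLOADS, 2: IKEV1_PAYLOADS}.get(major)
    if other is None:
        raise ValueError("unsupported IKE major version %d" % major)
    return [t for t in types if t in other]

def build_message(ver, exch, payloads):
    """Constructed fixture builder, not real IKE traffic: payloads is [(type, body bytes)]."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return struct.pack(HEADER_FMT, b"\x11" * 8, bytes(8), first, ver, exch, 0, 0, HEADER_LEN + len(body)) + body

# Constructed samples: IKEv1 Main Mode (exchange type 2) carrying an IKEv2 Notify (41),
# a clean IKEv1 Main Mode, and an IKEv2 IKE_SA_INIT (34) carrying an IKEv1 VID (13).
V1_WITH_V2_NOTIFY = build_message(0x10, 2, [(1, bytes(8)), (41, bytes(4))])
V1_CLEAN = build_message(0x10, 2, [(1, bytes(8)), (13, b"\xaa" * 16)])
V2_WITH_V1_VID = build_message(0x20, 34, [(33, bytes(8)), (13, b"\xaa" * 16)])
```

A non-empty result from foreign_payloads() is the mixed-version condition the advisory describes; a ValueError marks a datagram whose lengths do not add up, which a parser should reject before logging anything about its contents.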

Access vector   Access complexity   Authentication   Confidentiality impact   Integrity impact   Availability impact
Network         Low                 None             Complete                 Complete           Partial
CVSS Base score: 9.7   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:P)

Exploitability                 Remediation Level   Report Confidence
Unproven that exploit exists   Official fix        Confirmed
CVSS Temporal score: 7.1   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:P/E:U/RL:OF/RC:C)

Collateral Damage Potential   Target Distribution
Low-Medium                    Medium [26-75%]
CVSS Environmental score: 6   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:P/E:U/RL:OF/RC:C/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)