Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.63711
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2009:0402
Summary:NOSUMMARY
Description:Description:
The remote host is missing updates announced in
advisory RHSA-2009:0402.

Openswan is a free implementation of Internet Protocol Security (IPsec)
and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide
both authentication and encryption services. These services allow you to
build secure tunnels through untrusted networks. Everything passing through
the untrusted network is encrypted by the IPsec gateway machine, and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network (VPN).

Gerd v. Egidy discovered a flaw in the Dead Peer Detection (DPD) in
Openswan's pluto IKE daemon. A remote attacker could use a malicious DPD
packet to crash the pluto daemon. (CVE-2009-0790)

It was discovered that Openswan's livetest script created temporary files
in an insecure manner. A local attacker could use this flaw to overwrite
arbitrary files owned by the user running the script. (CVE-2008-4190)

Note: The livetest script is an incomplete feature and was not
automatically executed by any other script distributed with Openswan, or
intended to be used at all, as was documented in its man page. In these
updated packages, the script only prints an informative message and exits
immediately when run.

All users of openswan are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
this update, the ipsec service will be restarted automatically.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2009-0402.html
http://www.redhat.com/security/updates/classification/#important

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-4190
BugTraq ID: 31243
http://www.securityfocus.com/bid/31243
Bugtraq: 20090310 Re: [ GLSA 200903-18 ] Openswan: Insecure temporary file creation (Google Search)
http://www.securityfocus.com/archive/1/501624/100/0/threaded
http://www.securityfocus.com/archive/1/501640/100/0/threaded
Debian Security Information: DSA-1760 (Google Search)
http://www.debian.org/security/2009/dsa-1760
https://www.exploit-db.com/exploits/9135
http://www.openwall.com/lists/oss-security/2008/10/30/2
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10078
http://www.redhat.com/support/errata/RHSA-2009-0402.html
http://secunia.com/advisories/34182
http://secunia.com/advisories/34472
XForce ISS Database: openswan-livetest-symlink(45250)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45250
Common Vulnerability Exposure (CVE) ID: CVE-2009-0790
BugTraq ID: 34296
http://www.securityfocus.com/bid/34296
Bugtraq: 20090330 CVE-2009-0790: ISAKMP DPD Remote Vulnerability with Openswan & Strongswan IPsec (Google Search)
http://www.securityfocus.com/archive/1/502270/100/0/threaded
Debian Security Information: DSA-1759 (Google Search)
http://www.debian.org/security/2009/dsa-1759
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11171
http://www.securitytracker.com/id?1021949
http://www.securitytracker.com/id?1021950
http://secunia.com/advisories/34483
http://secunia.com/advisories/34494
http://secunia.com/advisories/34546
SuSE Security Announcement: SUSE-SR:2009:009 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
http://www.vupen.com/english/advisories/2009/0886
XForce ISS Database: openswan-strongswan-dpd-dos(49523)
https://exchange.xforce.ibmcloud.com/vulnerabilities/49523
CopyrightCopyright (c) 2009 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.