Test ID: | 1.3.6.1.4.1.25623.1.0.702893 |
Category: | Debian Local Security Checks |
Title: | Debian: Security Advisory (DSA-2893-1) |
Summary: | The remote host is missing an update for the Debian 'openswan' package(s) announced via the DSA-2893-1 advisory. |
Description: |
Vulnerability Insight: Two vulnerabilities were fixed in Openswan, an IKE/IPsec implementation for Linux.

CVE-2013-2053: During an audit of Libreswan (with which Openswan shares some code), Florian Weimer found a remote buffer overflow in the atodn() function. The flaw can be triggered when Opportunistic Encryption (OE) is enabled and an attacker controls the PTR record of a peer IP address. No authentication is needed to trigger it.

CVE-2013-6466: Iustina Melinte found a vulnerability in Libreswan that also applies to the Openswan code. With carefully crafted IKEv2 packets, an attacker can make the pluto daemon dereference an IKEv2 payload that was never received, crashing the daemon. No authentication is needed to trigger it.

Patches were originally written to fix the vulnerabilities in Libreswan and were ported to Openswan by Paul Wouters of the Libreswan Project. Since the Openswan package is no longer maintained in the Debian distribution and is not available in the testing and unstable suites, IKE/IPsec users are advised to switch to a supported implementation such as strongSwan.

For the oldstable distribution (squeeze), these problems have been fixed in version 2.6.28+dfsg-5+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 2.6.37-3.1. We recommend that you upgrade your openswan packages.

Affected Software/OS: 'openswan' package(s) on Debian 6 (squeeze), Debian 7 (wheezy).

Solution: Please install the updated package(s).

CVSS Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P |
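The test above is a version check: it compares the installed openswan package version against the fixed version named in the advisory for the host's Debian release. The following is an added example of that check, not Greenbone's NASL test and not Debian's own code. It reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything) so it runs without dpkg present; the release-to-version map is taken from the advisory text, and the `dpkg-query` sample output at the bottom is constructed.

```python
"""Local check for DSA-2893-1: is the installed Debian 'openswan' package
older than the fixed version for its release? Added example; not the
scanner's own test. Reimplements dpkg's version ordering."""

# Fixed versions from the advisory, keyed by Debian major release
# (squeeze is Debian 6, wheezy is Debian 7).
FIXED_VERSIONS = {
    "6": "2.6.28+dfsg-5+squeeze2",
    "7": "2.6.37-3.1",
}

DIGITS = "0123456789"


def _order(c):
    """Collation weight of one character, mirroring dpkg's order()."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a, b):
    """Compare one upstream-version or revision string as dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1    # a has more digits, so it is the larger number
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_vulnerable(release, installed):
    """True if openswan 'installed' on Debian 'release' predates the fix;
    None when the release is not covered by DSA-2893-1."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return None
    return dpkg_compare(installed, fixed) < 0


def check_dpkg_query(release, output):
    """Scan 'dpkg-query -W -f=${Package} ${Version} ${Status}\\n' output;
    return the openswan verdict, or None if it is not installed."""
    for line in output.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == "openswan" and fields[2] == "install ok installed":
            return is_vulnerable(release, fields[1])
    return None


if __name__ == "__main__":
    # Constructed sample: a wheezy host still on the unpatched package.
    sample = "openswan 2.6.37-3 install ok installed\nstrongswan 4.5.2-1.5 install ok installed\n"
    print("wheezy openswan 2.6.37-3 vulnerable:", check_dpkg_query("7", sample))
```

On a Debian host, `dpkg --compare-versions 2.6.37-3 lt 2.6.37-3.1` gives the same verdict as `dpkg_compare`. The version verdict is the conservative one: per the advisory, CVE-2013-6466 needs only an attacker who can reach pluto with IKEv2, whereas CVE-2013-2053 additionally requires OE to be enabled and an attacker-controlled PTR record, so a host with OE disabled is exposed only to the crash, not the overflow, until it is upgraded.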
Cross-Ref: |
CVE-2013-2053:
  BID 59838: http://www.securityfocus.com/bid/59838
  DSA-2893: http://www.debian.org/security/2014/dsa-2893
  RHSA-2013:0827: http://rhn.redhat.com/errata/RHSA-2013-0827.html
  SUSE-SU-2013:1150: http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00008.html
  [Swan-announce] 20130514 CVE-2013-2052: Libreswan remote buffer overflow in atodn(): https://lists.libreswan.org/pipermail/swan-announce/2013/000003.html
  https://bugzilla.redhat.com/show_bug.cgi?id=960229
  https://www.openswan.org/news/13
CVE-2013-6466:
  BID 65155: http://www.securityfocus.com/bid/65155
  RHSA-2014:0185: http://rhn.redhat.com/errata/RHSA-2014-0185.html
  https://cert.vde.com/en-us/advisories/vde-2017-001
  https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt
  X-Force openswan-cve20136466-dos (90524): https://exchange.xforce.ibmcloud.com/vulnerabilities/90524 |
Copyright | Copyright (C) 2014 Greenbone AG |