StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs
Briefly

"Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon."
"The issue exists because the parser does not check the AVP's length value, which leads to a 32-bit integer underflow for length values between 0 and 7."
"Successful exploitation of the flaw requires a two-phase attack, where a malicious packet corrupts the heap and a second packet triggers the segmentation fault, crashing the daemon."
StrongSwan's EAP-TTLS AVP parser has a high-severity vulnerability affecting versions 4.5.0 to 6.0.4. It can be exploited remotely without authentication and can take VPN services offline. The root cause is a missing check on AVP length fields before the header size is subtracted from them, which produces a 32-bit integer underflow and leads to excessive memory allocation or a NULL pointer dereference. Successful exploitation requires a two-phase attack: one malicious packet corrupts the heap and a subsequent packet triggers the segmentation fault. The vulnerability has been addressed in newer versions of StrongSwan.
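To make the parsing defect concrete, the following is an added, self-contained C illustration written for this summary; it is not strongSwan's code and is not taken from the SecurityWeek article. It assumes the standard EAP-TTLS AVP layout (4-byte code, 1-byte flags, 3-byte length that includes the header, optional 4-byte Vendor-ID when the V flag is set), and the sample AVP bytes are constructed, not captured traffic. `unchecked_data_len` shows only the arithmetic the summary describes (an unvalidated length minus the 8-byte header wraps for values 0 to 7); `avp_parse` is the hardened form that bounds-checks the length before any subtraction or use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed EAP-TTLS AVP header: code(4) | flags(1) | length(3) [| vendor-id(4)].
 * The encoded length counts the header itself. */
#define AVP_HDR_LEN 8
#define AVP_FLAG_V  0x80

typedef struct {
    uint32_t code;
    uint8_t  flags;
    uint32_t length;      /* total AVP length as encoded, header included */
    uint32_t vendor_id;
    const uint8_t *data;  /* points into the caller's buffer */
    uint32_t data_len;    /* length minus header size, valid only on success */
} avp_t;

static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint32_t rd_u24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* The arithmetic behind the bug: subtracting the header size from an
 * unchecked 32-bit length wraps when length < 8. Pure arithmetic, no
 * allocation, so it is safe to evaluate with any input. */
uint32_t unchecked_data_len(uint32_t length) {
    return length - AVP_HDR_LEN;   /* e.g. 4 - 8 wraps to 0xFFFFFFFC */
}

/* Hardened parse: the encoded length is checked against the header size
 * (so the subtraction cannot underflow) and against the bytes actually
 * present (so the payload cannot be over-read). Returns 0 on success,
 * -1 for a malformed AVP. */
int avp_parse(const uint8_t *buf, size_t buf_len, avp_t *out) {
    if (buf == NULL || out == NULL || buf_len < AVP_HDR_LEN) return -1;
    out->code   = rd_u32(buf);
    out->flags  = buf[4];
    out->length = rd_u24(buf + 5);
    uint32_t hdr = AVP_HDR_LEN + ((out->flags & AVP_FLAG_V) ? 4u : 0u);
    if (out->length < hdr)     return -1;   /* would underflow on subtraction */
    if (out->length > buf_len) return -1;   /* claims more bytes than we have */
    out->vendor_id = (out->flags & AVP_FLAG_V) ? rd_u32(buf + 8) : 0;
    out->data      = buf + hdr;
    out->data_len  = out->length - hdr;     /* safe: length >= hdr here */
    return 0;
}

/* Convenience wrapper: payload length of a parsed AVP, or -1 if rejected. */
int sample_data_len(const uint8_t *buf, size_t buf_len) {
    avp_t a;
    if (avp_parse(buf, buf_len, &a) != 0) return -1;
    return (int)a.data_len;
}

/* Constructed sample AVPs (not captured traffic). */
const uint8_t AVP_OK[]  = {0,0,0,1, 0x40, 0,0,12, 't','e','s','t'}; /* length 12 = 8 + 4 */
const uint8_t AVP_BAD[] = {0,0,0,1, 0x40, 0,0,4,  't','e','s','t'}; /* length 4 < header */

int main(void) {
    printf("unchecked 4 - 8 = 0x%08x\n", unchecked_data_len(4));
    printf("well-formed AVP payload length: %d\n",
           sample_data_len(AVP_OK, sizeof AVP_OK));
    printf("short-length AVP result: %d (rejected)\n",
           sample_data_len(AVP_BAD, sizeof AVP_BAD));
    return 0;
}
```

The ordering of the two checks is the point: both comparisons happen on the raw encoded value before `length - hdr` is ever computed, so a length of 0 to 7 (or 0 to 11 with a Vendor-ID present) is rejected rather than turned into a multi-gigabyte allocation request.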
Read at SecurityWeek