CVE-2021-41991 HIGH

Published: 2021-10-18 | Last Modified: 2024-11-21 | Status: Modified

Description

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.

Additional Descriptions (1)

La caché de certificados en memoria en strongSwan versiones anteriores a 5.9.4, presenta un desbordamiento de enteros remoto al recibir muchas peticiones con diferentes certificados para llenar la caché y posteriormente desencadenar la sustitución de las entradas de la caché. El código intenta seleccionar una entrada de caché menos usada mediante un generador de números aleatorios, pero esto no es realizado correctamente. Una ejecución de código remota podría ser una pequeña posibilidad

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	NONE
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 3.6

Base Score: 5.0 (MEDIUM)

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector	NETWORK
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	NONE
Integrity Impact	NONE
Availability Impact	PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 2.9

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-190

Affected Products

Vendor	Product	Version	Update	Type
strongswan	strongswan	*	<built-in method update of dict object at 0x72a9e4185bc0>	Application
debian	debian_linux	9.0	<built-in method update of dict object at 0x72a9b0cd56c0>	Operating System
debian	debian_linux	10.0	<built-in method update of dict object at 0x72a9cc811f00>	Operating System
debian	debian_linux	11.0	<built-in method update of dict object at 0x72a9cc6177c0>	Operating System
fedoraproject	fedora	33	<built-in method update of dict object at 0x72a9e4185180>	Operating System
fedoraproject	fedora	34	<built-in method update of dict object at 0x72a9cc617a00>	Operating System
fedoraproject	fedora	35	<built-in method update of dict object at 0x72a99a346b00>	Operating System
siemens	sinema_remote_connect_server	-	<built-in method update of dict object at 0x72a9b0cd76c0>	Application
siemens	siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware	-	<built-in method update of dict object at 0x72a99a3461c0>	Operating System
siemens	simatic_cp_1243-1_firmware	-	<built-in method update of dict object at 0x72a9e4187e80>	Operating System
siemens	simatic_cp_1242-7_gprs_v2_firmware	-	<built-in method update of dict object at 0x72a9cc810840>	Operating System
siemens	simatic_net_cp_1243-8_irc_firmware	-	<built-in method update of dict object at 0x72a9b0cd6480>	Operating System
siemens	scalance_sc632-2c_firmware	-	<built-in method update of dict object at 0x72a9cc38c4c0>	Operating System
siemens	siplus_et_200sp_cp_1543sp-1_isec_firmware	-	<built-in method update of dict object at 0x72a99a344c00>	Operating System
siemens	cp_1543-1_firmware	-	<built-in method update of dict object at 0x72a9b0cd6f00>	Operating System
siemens	simatic_net_cp_1545-1_firmware	-	<built-in method update of dict object at 0x72a9a0122a40>	Operating System
siemens	simatic_cp_1543sp-1_firmware	-	<built-in method update of dict object at 0x72a9b0cd7640>	Operating System
siemens	simatic_net_cp1243-7_lte_eu_firmware	-	<built-in method update of dict object at 0x72a9b0cd6d80>	Operating System
siemens	simatic_cp_1243-7_lte\/us_firmware	-	<built-in method update of dict object at 0x72a9a0122480>	Operating System
siemens	simatic_cp_1542sp-1_firmware	-	<built-in method update of dict object at 0x72a9cc757900>	Operating System
siemens	scalance_sc636-2c_firmware	-	<built-in method update of dict object at 0x72a9cc38c680>	Operating System
siemens	simatic_cp_1542sp-1_irc_firmware	-	<built-in method update of dict object at 0x72a9b0cd7000>	Operating System
siemens	scalance_sc642-2c_firmware	-	<built-in method update of dict object at 0x72a9cc89bd80>	Operating System
siemens	scalance_sc646-2c_firmware	*	<built-in method update of dict object at 0x72a9cc811880>	Operating System
siemens	scalance_sc622-2c_firmware	-	<built-in method update of dict object at 0x72a9cc688180>	Operating System
siemens	siplus_s7-1200_cp_1243-1_rail_firmware	-	<built-in method update of dict object at 0x72a99a344ec0>	Operating System
siemens	siplus_s7-1200_cp_1243-1_firmware	-	<built-in method update of dict object at 0x72a9cc617980>	Operating System
siemens	siplus_net_cp_1543-1_firmware	-	<built-in method update of dict object at 0x72a9cc813880>	Operating System
siemens	siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware	-	<built-in method update of dict object at 0x72a9cc812700>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:strongswan:strongswan::::::::`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:debian:debian_linux:9.0:::::::*`
Yes	`cpe:2.3:o:debian:debian_linux:10.0:::::::*`
Yes	`cpe:2.3:o:debian:debian_linux:11.0:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:fedoraproject:fedora:33:::::::*`
Yes	`cpe:2.3:o:fedoraproject:fedora:34:::::::*`
Yes	`cpe:2.3:o:fedoraproject:fedora:35:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:siemens:sinema_remote_connect_server:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1243-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1243-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1242-7_gprs_v2_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1242-7_gprs_v2:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_net_cp_1243-8_irc_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_net_cp_1243-8_irc:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_sc632-2c_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_sc632-2c:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_et_200sp_cp_1543sp-1_isec_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:cp_1543-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:cp_1543-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_net_cp_1545-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_net_cp_1545-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1543sp-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1543sp-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_net_cp1243-7_lte_eu_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_net_cp1243-7_lte_eu:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1243-7_lte\/us_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1243-7_lte\/us:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1542sp-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1542sp-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_sc636-2c_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_sc636-2c:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:simatic_cp_1542sp-1_irc_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:simatic_cp_1542sp-1_irc:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_sc642-2c_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_sc642-2c:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_sc646-2c_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_sc646-2c:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_sc622-2c_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_sc622-2c:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1_rail:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_s7-1200_cp_1243-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_s7-1200_cp_1243-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_net_cp_1543-1_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_net_cp_1543-1:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail:-:::::::*`

References

https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf
Source: [email protected]

Patch Third Party Advisory
https://github.com/strongswan/strongswan/releases/tag/5.9.4
Source: [email protected]

Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00014.html
Source: [email protected]

Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FJSATD2R2XHTG4P63GCMQ2N7EWKMME5/
Source: [email protected]
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQSQ3BEC22NF4NCDZVCT4P3Q2ZIAJXGJ/
Source: [email protected]
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3TQ32JLJOBJDB2EJKSX2PBPB5NFG2D4/
Source: [email protected]
https://www.debian.org/security/2021/dsa-4989
Source: [email protected]

Third Party Advisory
https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-%28cve-2021-41991%29.html
Source: [email protected]
https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory
https://github.com/strongswan/strongswan/releases/tag/5.9.4
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00014.html
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FJSATD2R2XHTG4P63GCMQ2N7EWKMME5/
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQSQ3BEC22NF4NCDZVCT4P3Q2ZIAJXGJ/
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3TQ32JLJOBJDB2EJKSX2PBPB5NFG2D4/
Source: af854a3a-2127-422b-91ae-364da2661108
https://www.debian.org/security/2021/dsa-4989
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-%28cve-2021-41991%29.html
Source: af854a3a-2127-422b-91ae-364da2661108