Vulnerability CVE-2009-1632

Vulnerability Name:

CVE-2009-1632

Assigned:

2009-04-22

Published:

2009-04-22

Updated:

2017-09-29

Summary:

Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-399
CWE-401

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:ipsec-tools:ipsec-tools:0.1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.2.4:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:rc1:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:rc2:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:rc3:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:rc4:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3:rc5:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3.1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3.2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3.3:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3_rc1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3_rc2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3_rc3:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3_rc4:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.3_rc5:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.4:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.4:rc1:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.5:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.5.1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.5.2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.1:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.2:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.3:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.4:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.5:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.6:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.6.7:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:0.7:*:*:*:*:*:*:*

OR cpe:/a:ipsec-tools:ipsec-tools:*:*:*:*:*:*:*:* (Version <= 0.7.1)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20091632	V	CVE-2009-1632	2022-05-20
oval:org.opensuse.security:def:26148	P	Security update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags (Important)	2021-10-15
oval:org.opensuse.security:def:32177	P	Security update for bind (Moderate)	2021-08-30
oval:org.opensuse.security:def:29405	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:26073	P	Security update for libjpeg-turbo (Moderate)	2021-06-11
oval:org.opensuse.security:def:26072	P	Security update for caribou (Important)	2021-06-10
oval:org.opensuse.security:def:36523	P	novell-ipsec-tools-0.7.1-2.29.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:29369	P	Security update for djvulibre (Important)	2021-05-31
oval:org.opensuse.security:def:32270	P	Security update for wpa_supplicant (Important)	2021-03-09
oval:org.opensuse.security:def:26084	P	Security update for postgresql, postgresql12, postgresql13 (Important)	2021-01-26
oval:org.opensuse.security:def:26276	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:33418	P	Security update for NetworkManager	2020-12-01
oval:org.opensuse.security:def:31958	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28687	P	Security update for flash-player (Moderate)	2020-12-01
oval:org.opensuse.security:def:26751	P	libltdl7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32414	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:28237	P	Security update for LibVNCServer (Moderate)	2020-12-01
oval:org.opensuse.security:def:32780	P	quagga on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31957	P	Security update for gdk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28671	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26702	P	fuse on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32327	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:28153	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:27521	P	novell-ipsec-tools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32736	P	libvirt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28632	P	Security update for a2ps	2020-12-01
oval:org.opensuse.security:def:26649	P	wireshark on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28023	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:27486	P	libsoup-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32714	P	libgtop on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28583	P	Security update for libtiff	2020-12-01
oval:org.opensuse.security:def:26498	P	Security update for nextcloud (Moderate)	2020-12-01
oval:org.opensuse.security:def:27959	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:26848	P	yast2-core on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32675	P	gnome-screensaver on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28530	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26414	P	Security update for python-Django (Moderate)	2020-12-01
oval:org.opensuse.security:def:32043	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27948	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26804	P	perl-HTML-Parser on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32626	P	OpenEXR on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28378	P	Security update for quagga (Important)	2020-12-01
oval:org.opensuse.security:def:26357	P	Security update for enigmail (Important)	2020-12-01
oval:org.opensuse.security:def:33457	P	Security update for ipsec-tools	2020-12-01
oval:org.opensuse.security:def:31969	P	Security update for ipsec-tools (Moderate)	2020-12-01
oval:org.opensuse.security:def:28731	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27947	P	Security update for GraphicsMagick (Low)	2020-12-01
oval:org.opensuse.security:def:26790	P	ofed on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32570	P	libtiff3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28294	P	Recommended update for ncurses (Important)	2020-12-01
oval:org.mitre.oval:def:28495	P	RHSA-2009:1036 -- ipsec-tools security update (Important)	2015-08-17
oval:org.mitre.oval:def:13740	P	DSA-1804-1 ipsec-tools -- null pointer dereference, memory leaks	2015-02-23
oval:org.mitre.oval:def:8051	P	DSA-1804 ipsec-tools -- null pointer dereference, memory leaks	2015-02-23
oval:org.mitre.oval:def:13880	P	USN-785-1 -- ipsec-tools vulnerabilities	2014-06-30
oval:org.mitre.oval:def:22832	P	ELSA-2009:1036: ipsec-tools security update (Important)	2014-05-26
oval:org.mitre.oval:def:10581	V	Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c.	2013-04-29
oval:org.debian:def:1804	V	null pointer dereference, memory leaks	2009-05-20
oval:com.redhat.rhsa:def:20091036	P	RHSA-2009:1036: ipsec-tools security update (Important)	2009-05-18

BACK