Vulnerability CVE-2013-7294

Vulnerability Name:

CVE-2013-7294 (CCN-90510)

Assigned:

2013-11-15

Published:

2013-11-15

Updated:

2018-01-03

Summary:

The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in libreswan before 3.7 allows remote attackers to cause a denial of service (restart) via an IKEv2 I1 notification without a KE payload.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2013-7294

Source: CCN
Type: SA56276
libreswan Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
56276

Source: SECUNIA
Type: UNKNOWN
56915

Source: OSVDB
Type: UNKNOWN
101573

Source: CCN
Type: BID-64984
Libreswan 'ikev2parent_inI1outR1()' Function Remote Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
libreswan-cve20137294-dos(90510)

Source: CCN
Type: libreswan GIT Repository
SECURITY: Properly handle IKEv2 I1 notification packet without KE pay

Source: CONFIRM
Type: Exploit, Patch
https://github.com/libreswan/libreswan/commit/2899351224fe2940aec37d7656e1e392c0fe07f0

Source: MLIST
Type: Vendor Advisory
[Swan-announce] 20131211 Libreswan 3.7 released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7294

Vulnerable Configuration:

Configuration 1:

cpe:/a:libreswan:libreswan:3.0:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.1:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.2:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.3:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.4:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.5:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:*:*:*:*:*:*:*:* (Version <= 3.6)

Configuration CCN 1:

cpe:/a:libreswan:libreswan:3.0:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.1:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.6:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.2:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.3:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.4:*:*:*:*:*:*:*

OR cpe:/a:libreswan:libreswan:3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20137294	V	CVE-2013-7294	2022-05-20
oval:org.opensuse.security:def:33753	P	Security update for MozillaFirefox (Important)	2021-12-12
oval:org.opensuse.security:def:34604	P	Security update for speex (Moderate)	2021-12-01
oval:org.opensuse.security:def:33966	P	Security update for openexr (Important)	2021-09-02
oval:org.opensuse.security:def:29418	P	Security update for file (Important)	2021-09-02
oval:org.opensuse.security:def:33922	P	Security update for libX11 (Important)	2021-06-08
oval:org.opensuse.security:def:33898	P	Security update for gdm (Important)	2021-04-28
oval:org.opensuse.security:def:34644	P	Security update for grub2 (Important)	2021-03-02
oval:org.opensuse.security:def:29475	P	Security update for java-1_8_0-ibm (Important)	2021-02-26
oval:org.opensuse.security:def:33810	P	Security update for ghostscript-library (Moderate)	2020-12-01
oval:org.opensuse.security:def:33142	P	libcap-progs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30592	P	Security update for openswan	2020-12-01
oval:org.opensuse.security:def:29713	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:33356	P	Security update for openssl1 (Important)	2020-12-01
oval:org.opensuse.security:def:29121	P	Security update for java-1_7_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:29816	P	Security update for jasper (Moderate)	2020-12-01
oval:org.opensuse.security:def:33508	P	Security update for OpenSSL	2020-12-01
oval:org.opensuse.security:def:29201	P	Security update for openssl (Important)	2020-12-01
oval:org.opensuse.security:def:29873	P	Security update for kernel-source (Important)	2020-12-01
oval:org.opensuse.security:def:33131	P	kvm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30555	P	Security update for PostgreSQL	2020-12-01
oval:org.opensuse.security:def:33859	P	Security update for jakarta-commons-collections (Moderate)	2020-12-01
oval:org.opensuse.security:def:29560	P	Security update for NetworkManager	2020-12-01
oval:org.opensuse.security:def:33221	P	pam on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29120	P	Security update for java-1_7_0-ibm (Moderate)	2020-12-01
oval:org.opensuse.security:def:29767	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:33451	P	Security update for GNOME screensaver	2020-12-01
oval:org.opensuse.security:def:29132	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:29855	P	Security update for the Linux Kernel	2020-12-01
oval:org.opensuse.security:def:33596	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:29332	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:33130	P	krb5-plugin-kdb-ldap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29917	P	Security update for libdb-4_5 (Moderate)	2020-12-01
oval:org.mitre.oval:def:25475	P	SUSE-SU-2014:0178-1 -- Security update for openswan	2014-09-08

BACK