Release and vulnerability announcements for strongSwan

strongSwan 5.1.1 Released

We are happy to announce the release of strongSwan 5.1.1, which brings many new and improved features and fixes two DoS vulnerabilities.

Denial-of-Service Vulnerability and Potential Authorization Bypass (CVE-2013-6075)

A denial-of-service vulnerability was fixed that could be triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient length check when comparing such identities. All versions since 4.3.3 are affected.

More information is provided in a separate blog entry.

Denial-of-Service Vulnerability (CVE-2013-6076)

A denial-of-service vulnerability was fixed that could be triggered by a crafted IKEv1 fragmentation payload. The cause is a NULL pointer dereference. All versions since 5.0.2 are affected.

More information is provided in a separate blog entry.

Trusted Network Connect (TNC)

The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session with a strongSwan policy enforcement point that uses the tnc-pdp charon plugin.

The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either full SWID Tag or concise SWID Tag ID inventories.

New EAP-RADIUS Features

The XAuth backend in eap-radius now supports multiple XAuth exchanges for different credential types and display messages. All user input is concatenated and verified with a single User-Password RADIUS attribute on the AAA server. With an AAA server that supports this, one can, for example, implement Password+Token authentication with proper dialogs on iOS and OS X clients.

The eap-radius plugin supports forwarding of several Cisco Unity specific RADIUS attributes in corresponding configuration payloads.

IKEv1 Mode Config Push Mode

The charon daemon now supports IKEv1 Mode Config exchanges in push mode. The ipsec.conf option modeconfig=push enables it for both client and server, the same way pluto did.

IPsec Authentication Header (AH) Support

Using the ah ipsec.conf keyword on both IKEv1 and IKEv2 connections, charon can negotiate and install Security Associations integrity-protected by the Authentication Header protocol. Only plain AH (optionally combined with IPComp) SAs are supported, not the deprecated RFC 2401 style ESP+AH bundles. Examples are provided in our test suite (e.g. ikev2/host2host-ah or ikev2/net2net-ah).

Multiple Address Ranges in left and right Options

The left and right options in ipsec.conf can now take multiple address ranges and subnets. This allows connection matching against a larger set of addresses, for example to select a different connection depending on the peer's address.
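To show how the three ipsec.conf options described above (modeconfig=push, ah, and multiple address ranges in right) fit into a configuration, here is a constructed example written for this post. It is not a configuration shipped by the strongSwan project or taken from its test suite; the addresses, identities and certificate file names are placeholders.

```ini
# /etc/ipsec.conf (constructed example, not part of the strongSwan distribution)

# IKEv1 roadwarrior connection using Mode Config in push mode.
# The gateway pushes a virtual IP from rightsourceip to the client
# instead of waiting for the client to request one (pluto-style behaviour).
conn rw-ikev1-push
    keyexchange=ikev1
    modeconfig=push
    left=192.0.2.1
    leftcert=gatewayCert.pem
    leftid=@gateway.example.org
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.3.0.0/24
    auto=add

# IKEv2 net-to-net connection protected by AH instead of ESP.
# The ah= proposal names the integrity algorithm; there is no esp= line,
# because plain AH (optionally with IPComp) is supported but not ESP+AH bundles.
# right lists several ranges and subnets (new in 5.1.1): this conn matches
# peers from any of them, and a peer outside them falls through to other
# conn sections or is rejected.
conn net-net-ah
    keyexchange=ikev2
    ah=sha256
    left=192.0.2.1
    leftcert=gatewayCert.pem
    leftid=@gateway.example.org
    leftsubnet=10.1.0.0/16
    right=198.51.100.0/24,203.0.113.10-203.0.113.20
    rightid=@peer.example.org
    rightsubnet=10.2.0.0/16
    auto=add
```

After an ipsec reload, ipsec statusall lists both connections; once net-net-ah is up, ip xfrm state shows the installed SAs with proto ah rather than proto esp, which is a quick way to confirm that AH was actually negotiated.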

Other Notable Changes

Download it from here; a more extensive changelog can be found on our wiki.