Florian Picca reported a bug the charon-tkm daemon in strongSwan an IKE/IPsec suite.
The TKM-backed version of the charon IKE daemon (charon-tkm) doesn't check the length of received Diffie-Hellman public values before copying them to a fixed-size buffer on the stack, causing a buffer overflow that could potentially be exploited for remote code execution by sending a specially crafted and unauthenticated IKE_SA_INIT message.
https://security-tracker.debian.org/tracker/DSA-5560-1
Continue reading...
The TKM-backed version of the charon IKE daemon (charon-tkm) doesn't check the length of received Diffie-Hellman public values before copying them to a fixed-size buffer on the stack, causing a buffer overflow that could potentially be exploited for remote code execution by sending a specially crafted and unauthenticated IKE_SA_INIT message.
https://security-tracker.debian.org/tracker/DSA-5560-1
Continue reading...