Security and Functional Flaw Reporting » History » Version 13

Andreas Steffen, 27.04.2018 12:11
New PGP key

h1. Security and Functional Flaw Reporting

h2. Security Flaws

h3. Reporting

 * Please email any security-relevant flaw to the special mail account *security@strongswan.org*. Whenever possible, encrypt your posting using the "PGP key":http://pgp.key-server.io/0x1EB41ECF25A536E4g for the *security@strongswan.org* account.

h3. Severity Classification

 * *High Severity Flaw*
   * Allows remote access to the VPN with improper, missing, or invalid credentials
   * Allows local escalation of privileges on the server
   * Plain text traffic on the secure interface
   * Key generation and crypto flaws that reduce the difficulty of decrypting secure traffic

 * *Medium Severity Flaw*
   * Remotely crashing the strongSwan daemon, which would allow DoS attacks on the VPN service

 * *Low Severity Flaw*
   * All other minor issues not directly compromising security or availability of the strongSwan daemon or the host the daemon is running on

h3. Action Taken

 * For *high* and *medium* severity vulnerabilities we are going to apply for a "CVE Identifier":http://cve.mitre.org/cve/identifiers/ first. Next we notify all known strongSwan customers and the major Linux distributions, giving them about three weeks to patch their software release. On a predetermined date we officially issue an advisory and a patch for the vulnerability and usually a new stable strongSwan release containing the security fix. The CVE entry will also be published.

 * Minor vulnerabilities of *low* severity will usually be fixed immediately and the corresponding patch will be posted on the strongSwan mailing list.

h3. List of Reported and Fixed Security Flaws

 * Here is the list of all reported strongSwan high- and medium-severity security flaws registered in the "CVE database":http://web.nvd.nist.gov/view/vuln/search-results?query=strongswan which were fixed by the following "security patches":http://download.strongswan.org/security/.

h2. Functional Flaws

 * Please report all non-security-related flaws and bugs by opening a "new issue":http://wiki.strongswan.org/projects/strongswan/issues/new in our wiki. If you don't have a user account yet, please "register":http://wiki.strongswan.org/account/register first.

 * Our Redmine Tracker classifies user issues into the following three categories:
   * *Issue*: Please choose this generic category if you are not sure whether your problem is caused by a strongSwan misconfiguration, an interoperability problem with third-party VPN software or an actual bug in the strongSwan code. We are going to reclassify your report after a first analysis.
   * *Feature*: Please choose this category for requesting new features that we might implement in future versions of the strongSwan software.
   * *Bug*: Please post under this category only if you are quite sure that you identified a bug in the strongSwan code, e.g. if the charon daemon crashes, which it shouldn't. Of course it is helpful if you can already pinpoint the code file where you suspect the bug or, in the case of a crash, provide a backtrace analysis of the core dump. User patches fixing flaws are always welcome.