
How can attackers exploit a buffer underflow vulnerability?

A vulnerability in strongSwan's open source VPN software can cause a buffer underflow. Learn what a buffer underflow is and how attackers can exploit it with Judith Myerson.

A vulnerability discovered in strongSwan's open source VPN can be used to cause a buffer underflow. What is a buffer underflow vulnerability and how can it be exploited by attackers?

A buffer underflow, also called a buffer underwrite or underread, is a memory-safety defect: the program addresses data before the start of a buffer instead of after its end. It should not be confused with a buffer underrun, the timing condition in which a buffer sitting between two devices or processes is drained faster than it is filled, so the consumer stalls until the buffer refills. An underrun only degrades throughput; an underflow corrupts or leaks memory, and in the strongSwan case it can be used to exhaust resources and cause a denial of service.

An underflow typically arises when a pointer or index that should stay inside the buffer is decremented, or is computed from a negative or wrapped value, so that it lands before the buffer's first valid byte. Because lengths and offsets in C are usually unsigned, a subtraction that should go negative instead wraps to a very large number, and the subsequent read, write or allocation uses that bogus size. This is the mirror image of a buffer overflow, in which a fixed-size region of memory is filled with more data than it can hold.

Unpatched versions of strongSwan, an open source IPsec VPN, exposed exactly this kind of flaw. The vulnerability is in stroke_socket.c, part of strongSwan's stroke plug-in, which is written in C.

Before version 5.6.3, strongSwan's charon daemon did not validate the length of the messages it read from the stroke socket. That length is carried in the message itself and is therefore supplied by whoever writes to the socket, not by the operating system or by the timing of the connection. A message whose stated length is too small to cover its own header is accepted as-is and used in the arithmetic that decides how many bytes remain to be read.

strongSwan ships a command-line utility called stroke that uses this socket to configure and monitor the VPN's IPsec connections. A stroke message with an invalid length, one shorter than the message's own fixed header, triggers the buffer underflow when charon reads it.
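The following C program is an added example, not strongSwan's own code, that models the two points made above: the "index before the start of the buffer" from the general description, and the unchecked length field in the stroke reader. A length-prefixed message reader that trusts the peer's length field is shown beside a hardened version that rejects lengths shorter than the header. The wire format, the HDR_LEN and MAX_MSG constants, the function names and the sample messages are all assumptions constructed for the example; only the failure mode, an unsigned subtraction that wraps when the stated length is smaller than the header, follows the page's description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format, loosely modelled on a length-prefixed control
 * message: a 2-byte little-endian total length (counting the length field
 * itself) followed by the payload. Hypothetical; not strongSwan's stroke_msg_t. */
#define HDR_LEN 2u
#define MAX_MSG 1024u

/* In-memory stand-in for a blocking UNIX-socket read. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Deliver exactly n bytes or report failure. A real blocking read would
 * instead sit in read(2) waiting for bytes that never arrive. */
static bool read_all(stream_t *s, uint8_t *dst, size_t n)
{
    if (n > s->len - s->pos) {
        return false;
    }
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return true;
}

/* Decode the 16-bit length field independent of host byte order. */
static bool read_len(stream_t *s, uint16_t *len)
{
    uint8_t hdr[HDR_LEN];
    if (!read_all(s, hdr, sizeof hdr)) {
        return false;
    }
    *len = (uint16_t)(hdr[0] | (hdr[1] << 8));
    return true;
}

/* Vulnerable reader: trusts the peer's length field. The remaining byte
 * count is computed in unsigned arithmetic, so a length smaller than the
 * header (0 or 1) wraps to just under SIZE_MAX. That is the "index before
 * the buffer" expressed as an unsigned length: the reader would then ask
 * for ~2^64 bytes into a buffer sized from len. Returns the byte count it
 * would request so the wrap can be observed without performing the read. */
static size_t requested_bytes_vulnerable(const uint8_t *msg, size_t msg_len)
{
    stream_t s = { msg, msg_len, 0 };
    uint16_t len;
    if (!read_len(&s, &len)) {
        return 0;
    }
    return (size_t)len - HDR_LEN;       /* no minimum-length check: wraps */
}

/* Hardened reader: reject any length that cannot describe a complete
 * message before it is used in arithmetic, and cap it so allocations stay
 * bounded. On success copies the NUL-terminated payload into out. */
static bool read_frame_hardened(const uint8_t *msg, size_t msg_len,
                                char *out, size_t out_sz)
{
    stream_t s = { msg, msg_len, 0 };
    uint16_t len;
    if (!read_len(&s, &len)) {
        return false;
    }
    if (len < HDR_LEN || len > MAX_MSG) {
        fprintf(stderr, "invalid message length %u\n", (unsigned)len);
        return false;
    }
    size_t remaining = len - HDR_LEN;   /* now provably in [0, MAX_MSG-2] */
    if (remaining + 1 > out_sz) {
        return false;
    }
    if (!read_all(&s, (uint8_t *)out, remaining)) {
        return false;                   /* truncated message */
    }
    out[remaining] = '\0';
    return true;
}

/* Constructed sample messages. */
static const uint8_t MSG_GOOD[]      = { 0x07, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t MSG_ZERO_LEN[]  = { 0x00, 0x00 };           /* len 0 < header */
static const uint8_t MSG_ONE_LEN[]   = { 0x01, 0x00 };           /* len 1 < header */
static const uint8_t MSG_TRUNCATED[] = { 0x09, 0x00, 'h', 'i' }; /* claims 9, sends 4 */

int main(void)
{
    char buf[MAX_MSG];
    printf("vulnerable, len=0: would request %zu bytes\n",
           requested_bytes_vulnerable(MSG_ZERO_LEN, sizeof MSG_ZERO_LEN));
    printf("hardened, len=0: %s\n",
           read_frame_hardened(MSG_ZERO_LEN, sizeof MSG_ZERO_LEN, buf, sizeof buf)
               ? "accepted" : "rejected");
    if (read_frame_hardened(MSG_GOOD, sizeof MSG_GOOD, buf, sizeof buf)) {
        printf("hardened, good message: payload \"%s\"\n", buf);
    }
    return 0;
}
```

Compile with `cc -Wall example.c` and run it: for a zero-length message the vulnerable reader reports a request for 2^64-2 bytes, which a real implementation would try to satisfy with a blocking read or an allocation, tying up the daemon. The hardened check compares the raw 16-bit field against the header size before any subtraction happens; that ordering is the whole point, since once the value has wrapped it looks like an ordinary, if enormous, unsigned length.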

Triggering the underflow, however, requires the ability to write to the stroke socket, which by default is restricted to root. Administrators can also open the socket to a dedicated VPN group, so any local user in a sufficiently privileged account or group can send the malformed message, as the CERT vulnerability note on the issue explains. In practice this makes the flaw a local denial of service; a remote attacker would first need a foothold on the host with those permissions.


This was last published in September 2018
