James Steidl - Fotolia
A vulnerability discovered in strongSwan's open source VPN can be used to cause a buffer underflow. What is a buffer underflow vulnerability and how can it be exploited by attackers?
A buffer underflow, or buffer underwrite, vulnerability can be used to enable a denial-of-service attack via resource exhaustion. This type of vulnerability occurs when a buffer communicates between two devices, processes data or is fed data at a lower speed than it is being read from. A program reading from the buffer underflow pauses the process while the buffer refills.
Likewise, a pointer or an index that references a memory location is decreased by one or more points or indices. The pointer is then moved back to a position before the buffer begins refilling and it is placed before the beginning of the valid memory location or it is placed when a negative index is used. This is in contrast to a buffer overflow, which occurs when a portion of the memory has a fixed size but an attempt is made to fill it with more than the amount of data the buffer can handle.
In this case, unpatched versions of strongSwan, an open source VPN, exposed this buffer underflow vulnerability. The underflow vulnerability can be traced to stroke_socket.c, a strongSwan plug-in written in C language.
StrongSwan VPN's Charon server, prior to version 5.6.3, does not check packet length when the inbound packets in the socket are being read. The default buffer size is determined by the operating system and an insufficient packet length can occur during a VPN connection that's being buffered between two processes with other processes competing for CPU time or bandwidth.
The strongSwan VPN offers a utility called stroke, which is used to monitor the VPN's IPsec connections. When the length of a stroke message is invalid, a buffer underflow occurs.
However, to cause a buffer underflow, a remote attacker must have local root permissions to access the socket. The attacker could be a normal user in other accounts or groups, such as root or a VPN group that has sufficient permissions, as user permissions are determined by the VPN group policies established by an administrator on most operating systems, according to a CERT vulnerability note.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on VPN security
Related Q&A from Judith Myerson
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.