CVE-2021-41990
📋 TL;DR
CVE-2021-41990 is an integer overflow vulnerability in the gmp plugin of strongSwan VPN software. Attackers can trigger this by sending a specially crafted certificate with an RSASSA-PSS signature, potentially causing denial of service. This affects strongSwan installations using the gmp plugin before version 5.9.4.
💻 Affected Systems
- strongSwan VPN
📦 What is this software?
Fedora by Fedoraproject
Strongswan by Strongswan
⚠️ Risk & Real-World Impact
Worst Case
Remote denial of service causing strongSwan service crash, disrupting VPN connectivity for all users
Likely Case
Service crash requiring manual restart, temporary VPN outage
If Mitigated
No impact if gmp plugin is disabled or system is patched
🎯 Exploit Status
Exploitation requires sending crafted certificates during VPN handshake. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.4
Vendor Advisory: https://github.com/strongswan/strongswan/releases/tag/5.9.4
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download strongSwan 5.9.4 or later from the official repository.
3. Compile and install following the strongSwan documentation.
4. Restart the strongSwan services.
🔧 Temporary Workarounds
Disable gmp plugin (Linux)
Switch to an alternative cryptographic plugin such as openssl:
1. Edit the strongSwan configuration to remove or comment out 'load = gmp'.
2. Change it to 'load = openssl' or another supported plugin.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to VPN endpoints
- Use certificate pinning or strict certificate validation policies
🔍 How to Verify
Check if Vulnerable:
Check the strongSwan version with 'strongswan --version' and review the configuration files for gmp plugin usage.
Check Version:
strongswan --version
Verify Fix Applied:
Confirm the version is 5.9.4 or later: 'strongswan --version | grep -i strongswan'
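Added here as a worked version of the check above; this script is not part of the advisory or the strongSwan project. It parses the 'strongswan --version' string and the 'loaded plugins:' line printed by 'strongswan statusall' and classifies a host as fixed, vulnerable (pre-5.9.4 with gmp loaded) or not exposed. The embedded sample outputs are constructed, and the exact command names and output formats are assumptions to confirm against your own installation.

```shell
#!/bin/sh
# Added example (not from the strongSwan project): decide whether a host is
# exposed to CVE-2021-41990 from the output of 'strongswan --version' and the
# 'loaded plugins:' line printed by 'strongswan statusall'.
# The two SAMPLE_* strings are CONSTRUCTED stand-ins for that output; on a real
# host replace them with e.g. SAMPLE_VERSION=$(strongswan --version).

FIXED_VERSION="5.9.4"   # first release carrying the gmp plugin fix

SAMPLE_VERSION="Linux strongSwan U5.9.1/K5.10.0-8-amd64
University of Applied Sciences Rapperswil, Switzerland"
SAMPLE_STATUS="Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-8-amd64, x86_64):
  uptime: 2 minutes, since Jan 01 00:00:00 2022
  loaded plugins: charon aes sha1 sha2 random nonce x509 revocation pubkey pkcs1 pem gmp kernel-netlink socket-default stroke"

# Pull the userland version "X.Y.Z" out of the "... strongSwan UX.Y.Z/K..." line.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*strongSwan U\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 when A >= B, comparing dotted components numerically
# (so 5.10.0 sorts after 5.9.4, which a plain string compare would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# gmp_loaded STATUS_OUTPUT: exit 0 when "gmp" appears on the loaded plugins line.
gmp_loaded() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*loaded plugins:' \
        | grep -Eq '(^|[[:space:]])gmp([[:space:]]|$)'
}

# assess VERSION_OUTPUT STATUS_OUTPUT: print unknown, fixed, vulnerable or not-exposed.
assess() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "fixed"; return 0; fi
    if gmp_loaded "$2"; then echo "vulnerable"; else echo "not-exposed"; fi
}

echo "strongSwan $(extract_version "$SAMPLE_VERSION"): $(assess "$SAMPLE_VERSION" "$SAMPLE_STATUS")"
```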
📡 Detection & Monitoring
Log Indicators:
- Unexpected strongSwan service crashes
- Certificate validation errors in VPN logs
- Connection failures during handshake
Network Indicators:
- Unusual certificate sizes or formats in VPN traffic
- Multiple failed connection attempts with malformed certificates
SIEM Query:
source="strongswan" AND (event="crash" OR (event="error" AND message="*certificate*" AND message="*overflow*"))
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf
- https://github.com/strongswan/strongswan/releases/tag/5.9.4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FJSATD2R2XHTG4P63GCMQ2N7EWKMME5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQSQ3BEC22NF4NCDZVCT4P3Q2ZIAJXGJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3TQ32JLJOBJDB2EJKSX2PBPB5NFG2D4/
- https://www.debian.org/security/2021/dsa-4989
- https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-%28cve-2021-41990%29.html