-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2016-3071: IKEv2 aes_xcbc transform causes restart of IKE daemon https://distributedweaknessfiling.org/CVE-2016-3071 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3071 This alert (and any possible updates) is available at the following URLs: https://libreswan.org/security/CVE-2016-3071/ The Libreswan Project found a bug in the default proposal set for IKEv2. This code, introduced in version 3.16, includes the AES_XCBC integrity algorithm. It wrongly assumes that the NSS cryptographic library supports this algorithm. As a result, the IKE daemon crashes and restarts when the aes_xcbc transform is selected. No remote code execution is possible. Vulnerable versions: 3.16 Not vulnerable: 3.15 and earlier, 3.17 and later Vulnerability information ========================= The default IKEv2 proposal set was amended for libreswan version 3.16. It wrongly includes the aes_xcbc transform, which is not supported in the current NSS cryptographic library. An IKEv2 negotiation that results in aes_xcbc being used causes the IKE daemon to crash and restart. Exploitation ============ This denial of service can be launched by anyone using a single IKE packet. No authentication credentials are required. No remote code execution is possible through this vulnerability. Libreswan automatically restarts when it crashes. Workaround ========== Only connections that use IKEv2 with the default proposal set are affected, as the aes_xcbc transform cannot be specified in the ike= configuration. Setting an explicit ike= configuration line causes the default proposal set to be ignored. For example, setting ike=aes-sha2 will prevent the crash. Care should be taken to specify an IKE algorithm that is supported and allowed by the peer as well. Another workaround is to require IKEv1 by setting ikev2=no.
Patches ======= Patches for libreswan version 3.16 and 3.17rc2 are available at: https://libreswan.org/security/CVE-2016-3071/ The patch for 3.16 is included at the end of this advisory. Note that email clients or web browsers might mangle the patch included with this notice. Credits ======= This vulnerability was found by The Libreswan Project About libreswan (https://libreswan.org/) ======================================== Libreswan is a free implementation of the Internet Protocol Security (IPsec) suite and Internet Key Exchange (IKE) protocols. It is a descendant (fork) of openswan 2.6.38. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). ============================================================================= diff --git a/programs/pluto/spdb.c b/programs/pluto/spdb.c index 8ec60ec..b64e466 100644 - --- a/programs/pluto/spdb.c +++ b/programs/pluto/spdb.c @@ -209,13 +209,6 @@ static struct db_attr otpsk1536aes128sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, }; - -static struct db_attr otpsk1536aes128xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_PRESHARED_KEY }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, - -}; static struct db_attr otpsk1536aes256sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 }, 
@@ -230,13 +223,6 @@ static struct db_attr otpsk1536aes256sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, }; - -static struct db_attr otpsk1536aes256xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_PRESHARED_KEY }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, - -}; static struct db_attr otpsk2048aes128sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, @@ -252,13 +238,6 @@ static struct db_attr otpsk2048aes128sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, }; - -static struct db_attr otpsk2048aes128xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_PRESHARED_KEY }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, - -}; static struct db_attr otpsk2048aes256sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 }, 
@@ -273,13 +252,6 @@ static struct db_attr otpsk2048aes256sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, }; - -static struct db_attr otpsk2048aes256xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_PRESHARED_KEY }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, - -}; static struct db_attr otpsk2048aes16gcm128sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 }, @@ -552,13 +524,6 @@ static struct db_attr otnull2048aes128sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, }; - -static struct db_attr otnull2048aes128xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_AUTH_NULL }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, - -}; static struct db_attr otnull2048aes256sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 }, 
@@ -573,13 +538,6 @@ static struct db_attr otnull2048aes256sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, }; - -static struct db_attr otnull2048aes256xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_AUTH_NULL }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, - -}; static struct db_attr otnull2048aes16gcm128sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 }, @@ -751,13 +709,6 @@ static struct db_attr otrsasig1536aes128sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, }; - -static struct db_attr otrsasig1536aes128xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, - -}; static struct db_attr otrsasig1536aes256sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 }, 
@@ -772,13 +723,6 @@ static struct db_attr otrsasig1536aes256sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, }; - -static struct db_attr otrsasig1536aes256xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, - -}; static struct db_attr otrsasig2048aes128sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, @@ -794,13 +738,6 @@ static struct db_attr otrsasig2048aes128sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, }; - -static struct db_attr otrsasig2048aes128xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 }, - -}; static struct db_attr otrsasig2048aes256sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 }, 
@@ -815,13 +752,6 @@ static struct db_attr otrsasig2048aes256sha2[] = { { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, }; - -static struct db_attr otrsasig2048aes256xaes[] = { - - { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC }, - - { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC }, - - { .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG }, - - { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 }, - - { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 }, - -}; static struct db_attr otrsasig2048aes16gcm128sha1[] = { { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 }, @@ -1476,27 +1406,23 @@ static struct db_trans IKEv2_oakley_trans_psk[] = { /* * IKEv2 proposal #2: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otpsk1536aes256sha1) }, { AD_TR(KEY_IKE, otpsk1536aes256sha2) }, - - { AD_TR(KEY_IKE, otpsk1536aes256xaes) }, { AD_TR(KEY_IKE, otpsk2048aes256sha1) }, { AD_TR(KEY_IKE, otpsk2048aes256sha2) }, - - { AD_TR(KEY_IKE, otpsk2048aes256xaes) }, /* * IKEv2 proposal #3: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otpsk1536aes128sha1) }, { AD_TR(KEY_IKE, otpsk1536aes128sha2) }, - - { AD_TR(KEY_IKE, otpsk1536aes128xaes) }, { AD_TR(KEY_IKE, otpsk2048aes128sha1) }, { AD_TR(KEY_IKE, otpsk2048aes128sha2) }, - - { AD_TR(KEY_IKE, otpsk2048aes128xaes) }, }; static struct db_trans IKEv2_oakley_trans_null[] = { 
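Review bot: The retained comment for "IKEv2 proposal #3" in IKEv2_oakley_trans_psk still reads `AES_CBC[256]`, although every entry under it is an aes128 transform (`otpsk1536aes128sha1` through `otpsk2048aes128sha2`); since the commit already edits the adjacent integrity line, that header should become `* AES_CBC[128]`. The same mismatch is visible in the proposal #3 comments of IKEv2_oakley_trans_null, IKEv2_oakley_trans_rsasig and IKEv2_oakley_trans_pskrsasig in the later hunks. A comment that misstates the key length makes these default-proposal tables harder to audit, and an unaudited default entry is exactly what this advisory is about. Each table begins above its hunk, so proposal #1 cannot be checked from here.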
@@ -1529,21 +1455,19 @@ static struct db_trans IKEv2_oakley_trans_null[] = { /* * IKEv2 proposal #2: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP2048 */ { AD_TR(KEY_IKE, otnull2048aes256sha1) }, { AD_TR(KEY_IKE, otnull2048aes256sha2) }, - - { AD_TR(KEY_IKE, otnull2048aes256xaes) }, /* * IKEv2 proposal #3: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP2048 */ { AD_TR(KEY_IKE, otnull2048aes128sha1) }, { AD_TR(KEY_IKE, otnull2048aes128sha2) }, - - { AD_TR(KEY_IKE, otnull2048aes128xaes) }, }; static struct db_trans IKEv2_oakley_trans_rsasig[] = { @@ -1576,27 +1500,23 @@ static struct db_trans IKEv2_oakley_trans_rsasig[] = { /* * IKEv2 proposal #2: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otrsasig1536aes256sha1) }, { AD_TR(KEY_IKE, otrsasig1536aes256sha2) }, - - { AD_TR(KEY_IKE, otrsasig1536aes256xaes) }, { AD_TR(KEY_IKE, otrsasig2048aes256sha1) }, { AD_TR(KEY_IKE, otrsasig2048aes256sha2) }, - - { AD_TR(KEY_IKE, otrsasig2048aes256xaes) }, /* * IKEv2 proposal #3: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otrsasig1536aes128sha1) }, { AD_TR(KEY_IKE, otrsasig1536aes128sha2) }, - - { AD_TR(KEY_IKE, otrsasig1536aes128xaes) }, { AD_TR(KEY_IKE, otrsasig2048aes128sha1) }, { AD_TR(KEY_IKE, otrsasig2048aes128sha2) }, - - { AD_TR(KEY_IKE, otrsasig2048aes128xaes) }, }; /* In this table, either PSK or RSA sig is accepted. 
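Review bot: Nothing left in IKEv2_oakley_trans_null or IKEv2_oakley_trans_rsasig records why AES_XCBC is absent, so a later edit could re-add an integrity algorithm that the NSS-backed code does not implement and reintroduce the daemon restart. I would add a comment above the proposal comments in each IKEv2 table, for example `/* List only integrity algorithms the NSS-backed crypto implements; AES_XCBC was removed for CVE-2016-3071. */`. As far as these hunks show, the fix works purely by curating the tables and adds no check that a selected integrity transform is actually supported; the selection code is outside the diff, so that should be confirmed separately. Both tables start above their hunks.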
@@ -1647,39 +1567,31 @@ static struct db_trans IKEv2_oakley_trans_pskrsasig[] = { /* * IKEv2 proposal #2: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otrsasig1536aes256sha1) }, { AD_TR(KEY_IKE, otpsk1536aes256sha1) }, { AD_TR(KEY_IKE, otrsasig1536aes256sha2) }, { AD_TR(KEY_IKE, otpsk1536aes256sha2) }, - - { AD_TR(KEY_IKE, otrsasig1536aes256xaes) }, - - { AD_TR(KEY_IKE, otpsk1536aes256xaes) }, { AD_TR(KEY_IKE, otrsasig2048aes256sha1) }, { AD_TR(KEY_IKE, otpsk2048aes256sha1) }, { AD_TR(KEY_IKE, otrsasig2048aes256sha2) }, { AD_TR(KEY_IKE, otpsk2048aes256sha2) }, - - { AD_TR(KEY_IKE, otrsasig2048aes256xaes) }, - - { AD_TR(KEY_IKE, otpsk2048aes256xaes) }, /* * IKEv2 proposal #3: * AES_CBC[256] - - * SHA1, SHA2_256, AES_XCBC + * SHA1, SHA2_256 * MODP1536, MODP2048 */ { AD_TR(KEY_IKE, otrsasig1536aes128sha1) }, { AD_TR(KEY_IKE, otpsk1536aes128sha1) }, { AD_TR(KEY_IKE, otrsasig1536aes128sha2) }, { AD_TR(KEY_IKE, otpsk1536aes128sha2) }, - - { AD_TR(KEY_IKE, otrsasig1536aes128xaes) }, - - { AD_TR(KEY_IKE, otpsk1536aes128xaes) }, { AD_TR(KEY_IKE, otrsasig2048aes128sha1) }, { AD_TR(KEY_IKE, otpsk2048aes128sha1) }, { AD_TR(KEY_IKE, otrsasig2048aes128sha2) }, { AD_TR(KEY_IKE, otpsk2048aes128sha2) }, - - { AD_TR(KEY_IKE, otrsasig2048aes128xaes) }, - - { AD_TR(KEY_IKE, otpsk2048aes128xaes) }, }; /* -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJXAovfAAoJEIX/S0OzD8b5rWEP/A07d5e+lXlpJXSCRHp9X4V7 CjYYunZ2GSJOIO5BXyI+pvXGRvDY5LxuD/McpiHlfG5E5VgbX5YZAVFaaKeKuWif MGggUWDK5a4AZtHhKCxgUiPHm7ejJ2if10+1t/gnnTVl4l2PUyMuqEFle6+OxBFf Ult1cOT4YqxLQ0JZAs/DB7wlGJNrvjAzQAi5WhMiFl8hUPKut9E4hugxyND/Ihg8 j42gqOOULEQfYwy1r0vP0piVi9KE/H/eLsthsPauatEUVlZyH4XU8LvEXtOrTaE2 e49nGjkx+Q/NPYGGkPh/jUvaFoDihKnt2yxcSijBKTjqAATcqygSdqRpwZX+UEYP wG1K0SQKlYLxOKxvARbfuTFfwMHi0hSgjWC2aUSZAJM+o4sgPSx0QdcytWom2/x3 p3tLnM6L49185m69uYB+aaU3pbtM+pprQYuVtpxAQPqknkBdwX0X5jV7hj156DA2 LUOVl7O3qjJs3eGqwFfv/z2FV9TJutMV3XaOuZFqqQ6y0uMMjou/uHWQRUaYl1lb 
jyt+Q8e1svWnvJvFlFw1A/yyE/0xdceic5G2gglPMH05MT+rAGv/nhzwYzDW9FRE P2V1qKromUGbCz0QaMwqzxm4IOpYzr/g3hSi1olvTGg/m0Nz06tfedDgEFMTYkRt 8gAeqm2y0+nTt3epTiuY =BuJ/ -----END PGP SIGNATURE-----