Release date: Monday Jun 4, 2019
Contact: team@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

CVE-2019-12312: IKEv2 bogus Informational Exchange request can cause NULL pointer dereference

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2019-12312/

The Libreswan Project was notified by user GuoJiaXing-Lab124 on GitHub of a bug in handling bogus encrypted INFORMATIONAL packet requests sent before the IKE_AUTH exchange has completed. These packets are bogus, and libreswan attempted to send an encrypted error message without having an encryption key due to the skipped IKE_AUTH exchange. This resulted in a NULL pointer dereference, causing libreswan to crash and restart.

As the impact of this vulnerability was deemed low, no CVE was requested for this vulnerability. The Libreswan Project was notified about a CVE entry for this issue with minimal and partially incorrect information, which led to this announcement for CVE-2019-12312, which MITRE can hopefully use to replace the original CVE submission text.

Vulnerable versions: libreswan 3.27
Not vulnerable     : libreswan 3.0 - 3.26, 3.28 and later

Vulnerability information
=========================

The IKEv2 protocol in normal operation starts out with an IKE_SA_INIT packet exchange, followed by an IKE_AUTH packet exchange. The IKE_AUTH exchange is encrypted with key material, called SKEYSEED, derived from the initial Diffie-Hellman key exchange values in IKE_SA_INIT.

When libreswan received an IKE_SA_INIT, followed by an INFORMATIONAL exchange instead of an IKE_AUTH exchange, it would reject this bogus exchange. During the error path, it attempted to send an error, which for an INFORMATIONAL exchange would be encrypted. However, since IKE_AUTH had not completed, no proper encryption keys had been installed yet, and encryption of the error message would fail due to a NULL pointer dereference. libreswan would crash and restart.

Exploitation
============

By continuing to send these packets, a denial of service attack is possible. This vulnerability cannot be abused for remote code execution.

Workaround
==========

A possible workaround is to reconfigure IKEv2 connections to use IKEv1, using the keyword ikev2=never. However, this must be supported and allowed by the IKE peer as well. It is recommended to upgrade or patch libreswan instead of downgrading to IKEv1.

History
=======

- 2019-05-12 Issue reported via GitHub at https://github.com/libreswan/libreswan/issues/246
- 2019-05-14 Issue fixed in git master - no CVE was deemed required
- 2019-05-?? CVE issue requested by an unknown entity (neither requester nor MITRE contacted The Libreswan Project for verification)
- 2019-05-24 CVE-2019-12312 published by MITRE
- 2019-06-03 The Libreswan Project informed of CVE-2019-12312 by Daniel Kahn Gillmor
- 2019-06-04 This CVE announcement posted by The Libreswan Project.

Credits
=======

This vulnerability was found and reported by GitHub user GuoJiaXing-Lab124.

Upgrading
=========

To address this vulnerability, please upgrade to libreswan 3.28 or later. For those who cannot upgrade, a patch is provided at the above URL. The patch has also been included below for reference.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
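The error path described under "Vulnerability information", as an added example that is not libreswan's code: a simplified C model showing why an encrypted error reply needs a key-material check first. `struct ike_sa`, `send_encrypted_notification` and the XOR stand-in cipher are hypothetical names, and the key and payload bytes are constructed.

```c
/* Added example: simplified model of the error path, not libreswan code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum reply { REPLY_SENT_ENCRYPTED, REPLY_DROPPED_NO_KEYS };

struct ike_sa {                  /* hypothetical stand-in for pluto's state */
    int skeyseed_calculated;     /* set once DH and SKEYSEED are computed */
    const uint8_t *sk_e;         /* encryption key, NULL until derived */
    size_t sk_e_len;
};

/* Toy XOR "cipher" so the key pointer really is dereferenced. */
static void encrypt_payload(const struct ike_sa *sa, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= sa->sk_e[i % sa->sk_e_len];  /* NULL deref without keys */
}

/* Error path for an exchange whose replies must be encrypted. The guard
 * is what the unpatched path lacked: no key material, no reply. */
enum reply send_encrypted_notification(const struct ike_sa *sa,
                                       uint8_t *buf, size_t len)
{
    if (sa == NULL || !sa->skeyseed_calculated ||
        sa->sk_e == NULL || sa->sk_e_len == 0)
        return REPLY_DROPPED_NO_KEYS;
    encrypt_payload(sa, buf, len);
    return REPLY_SENT_ENCRYPTED;
}

int main(void)
{
    static const uint8_t key[4] = { 0x10, 0x20, 0x30, 0x40 }; /* constructed */
    uint8_t notify[4] = { 0x00, 0x00, 0x00, 0x07 };           /* constructed */

    struct ike_sa after_init_only = { 0, NULL, 0 };  /* no keys derived yet */
    struct ike_sa keyed = { 1, key, sizeof key };

    printf("no keys: %d\n", send_encrypted_notification(&after_init_only, notify, 4));
    printf("keyed:   %d\n", send_encrypted_notification(&keyed, notify, 4));
    return 0;
}
```
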
Patch
=====

diff -Naur libreswan-3.27-orig/programs/pluto/ikev2_send.c libreswan-3.27/programs/pluto/ikev2_send.c - --- libreswan-3.27-orig/programs/pluto/ikev2_send.c 2018-10-07 22:52:09.000000000 -0400 +++ libreswan-3.27/programs/pluto/ikev2_send.c 2019-06-03 19:17:39.951046484 -0400 @@ -407,6 +407,17 @@ chunk_t *ndata) { passert(md != NULL); /* always a reply */ + + /* + * The caller must have computed DH and SKEYSEED; but may not + * have authenticated (i.e., don't assume that the IKE SA has + * "established"). + */ + if (!pst->hidden_variables.st_skeyid_calculated) { + loglog(RC_LOG_SERIOUS, "Cannot send an encrypted response without SKEYSEED, dropping packet"); + return; + } + const char *const notify_name = enum_short_name(&ikev2_notify_names, ntype); enum isakmp_xchg_types exchange_type = md->hdr.isa_xchg;
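
Review bot: the new guard dereferences `pst` in `if (!pst->hidden_variables.st_skeyid_calculated)` while only `md` is asserted non-NULL on the line above it; since this change fixes a NULL pointer dereference on this same path, add `passert(pst != NULL);` next to the existing `passert(md != NULL);` or fold the NULL test into the condition. Separately, the `loglog(RC_LOG_SERIOUS, ...)` line fires once per dropped packet and names neither the peer nor the exchange, so a peer that keeps repeating the bogus request controls log volume at the serious level; consider rate-limiting the message and including the sender in it.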