Release date: Tuesday, February 28, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

=========================================================================
CVE-2023-23009: Malicious IKEv2 TS payload can cause libreswan to restart
=========================================================================

This alert (and any updates) is available at the following URL:

https://libreswan.org/security/CVE-2023-23009/

The Libreswan Project was notified by github user "zhaodl" of an issue
with receiving a malformed IKEv2 packet that would cause a crash and
restart of the libreswan pluto daemon. When sent continuously, this could
lead to a denial of service attack.

Vulnerable versions: libreswan 4.2 - 4.9
Not vulnerable     : libreswan 3.x, 4.0, 4.1 and 4.10+

Vulnerability information
=========================

A change in the libreswan 4.2 Traffic Selector parsing code dropped a
check that rejected malformed Traffic Selector payloads. Without it, the
parsing code continues after a failed parse and stumbles into a double
free, leading to a crash and restart of the pluto daemon. No remote code
execution is possible.

Exploitation
============

This vulnerability requires the remote peer to first have successfully
authenticated with libreswan, as the vulnerable code is executed after
peer authentication. Unless Opportunistic Encryption or NULL
authentication connections are configured, only peers explicitly
authorized to connect can cause this crash to happen.

Workaround
==========

If malicious users are triggering this bug, these users can be prevented
from further access. If X.509 certificates are used, these certificates
can be revoked. Otherwise, the ikev2-authorize= option can be configured
to deny these users further access.

History
=======

* 2022-12-20 Initial report via https://github.com/libreswan/libreswan/issues/954
* 2023-02-28 Release of patch and libreswan 4.10

Credits
=======

This vulnerability was found and reported by github user zhaodl.
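As an added illustration (not libreswan code) of the check the Vulnerability information section describes, the following C parses IKEv2 Traffic Selector substructures and rejects the payload at the first malformed selector, so the caller never continues with a half-parsed header; parse_ts and count_valid_ts are hypothetical names.

```c
/* Added example, not libreswan code: bounds-checked parsing of IKEv2
 * Traffic Selector (TS) substructures (RFC 7296 section 3.13.1).
 * parse_ts and count_valid_ts are hypothetical names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define TS_IPV4_ADDR_RANGE 7
#define TS_IPV6_ADDR_RANGE 8
#define TS_FIXED_LEN 8   /* type, protocol id, selector length, start/end port */

struct ts_header {
    uint8_t type, ipprotoid;
    uint16_t selector_len, start_port, end_port;
};

/* Parse one TS from buf[0..len). Returns false on any malformation instead
 * of letting the caller continue with a half-initialised *hdr (the missing check). */
static bool parse_ts(const uint8_t *buf, size_t len, struct ts_header *hdr)
{
    if (len < TS_FIXED_LEN)
        return false;                          /* truncated header */
    hdr->type = buf[0];
    hdr->ipprotoid = buf[1];
    hdr->selector_len = (uint16_t)(buf[2] << 8 | buf[3]);
    hdr->start_port = (uint16_t)(buf[4] << 8 | buf[5]);
    hdr->end_port = (uint16_t)(buf[6] << 8 | buf[7]);
    size_t addr_len;
    switch (hdr->type) {
    case TS_IPV4_ADDR_RANGE: addr_len = 4; break;
    case TS_IPV6_ADDR_RANGE: addr_len = 16; break;
    default: return false;                     /* unknown TS type */
    }
    /* Start and end address follow; declared length must fit type and buffer. */
    if (hdr->selector_len != TS_FIXED_LEN + 2 * addr_len || hdr->selector_len > len)
        return false;
    return hdr->start_port <= hdr->end_port;
}

/* Walk a TS payload body carrying `count` selectors; -1 at the first bad one. */
int count_valid_ts(const uint8_t *body, size_t len, unsigned count)
{
    int n = 0;
    for (; count > 0; count--, n++) {
        struct ts_header h;
        if (!parse_ts(body, len, &h))
            return -1;
        body += h.selector_len; len -= h.selector_len;
    }
    return n;
}
```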
Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.10 or later.
For those who cannot upgrade, patches are provided at the above URL, and
are included for reference below.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec
uses strong cryptography to provide both authentication and encryption
services. These services allow you to build secure tunnels through
untrusted networks. Everything passing through the untrusted network is
encrypted by the IPsec gateway machine, and decrypted by the gateway at
the other end of the tunnel. The resulting tunnel is a virtual private
network (VPN).

Patches
=======

Please note that email clients might mangle the patch text included.
Please use the above advisory URL to download a proper patch file.

===============================
Patch for libreswan 4.4 to 4.9
===============================

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c index 3f7519ca38..f06c40ba46 100644 - - --- a/programs/pluto/ikev2_ts.c +++ b/programs/pluto/ikev2_ts.c @@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, &ts_h, sizeof(ts_h), &ts_body_pbs); + if (d != NULL) { + llog_diag(RC_LOG, logger, &d, "%s", ""); + return false; + } + switch (ts_h.isath_type) { case IKEv2_TS_IPV4_ADDR_RANGE: case IKEv2_TS_IPV6_ADDR_RANGE:

===============================
Patch for libreswan 4.2 to 4.3
===============================

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c index 3f7519ca38..f06c40ba46 100644 - - --- a/programs/pluto/ikev2_ts.c +++ b/programs/pluto/ikev2_ts.c
@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, &ts_h, sizeof(ts_h), &ts_body_pbs); + if (d != NULL) { + log_diag(RC_LOG, logger, &d, "%s", ""); + return false; + } + switch (ts_h.isath_type) { case IKEv2_TS_IPV4_ADDR_RANGE: case IKEv2_TS_IPV6_ADDR_RANGE:
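Review bot: in the 4.4 to 4.9 hunk, the added `if (d != NULL)` guard after pbs_in_struct() is the right fix, since it stops v2_parse_tss() before `ts_h.isath_type` is consulted on a failed header parse, but the diagnostic is emitted with an empty context (`llog_diag(RC_LOG, logger, &d, "%s", "")`); consider a prefix such as `"%s", "traffic selector header"` so the log line says which payload was rejected. Separately, the old-file header appears as `- - --- a/programs/pluto/ikev2_ts.c`, which looks like dash-escaping from the signed e-mail; as printed here it will not be recognised by `git apply` or `patch -p1`, so readers should take the patch from the advisory URL as the text above already advises.

Review bot: the 4.2 to 4.3 hunk is identical to the 4.4 to 4.9 one except that the diagnostic call is `log_diag()` rather than `llog_diag()`, yet both patches carry the same `index 3f7519ca38..f06c40ba46` line; two different post-images cannot share a blob id, so at least one of the index lines is wrong and would mislead `git apply --3way`. Suggest regenerating this patch from the 4.2/4.3 tree or dropping the index line.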