Release date: Tuesday, February 28, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

=========================================================================
CVE-2023-23009: Malicious IKEv2 TS payload can cause libreswan to restart
=========================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2023-23009/

The Libreswan Project was notified by github user "zhaodl" of an issue with receiving a malformed IKEv2 packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.

Vulnerable versions: libreswan 4.2 - 4.9
Not vulnerable     : libreswan 3.x, 4.0, 4.1 and 4.10+

Vulnerability information
=========================

A change in the libreswan 4.2 Traffic Selector parsing code removed a check that would have rejected malformed Traffic Selector payloads. Given such a payload, the code continues on with an unchecked parse result and hits a double free, leading to a crash and restart of the pluto daemon. No remote code execution is possible.

Exploitation
============

This vulnerability requires the remote peer to first have successfully authenticated with libreswan, as the vulnerable code is executed after peer authentication. Unless Opportunistic Encryption or NULL authentication connections are configured, only peers explicitly authorized to connect can cause this crash.

Workaround
==========

If malicious users are triggering this bug, these users can be prevented from further access. If X.509 certificates are used, these certificates can be revoked. Otherwise, the ikev2-authorize= option can be configured to deny these users further access.
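The defect described above is a parse result that is never checked, so the code goes on to use a Traffic Selector header it never actually read. The following added example (not libreswan code; the struct, function and constructed byte samples are this editor's) shows the fail-closed shape such a parser should have: it validates the IKEv2 TS header from RFC 7296 section 3.13.1 and refuses to hand back a half-read header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IKEv2 Traffic Selector types and fixed header size (RFC 7296, 3.13.1). */
#define TS_IPV4_ADDR_RANGE 7
#define TS_IPV6_ADDR_RANGE 8
#define TS_HEADER_LEN 8 /* type(1) proto(1) length(2) start port(2) end port(2) */
struct ts_header {
    uint8_t ts_type, ip_protocol;
    uint16_t selector_len, start_port, end_port;
};
/* Parse one selector; on any defect return false and leave *out untouched. */
static bool parse_ts(const uint8_t *buf, size_t len,
                     struct ts_header *out, size_t *consumed)
{
    if (len < TS_HEADER_LEN)
        return false; /* truncated header: the fields below would be garbage */
    struct ts_header h = {
        .ts_type = buf[0], .ip_protocol = buf[1],
        .selector_len = (uint16_t)(buf[2] << 8 | buf[3]),
        .start_port = (uint16_t)(buf[4] << 8 | buf[5]),
        .end_port = (uint16_t)(buf[6] << 8 | buf[7]),
    };
    size_t body; /* two addresses follow the header */
    switch (h.ts_type) {
    case TS_IPV4_ADDR_RANGE: body = 2 * 4; break;
    case TS_IPV6_ADDR_RANGE: body = 2 * 16; break;
    default: return false; /* unknown selector type */
    }
    if (h.selector_len != TS_HEADER_LEN + body || h.selector_len > len)
        return false; /* length field disagrees with type or with bytes present */
    if (h.start_port > h.end_port)
        return false; /* inverted port range */
    *out = h;
    *consumed = h.selector_len;
    return true;
}
/* Constructed samples: a valid IPv4 range 10.0.0.0-10.0.0.255 on any port,
 * and the same header with its address body missing. */
static const uint8_t good_ts[16] = { 7, 0, 0, 16, 0, 0, 0xff, 0xff, 10, 0, 0, 0, 10, 0, 0, 255 };
static const uint8_t truncated_ts[8] = { 7, 0, 0, 16, 0, 0, 0xff, 0xff };
static bool good_ts_parses(void) {
    struct ts_header h; size_t n;
    return parse_ts(good_ts, sizeof good_ts, &h, &n) && n == 16 && h.end_port == 0xffff;
}
static bool truncated_ts_rejected(void) {
    struct ts_header h; size_t n;
    return !parse_ts(truncated_ts, sizeof truncated_ts, &h, &n);
}
```

A caller that tests the return value, as the libreswan fix does, never reaches a switch on fields that were never filled in.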
History
=======

* 2022-12-20 Initial report via https://github.com/libreswan/libreswan/issues/954
* 2023-02-28 Release of patch and libreswan 4.10

Credits
=======

This vulnerability was found and reported by github user zhaodl.

Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.10 or later. For those who cannot upgrade, patches are provided at the above URL, and are included for reference below.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).

Patches
=======

Please note that email clients might mangle the patch text included. Please use the above advisory URL to download a proper patch file.

===============================
Patch for libreswan 4.4 to 4.9
===============================

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c index 3f7519ca38..f06c40ba46 100644 - - - --- a/programs/pluto/ikev2_ts.c +++ b/programs/pluto/ikev2_ts.c @@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, &ts_h, sizeof(ts_h), &ts_body_pbs); + if (d != NULL) { + llog_diag(RC_LOG, logger, &d, "%s", ""); + return false; + } + switch (ts_h.isath_type) { case IKEv2_TS_IPV4_ADDR_RANGE: case IKEv2_TS_IPV6_ADDR_RANGE:
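Review bot: the added `if (d != NULL)` test after `pbs_in_struct()` is the right fix, since without it `v2_parse_tss` falls through to `switch (ts_h.isath_type)` on a header that was never filled in; but `llog_diag(RC_LOG, logger, &d, "%s", "")` logs the diagnostic with an empty prefix, and a short one such as `"Traffic Selector header: "` would make the rejection much easier to find in pluto logs when deciding which peer to revoke or deny under the Workaround section. Separately, the `--- a/programs/pluto/ikev2_ts.c` file header has come through as `- - - --- a/programs/pluto/ikev2_ts.c` (PGP clear-sign dash-escape residue), so this copy will not apply with `patch -p1` or `git apply` until that line is restored; use the advisory URL for a clean patch file, as the text above already advises.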
===============================
Patch for libreswan 4.2 to 4.3
===============================

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c index 3f7519ca38..f06c40ba46 100644 - - - --- a/programs/pluto/ikev2_ts.c +++ b/programs/pluto/ikev2_ts.c @@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, &ts_h, sizeof(ts_h), &ts_body_pbs); + if (d != NULL) { + log_diag(RC_LOG, logger, &d, "%s", ""); + return false; + } + switch (ts_h.isath_type) { case IKEv2_TS_IPV4_ADDR_RANGE: case IKEv2_TS_IPV6_ADDR_RANGE:
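Review bot: this hunk differs from the 4.4 to 4.9 one only in calling `log_diag` instead of `llog_diag`, yet it carries the identical `index 3f7519ca38..f06c40ba46 100644` line, which describes the 4.4+ blobs and not a 4.2/4.3 tree; the index line should be regenerated against a 4.2 or 4.3 checkout (or dropped) so that tools that consult blob ids, such as `git apply --3way` or `git am`, are not misled. The same dash-escaped `- - - --- a/programs/pluto/ikev2_ts.c` header line as in the first patch needs restoring before the hunk will apply, and the same comment about an empty `"%s", ""` log prefix applies here.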