-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Release date: Monday, August 8, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart
===========================================================================

This alert (and any patch files and updates) is available at:
https://libreswan.org/security/CVE-2023-38711/

The Libreswan Project was notified by "X1AOxiang" of an issue with receiving
a malformed IKEv1 Quick Mode packet which would cause a crash and restart of
the libreswan pluto daemon. When sent continuously, this could lead to a
denial of service attack.

Severity: Medium
Vulnerable versions : libreswan 4.6 - 4.11
Not vulnerable      : libreswan 3.0 - 4.5, 4.12+

Vulnerability information
=========================

When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or
ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a null pointer
dereference causes a crash and restart of the pluto daemon.

Exploitation
============

IKEv1 Quick Mode requests are only processed when received from
authenticated peers, limiting the scope of possible attackers to peers who
have successfully authenticated.

Workaround
==========

There is no workaround, although in general IKEv1 users are recommended to
migrate to IKEv2 (see also RFC 9395: Deprecation of IKE Version 1). Please
apply the supplied patches or upgrade.

History
=======

* 2021-10-09 Vulnerable code introduced in libreswan 4.6
* 2023-06-18 Report received via https://github.com/libreswan/libreswan/issues/1172
* 2023-07-19 Prerelease of CVE notification and patches to support customers
* 2023-08-04 Updated patch based on feedback by Wolfgang Nothdurft
* 2023-08-04 Release of patch and libreswan 4.12

Credits
=======

This vulnerability was found and reported by X1AOxiang.
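The null pointer dereference described under "Vulnerability information" is an instance of a common bug class: a handler trusts the ID type the connection was configured with and never checks the ID type the peer actually sent. The C illustration below is added here and is not libreswan's code; the structures, function names and sample addresses are hypothetical and constructed. It places the unchecked pattern next to a hardened check that rejects an IDcr whose type does not match the configured ID_IPV4_ADDR or ID_IPV6_ADDR before anything type-specific is dereferenced, so a malformed payload is answered and dropped instead of taking the daemon down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ID types as numbered in the IPsec DOI (RFC 2407, section 4.6.2.1). */
enum id_type {
    ID_IPV4_ADDR = 1,
    ID_FQDN      = 2,
    ID_IPV6_ADDR = 5
};

/* Decoded IDcr payload (hypothetical layout): only the field matching
 * 'type' is populated, the other one is NULL. */
struct id_payload {
    enum id_type   type;
    const uint8_t *addr;  /* 4 or 16 raw bytes for the address types */
    const char    *fqdn;  /* NUL-terminated name for ID_FQDN */
};

/* Locally configured connection (hypothetical layout): the ID type the
 * peer is expected to present and the address it must match. */
struct connection {
    enum id_type expected_peer_id_type;
    uint8_t      peer_addr[16];
    size_t       peer_addr_len;
};

/* Vulnerable pattern: assumes the peer's IDcr carries an address because the
 * connection was configured for one. For ID_FQDN, id->addr is NULL and
 * memcmp() dereferences it, crashing the whole process.
 * Returns 1 on match, 0 on mismatch. */
static int quick_mode_id_check_vulnerable(const struct connection *c,
                                          const struct id_payload *id)
{
    return memcmp(c->peer_addr, id->addr, c->peer_addr_len) == 0;
}

/* Hardened pattern: validate the received ID type against the configured one
 * before touching any type-specific field. Returns 1 on match, 0 on address
 * mismatch, and -1 for an unacceptable payload, which the caller should
 * answer with an INVALID-ID-INFORMATION notification and drop. */
static int quick_mode_id_check_hardened(const struct connection *c,
                                        const struct id_payload *id)
{
    if (id->type != c->expected_peer_id_type)
        return -1;  /* peer sent a different ID type than configured */
    if (id->type != ID_IPV4_ADDR && id->type != ID_IPV6_ADDR)
        return -1;  /* this handler only deals with address IDs */
    if (id->type == ID_IPV4_ADDR && c->peer_addr_len != 4)
        return -1;  /* configured length inconsistent with the type */
    if (id->type == ID_IPV6_ADDR && c->peer_addr_len != 16)
        return -1;
    if (id->addr == NULL)
        return -1;  /* malformed payload: type says address, none present */
    return memcmp(c->peer_addr, id->addr, c->peer_addr_len) == 0;
}

/* Constructed sample data (documentation addresses, not captured traffic). */
static const struct connection kConn4 = { ID_IPV4_ADDR, {192, 0, 2, 1}, 4 };
static const struct connection kConn6 = {
    ID_IPV6_ADDR,
    {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, 16
};
static const uint8_t kPeer4[4]   = {192, 0, 2, 1};
static const uint8_t kOther4[4]  = {192, 0, 2, 2};
static const uint8_t kPeer6[16]  = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                    0, 0, 0, 0, 0, 0, 0, 1};
static const struct id_payload kGoodV4  = { ID_IPV4_ADDR, kPeer4,  NULL };
static const struct id_payload kWrongV4 = { ID_IPV4_ADDR, kOther4, NULL };
static const struct id_payload kGoodV6  = { ID_IPV6_ADDR, kPeer6,  NULL };
static const struct id_payload kFqdn    = { ID_FQDN, NULL, "vpn.example.test" };

int main(void)
{
    printf("v4 conn, v4 ID   : %d\n", quick_mode_id_check_hardened(&kConn4, &kGoodV4));
    printf("v4 conn, FQDN ID : %d\n", quick_mode_id_check_hardened(&kConn4, &kFqdn));
    printf("v6 conn, v4 ID   : %d\n", quick_mode_id_check_hardened(&kConn6, &kGoodV4));
    printf("v4 conn, other v4: %d\n", quick_mode_id_check_hardened(&kConn4, &kWrongV4));
    /* quick_mode_id_check_vulnerable(&kConn4, &kFqdn) would dereference NULL */
    return 0;
}
```

The hardened check goes slightly beyond the advisory's FQDN case: any ID type other than the configured one, including an IPv4 ID against an IPv6 connection, is rejected the same way, since the comparison only makes sense when the types agree. Rejecting with a notification rather than asserting keeps a single authenticated-but-misbehaving peer from restarting the daemon for every other tunnel on the gateway.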
Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.12 or later.
For those who cannot upgrade, patches are provided at the above URL.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan
2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong
cryptography to provide both authentication and encryption services. These
services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec
gateway machine, and decrypted by the gateway at the other end of the tunnel.
The resulting tunnel is a virtual private network (VPN).

Patches
=======

Due to the size of the patch, it is not included inline in this advisory, but
is available at https://libreswan.org/security/CVE-2023-38711/

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmTSX8gTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+SdTEACYUizdfsBAKE1nJ4f27K7gSxtbMn9c
l36do39RFVIbVQb6NiQ3jGVwCRXSizwJTw4iVB4OyoW2AXRd9mYPSrDfmT5VYcEy
3xViYELlvsoCc7CNDJEMbcYPRU9SWsKgoe/j6NcfYvHlDUZOZjgRomIUJW6X7gC0
k5HkksOaQ/eJnAObA+e7CAQ5BnvOQ55RFK9pIxGZVc95lpiSv21m4kw7YNyPefBE
ncKVic5c5ayoqC9AQA8IMPH+6SOlMAz88mlOJLHv0foM+1an83fUn2VclRZwCY0A
xshF6aYZ9754iJzDD/Abujk4D+JCBsE/JhKQ4hIotezq2gWxAxYcR2/FQJEkpkFP
kwUcCL0NKCM/TxMkpHwizPe8NO5f1+cMDCDXM/ia220BArUK0eS0+MOfzhks3PB0
dylfKDLPguYtvJbFXjLSGPSajl1S3i5TGNW6U9532ZinNKZ5/2NCfZumT1K9ZvW9
eYLI1Hb8rSV/FIXIX8B4NlZqmHib+FaBufumVMvCir3qjP8nl7dXpTpA5zeKzhwK
f9EVi2/gu8l9pR7ROrnzGKvdlJCAkDEmlMOd3iB9mHpx1R273IB2E9TfRn/inkYk
JEAuLrEvvQC2bAC1tu5XgcJpTjFXht89WPn42PmaCkrynMzRjwloiusEIjFJn9Bx
+Fq1XnOpumzZzg==
=GT/f
-----END PGP SIGNATURE-----