-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Release date: Monday, August 8, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart
===========================================================================

This alert (and any updates) is available at the following URL:

https://libreswan.org/security/CVE-2023-38712/

The Libreswan Project was notified by "X1AOxiang" of an issue where receiving
a malformed IKEv1 Delete/Notify packet would cause a crash and restart of the
libreswan pluto daemon. When such packets are sent continuously, this could
lead to a denial of service attack.

Severity: Medium
Vulnerable versions : libreswan 3.00 - 4.11
Not vulnerable      : libreswan 4.12+

Vulnerability information
=========================

When an IKEv1 ISAKMP SA Informational Exchange packet contains a
Delete/Notify payload followed by further Notifies that act on the ISAKMP
SA, such as a duplicated Delete/Notify message, a null pointer dereference
on the deleted state causes the pluto daemon to crash and restart.

Exploitation
============

IKEv1 Delete/Notify requests are only processed when received from
authenticated peers, limiting the scope of possible attackers to peers who
have successfully authenticated.

Workaround
==========

There are no workarounds; please apply the supplied patches or upgrade.

History
=======

* 2013       Vulnerable code was present in the first release of libreswan,
             3.0 (likely the same vulnerability exists in all openswan versions)
* 2023-06-07 Report received via Red Hat
* 2023-07-19 Prerelease of CVE notification and patches to support customers
* 2023-08-04 Release of patch and libreswan 4.12

Credits
=======

This vulnerability was found and reported by X1AOxiang to Red Hat. Thanks to
Daiki Ueno for contacting the Libreswan Project.
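The following is an added illustration, not libreswan's own code (the real fix is in the patches linked above). It is a simplified C model of the payload loop described under "Vulnerability information": a Delete for the ISAKMP SA removes the state, and the hardened loop checks for that before dispatching any later payload of the same exchange, so a duplicated Delete or a trailing Notify is dropped rather than dereferenced against freed state. All type and function names (struct isakmp_sa, process_informational, and so on) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of an IKEv1 ISAKMP SA and the payloads of an Informational
 * Exchange. Illustrative types only, not libreswan's data structures. */
enum payload_type { PAYLOAD_NOTIFY, PAYLOAD_DELETE };
enum protocol_id  { PROTO_ISAKMP, PROTO_IPSEC_ESP };

struct payload {
    enum payload_type type;
    enum protocol_id  protocol;     /* which SA the payload acts on */
};

struct isakmp_sa {
    unsigned notifies_seen;         /* stand-in for state the handlers touch */
    unsigned child_deletes_seen;
};

enum result { RESULT_NO_SA, RESULT_PROCESSED_ALL, RESULT_ISAKMP_SA_DELETED };

struct isakmp_sa *new_isakmp_sa(void)
{
    return calloc(1, sizeof(struct isakmp_sa));
}

/* Tear down the ISAKMP SA and null the owner's pointer so that nothing later
 * in the same exchange can reach the freed state. */
static void delete_isakmp_sa(struct isakmp_sa **sa)
{
    free(*sa);
    *sa = NULL;
}

/* Hardened processing loop: a payload is dispatched only while the ISAKMP SA
 * still exists. A Delete for the ISAKMP SA ends processing of the exchange.
 * The defective pattern is the same loop without the NULL check at the top of
 * each iteration: after the first Delete it would keep going and dereference
 * *sa (now NULL) for the duplicated Delete or the trailing Notify. */
enum result process_informational(struct isakmp_sa **sa,
                                  const struct payload *payloads, size_t n)
{
    if (*sa == NULL)
        return RESULT_NO_SA;

    for (size_t i = 0; i < n; i++) {
        const struct payload *p = &payloads[i];

        if (*sa == NULL)
            return RESULT_ISAKMP_SA_DELETED;  /* remaining payloads are dropped */

        switch (p->type) {
        case PAYLOAD_DELETE:
            if (p->protocol == PROTO_ISAKMP)
                delete_isakmp_sa(sa);          /* the SA itself: *sa becomes NULL */
            else
                (*sa)->child_deletes_seen++;  /* a child SA: parent state survives */
            break;
        case PAYLOAD_NOTIFY:
            (*sa)->notifies_seen++;
            break;
        }
    }
    return *sa == NULL ? RESULT_ISAKMP_SA_DELETED : RESULT_PROCESSED_ALL;
}

/* Constructed scenario matching the advisory: a Delete for the ISAKMP SA
 * followed by a duplicated Delete and a Notify acting on the same SA.
 * Returns true when the exchange is handled without touching freed state. */
bool survives_repeat_delete(void)
{
    struct isakmp_sa *sa = new_isakmp_sa();
    const struct payload exchange[] = {
        { PAYLOAD_DELETE, PROTO_ISAKMP },
        { PAYLOAD_DELETE, PROTO_ISAKMP },    /* duplicated Delete */
        { PAYLOAD_NOTIFY, PROTO_ISAKMP },    /* further Notify on deleted SA */
    };
    enum result r = process_informational(&sa, exchange, 3);
    return r == RESULT_ISAKMP_SA_DELETED && sa == NULL;
}

/* Constructed normal exchange: a Notify plus a Delete for a child (ESP) SA
 * leaves the ISAKMP SA in place. Returns the Notify count on the surviving SA. */
unsigned normal_exchange_notifies(void)
{
    struct isakmp_sa *sa = new_isakmp_sa();
    const struct payload exchange[] = {
        { PAYLOAD_NOTIFY, PROTO_ISAKMP },
        { PAYLOAD_DELETE, PROTO_IPSEC_ESP },
    };
    enum result r = process_informational(&sa, exchange, 2);
    unsigned seen = (r == RESULT_PROCESSED_ALL && sa != NULL) ? sa->notifies_seen : 0;
    free(sa);
    return seen;
}
```

The check is placed at the top of each iteration rather than only after the Delete case so that any future payload type added to the switch inherits the protection; the owner's pointer is nulled inside delete_isakmp_sa() so a stale copy cannot survive the deletion.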
Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.12 or later.
For those who cannot upgrade, patches are provided at the above URL.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses
strong cryptography to provide both authentication and encryption services.
These services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec
gateway machine, and decrypted by the gateway at the other end of the tunnel.
The resulting tunnel is a virtual private network (VPN).

Patches
=======

Due to the size of the patches, they are not included inline in this
advisory, but are available at https://libreswan.org/security/CVE-2023-38712/

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmTSX8oTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+QjiD/950OBx2TE+459l7QssQ/hYE4v9Nree
nbY89oQr6MKB1tKSBvKtutrV4IofVE641v2g0fRYTMgKQ4WjaZbKh3H7Fwjzgezo
2o7+DLToDXhYWrmNqspICxY5YcR/kDW38kOC8t/eTcPdu8nLXeVxMv4bPrxN/G/L
e1U8yEXyNBy25FDQzvPKwYROYMmLPW08lAPwLhdvx+iVDboptG7VxOI1NwaCXSv0
b+uTtnnKEqzUBZwYVDFJL5m0T4916ZeYHuGbCBs+mmK8bwzI2kcUJ66AqQ0mkgAR
Tq/rtrd4JyAvFtG2ECSJbFPn6siCIMMQN2/1o1Art4x7SirA3NKlnzN0KJrWW5/c
Zd5evLHf98mO5KkDYZzoXZZJoGUV458Kko1FSXKDllKUuXSEFV5nBFa6K5CVmWZ7
gn7WU494IkO/9LlAlR9wxqTcTSCzb6911R4y+DhmF1VctvGf7tsGM/WQ+Unlmxyx
StKKx9yUglRPe8Y3gfJeCGsj+d6TtIkwkKP0HBxlotBRbdK18t0W+R1LXLbozXWD
FSgE2/ZWLU96XXXRIl9DHsZAVLEjImKJZd1nb1RQIajTmL04nW9dRN5B536xKWWn
gMYhy3f6nAWxPtA95RV4VKJQESh/2eYIFqiyuNLjPFopI+gnXS58/n400ULd7+CJ
s0izNTMPKfW7nA==
=tMv+
-----END PGP SIGNATURE-----