[Swan-announce] libreswan-4.6 released to address CVE-2020-1763 [version corrected]

The Libreswan Team team at libreswan.org
Wed Jan 12 02:53:57 EET 2022


You can download libreswan via https at:

https://download.libreswan.org/libreswan-4.6.tar.gz
https://download.libreswan.org/libreswan-4.6.tar.gz.asc

The full changelog is available at: https://download.libreswan.org/CHANGES



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Release date: Wednesday, January 11, 2022
Contact: security at libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

=====================================================================
CVE-2022-23094: Malicious IKEv1 packet can cause libreswan to restart
=====================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2022-23094/

The Libreswan Project was notified by github user "MyOzCam" of an
issue with receiving a malformed IKEv1 packet that crashed their
server. A malformed packet that is being rejected triggers a logging
action that causes a NULL pointer dereference leading to a crash of
the pluto daemon.

Vulnerable versions: libreswan 4.2 - 4.5
Not vulnerable     : libreswan 3.x, 4.0, 4.1 and 4.6+

Vulnerability information
=========================
A log message added in libreswan 4.2 assumes that an IKEv1 state is
created. In certain malformed packets, libreswan will attempt to log
this but mistakenly assumes there is a state object to use to display
the state object number. Some malformed packets are caught early enough
that no state object is created. The log routine lookup then results
in a NULL pointer dereference causing the libreswan IKE daemon to crash
and restart. This can happen when receiving malformed packets from an
IKE initiator using IKEv1 Main Mode or IKEv1 Aggressive Mode.
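The pattern described above, as an added example that is not libreswan code: a packet rejected by the parser before any state object exists must be logged through a logger that does not hang off the (absent) state. The structs, the simplified ISAKMP generic-payload-header parser, the `logger_vulnerable`/`logger_fixed` selectors and the constructed packets below are all stand-ins invented for this illustration; only the `st != NULL ? st->st_logger : md->md_logger` selection mirrors the advisory's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for pluto's logger, state and message-digest objects.
 * Constructed for this example; not libreswan's real definitions. */
struct logger { const char *name; };
struct state { int st_serialno; struct logger *st_logger; };
struct msg_digest {
	const uint8_t *buf;
	size_t len;
	struct logger *md_logger;	/* per-packet logger: exists before any state does */
};

/* Simplified ISAKMP generic payload header: next payload, reserved, length (big-endian). */
struct payload_hdr { uint8_t np; uint8_t reserved; uint16_t length; };

/* Parse one generic payload header at offset off.
 * Returns NULL on success or a static diagnostic string on a malformed header. */
static const char *parse_payload(const struct msg_digest *md, size_t off, struct payload_hdr *out)
{
	if (md->len < off + 4)
		return "payload header truncated";
	out->np = md->buf[off];
	out->reserved = md->buf[off + 1];
	out->length = (uint16_t)((md->buf[off + 2] << 8) | md->buf[off + 3]);
	if (out->length < 4 || off + out->length > md->len)
		return "payload length exceeds packet";
	return NULL;
}

/* Pre-fix pattern: unconditionally dereferences st. With st == NULL this is the crash. */
static struct logger *logger_vulnerable(struct state *st, struct msg_digest *md)
{
	(void)md;
	return st->st_logger;
}

/* Fixed pattern: use the state's logger when a state exists, else the packet's logger. */
static struct logger *logger_fixed(struct state *st, struct msg_digest *md)
{
	return st != NULL ? st->st_logger : md->md_logger;
}

/* Reject malformed payloads and log the rejection via the fixed selector.
 * Returns 0 if the packet was accepted, -1 if it was rejected (and logged). */
static int process_packet(struct state *st, struct msg_digest *md, char *logbuf, size_t logsz)
{
	struct payload_hdr h;
	const char *d = parse_payload(md, 0, &h);
	if (d != NULL) {
		struct logger *lg = logger_fixed(st, md);
		snprintf(logbuf, logsz, "[%s] %s: malformed payload in packet", lg->name, d);
		return -1;
	}
	snprintf(logbuf, logsz, "[%s] payload ok, length %u", logger_fixed(st, md)->name, h.length);
	return 0;
}

/* Scenario from the advisory: malformed packet arrives before any state object exists.
 * Returns 1 when the packet is rejected and logged through md_logger without a dereference. */
static int scenario_no_state(void)
{
	static const uint8_t pkt[] = { 0x00, 0x00, 0x01, 0x00 };	/* constructed: length 256 > 4 bytes */
	struct logger md_logger = { "md" };
	struct msg_digest md = { pkt, sizeof pkt, &md_logger };
	char log[128];
	int rc = process_packet(NULL, &md, log, sizeof log);
	return (rc == -1 && strstr(log, "[md]") != NULL) ? 1 : 0;
}

/* Malformed packet after a state exists: the state's own logger is still preferred. */
static int scenario_with_state(void)
{
	static const uint8_t pkt[] = { 0x00, 0x00, 0x00, 0x02 };	/* constructed: length 2 < header size */
	struct logger md_logger = { "md" }, st_logger = { "st#7" };
	struct state st = { 7, &st_logger };
	struct msg_digest md = { pkt, sizeof pkt, &md_logger };
	char log[128];
	int rc = process_packet(&st, &md, log, sizeof log);
	return (rc == -1 && strstr(log, "[st#7]") != NULL && logger_vulnerable(&st, &md) == &st_logger) ? 1 : 0;
}

/* Well-formed header: accepted regardless of whether a state exists. */
static int scenario_well_formed(void)
{
	static const uint8_t pkt[] = { 0x00, 0x00, 0x00, 0x04 };	/* constructed: length 4 == packet size */
	struct logger md_logger = { "md" };
	struct msg_digest md = { pkt, sizeof pkt, &md_logger };
	char log[128];
	return process_packet(NULL, &md, log, sizeof log) == 0 ? 1 : 0;
}

int main(void)
{
	printf("no state: %d, with state: %d, well formed: %d\n",
	       scenario_no_state(), scenario_with_state(), scenario_well_formed());
	return 0;
}
```

The crash path is `logger_vulnerable(NULL, &md)`, which is deliberately never called here; the point is that every log call on a rejection path that can run before state creation must go through the `logger_fixed` style selection, not just the one the original report happened to hit.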


Exploitation
============
This vulnerability cannot be abused for a remote code execution or an
authentication bypass. But by continuing to send these packets, a
denial of service attack against the libreswan IKE service is possible.

Workaround
==========
If all configured connections are using IKEv2, the IKEv1 subsystem can be
disabled by adding the option ikev1-policy=drop to the "config setup"
section of ipsec.conf. Alternatively, libreswan can be compiled with
USE_IKEv1=false.

If all remote peers are on static IP addresses, a firewall rule blocking
UDP ports 500 and 4500 can be installed to prevent attackers from
sending packets to the pluto IKE daemon.

If peers appear on dynamic IP addresses and IKEv1 connections must be
supported, then no workarounds are known and libreswan must be updated
or patched.

History
=======
* 2021-12-20 Initial report via https://github.com/libreswan/libreswan/issues/585
* 2021-12-21 Issue was fixed in the git main branch
* 2022-01-11 Delayed release date to avoid holiday and end of year timing problems

Credits
=======
This vulnerability was found and reported by github user MyOzCam.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 4.6 or later.
For those who cannot upgrade, patches are provided at the above URL,
and are included for reference below.

About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).

Patches
=======
Please note that email clients might mangle the patch text included.
Please use the above advisory URL to download a proper patch file.

===============================
Patch for libreswan 4.2 or 4.3:
===============================
diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
index 4f644fd4f8..e0f3652aa9 100644
- --- a/programs/pluto/ikev1.c
+++ b/programs/pluto/ikev1.c
@@ -2097,7 +2097,9 @@ void process_packet_tail(struct msg_digest *md)
  					diag_t d = pbs_in_struct(&md->message_pbs, &isakmp_ignore_desc,
  								 &pd->payload, sizeof(pd->payload), &pd->pbs);
  					if (d != NULL) {
- -						log_diag(RC_LOG, st->st_logger, &d, "%s", "");
+						llog_diag(RC_LOG,
+							st != NULL ? st->st_logger : md->md_logger,
+							&d, "%s", "");
  						LOG_PACKET(RC_LOG_SERIOUS,
  							   "%smalformed payload in packet",
  							   excuse);
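Review bot: the `-`/`+` pair in this hunk swaps `log_diag` for `llog_diag`, so this 4.2/4.3 backport only builds if `llog_diag` with this signature exists in those trees; if it does not, keep `log_diag` and change only the logger argument to `st != NULL ? st->st_logger : md->md_logger`. The `LOG_PACKET(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse)` call two lines below sits on the same rejection path, which is now expected to run with `st == NULL`, so it should be confirmed not to depend on `st` either.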
@@ -2161,7 +2163,9 @@ void process_packet_tail(struct msg_digest *md)
  						 &pd->payload, sizeof(pd->payload),
  						 &pd->pbs);
  			if (d != NULL) {
- -				log_diag(RC_LOG, st->st_logger, &d, "%s", "");
+				llog_diag(RC_LOG,
+					st != NULL ? st->st_logger : md->md_logger,
+					&d, "%s", "");
  				LOG_PACKET(RC_LOG_SERIOUS,
  					   "%smalformed payload in packet",
  					   excuse);
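Review bot: this is the second verbatim copy of the `st != NULL ? st->st_logger : md->md_logger` selection inside `process_packet_tail`; hoisting it into one local `struct logger *logger` at the top of the function (or a small helper) would give the two rejection paths a single place to get the NULL handling right and make it harder for a later call site to repeat the original assumption. The `"%s", ""` format/argument pair is carried over unchanged from the `-` line and could be simplified at the same time.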
===============================
Patch for libreswan 4.4 or 4.5:
===============================
diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
index 9f4847874d..f7413f3594 100644
- --- a/programs/pluto/ikev1.c
+++ b/programs/pluto/ikev1.c
@@ -2103,7 +2103,9 @@ void process_packet_tail(struct msg_digest *md)
  					diag_t d = pbs_in_struct(&md->message_pbs, &isakmp_ignore_desc,
  								 &pd->payload, sizeof(pd->payload), &pd->pbs);
  					if (d != NULL) {
- -						llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
+						llog_diag(RC_LOG,
+							st != NULL ? st->st_logger : md->md_logger,
+							&d, "%s", "");
  						LOG_PACKET(RC_LOG_SERIOUS,
  							   "%smalformed payload in packet",
  							   excuse);
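Review bot: the 4.4/4.5 hunk changes only the logger argument, which addresses the dereference described in the advisory, but the patch carries no regression test or CHANGES entry for the early-rejection case; a test that feeds a malformed IKEv1 payload through this path before any state is created would catch the same assumption if it returns, and the changelog should record the CVE alongside the code change.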
@@ -2172,7 +2174,9 @@ void process_packet_tail(struct msg_digest *md)
  						 &pd->payload, sizeof(pd->payload),
  						 &pd->pbs);
  			if (d != NULL) {
- -				llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
+				llog_diag(RC_LOG,
+					st != NULL ? st->st_logger : md->md_logger,
+					&d, "%s", "");
  				LOG_PACKET(RC_LOG_SERIOUS,
  					   "%smalformed payload in packet",
  					   excuse);
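Review bot: same duplicated ternary as the first hunk of this file, with the same hoisting suggestion; in addition, the `+` lines make no check that `md->md_logger` is non-NULL, and since that fallback is now the only thing between a stateless rejection and another NULL dereference, the code should either guarantee `md_logger` is always set when a `msg_digest` is created or assert it here.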
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOmlKLfkM1mIKecfy20jS5RIkaL8FAmHdsqwACgkQ20jS5RIk
aL8Kiw//RjwIPifu7b7tGjycpsXxwcXTndT8R8fufvMCkNpXZ9ktqQXM6nyhPS9+
JzkIEc3yVOXshHPr4uKYSGEXOYEFVjUNqMp7U6jpR0iU0af+julCaovjYBVVFUtT
W5mkMK9p6wUsP19gQCjNIz1TI2EbDjp6Ybp0ivjtAVH7NfHM8L+C3Seq9FlNGxFJ
1ufcgdgVOZCmHY9YG1ao8tTU02HKbxy8e97VqvmoZN4CxgdhYxFd5OkC9ghZXIK5
JZztfOzVAZvBEFqvcj5UomLsv5/K8CYwc+N9hlNJUrDi4UrQYJUbBdhUmmU6z84/
vRN05zqORGxp/ykgeLQLZHFn4ssxBWhu/qLQtjdA1ZdAsGKcOIcOgnyTEp6Zcn83
Xbr0I17FrBbA4khXSTYTec6NBICYI3f/0j139ZSf84vpSfCtql0jzHVnhmtEyhSI
60EvdAxnDFoy/IFSgb+yo7/EEyD0+FDjfsvj6TPPw0giMv8w9SwvaG4n294rCTO5
g0iPoksCqHvk/+AVgMYgswX1koR5TYF+CL2DiCW6Nvg7mEqbmBl1PGB7CsWlaYT/
JAQWXOaMyam0niFo2GhY3zsKSWJi5xlFCki5nSk7gPVJTVXOkiG6h2+rhdb0VuIJ
eXeqh/tjvuXHOC+e+Tfx6mbbm0yapopUrOkaGibtGBrfwGv+l6c=
=EBx7
-----END PGP SIGNATURE-----