[Swan] [Swan-announce] libreswan-3.17 released for CVE-2016-3017 IKEv2 aes_xcbc transform causes restart of IKE daemon (fwd)

The Libreswan Project team at libreswan.org
Mon Apr 4 16:24:09 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


CVE-2016-3071: IKEv2 aes_xcbc transform causes restart of IKE daemon
https://distributedweaknessfiling.org/CVE-2016-3071
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3071

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2016-3071/

The Libreswan Project found a bug in the default proposal set for IKEv2.
This code, introduced in version 3.16, includes the AES_XCBC integrity
algorithm. It wrongly assumes that the NSS cryptographic library supports
this algorithm. As a result, the IKE daemon crashes and restarts when
the aes_xcbc transform is selected. No remote code execution is possible.

Vulnerable versions: 3.16
Not vulnerable     : 3.15 and earlier, 3.17 and later

Vulnerability information
=========================

The default IKEv2 proposal set was amended for libreswan version 3.16. It
wrongly includes the aes_xcbc transform which is not supported in the
current NSS cryptographic library. An IKEv2 negotiation resulting in
using aes_xcbc causes the IKE daemon to crash and restart.

Exploitation
============

This denial of service can be launched by anyone using a single IKE packet.
No authentication credentials are required. No remote code execution is
possible through this vulnerability. Libreswan automatically restarts when
it crashes.

Workaround
==========

Only connections that use IKEv2 with the default proposal set are
affected, as the aes_xcbc transform cannot be specified in the ike=
configuration. Setting a configuration line will cause the default
proposal set to be ignored. For example, setting ike=aes-sha2 will
prevent the crash. Care should be taken to specify an IKE algorithm
that is supported and allowed by the peer as well. Another workaround
is to require IKEv1 by setting ikev2=no.
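
A configuration audit for the two workarounds above, as an added example that is not part of the original advisory or of libreswan: it lists conn sections that set neither ike= nor ikev2=no. The sample file is constructed; treating a missing ikev2= line as IKEv2-capable is a conservative assumption, and also= includes are not followed.

```python
import re

# Constructed sample ipsec.conf (not taken from the advisory).
SAMPLE_CONF = """\
conn %default
    authby=secret

conn office
    ikev2=insist

conn pinned
    ikev2=insist
    ike=aes-sha2

conn legacy
    ikev2=no

conn implicit
    left=192.0.2.1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and raw[0] in " \t" and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return conns

def exposed_conns(text):
    """Names of conns that may negotiate IKEv2 with the default proposal set."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    exposed = []
    for name, opts in conns.items():
        merged = {**defaults, **opts}          # conn values override %default
        if merged.get("ikev2", "").lower() == "no":
            continue                           # IKEv1 required
        if merged.get("ike"):
            continue                           # explicit ike= replaces the defaults
        exposed.append(name)
    return exposed
```

Run `exposed_conns()` over the contents of each ipsec.conf on hosts still on 3.16; any name it returns needs one of the two workarounds or the upgrade.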

Patches
=======

Patches for libreswan version 3.16 and 3.17rc2 are available at:
https://libreswan.org/security/CVE-2016-3071/

The patch for 3.16 is included at the end of this advisory. Note that
email clients or web browsers might mangle the patch included with
this notice.

Credits
=======

This vulnerability was found by The Libreswan Project

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Protocol Security
(IPsec) suite and Internet Key Exchange (IKE) protocols. It is a
descendant (fork) of openswan 2.6.38.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).

=============================================================================

diff --git a/programs/pluto/spdb.c b/programs/pluto/spdb.c
index 8ec60ec..b64e466 100644
- --- a/programs/pluto/spdb.c
+++ b/programs/pluto/spdb.c
@@ -209,13 +209,6 @@ static struct db_attr otpsk1536aes128sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP1536 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
  };
- -static struct db_attr otpsk1536aes128xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = 
OAKLEY_PRESHARED_KEY },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
- -};
   static struct db_attr otpsk1536aes256sha1[] = {
  	 { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
  	 { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 },
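Review bot: Deleting otpsk1536aes128xaes here (and the sibling *xaes arrays in the following hunks) takes OAKLEY_AES_XCBC out of the default set, but nothing in this diff, which touches only programs/pluto/spdb.c, makes the daemon refuse an integrity algorithm its crypto backend cannot provide. Consider pairing this with a check at the point where a negotiated transform is accepted, so that a future table entry for an unsupported algorithm results in a rejected proposal instead of a crash.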
@@ -230,13 +223,6 @@ static struct db_attr otpsk1536aes256sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP1536 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
  };
- -static struct db_attr otpsk1536aes256xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = 
OAKLEY_PRESHARED_KEY },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
- -};

   static struct db_attr otpsk2048aes128sha1[] = {
  	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
@@ -252,13 +238,6 @@ static struct db_attr otpsk2048aes128sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
  };
- -static struct db_attr otpsk2048aes128xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = 
OAKLEY_PRESHARED_KEY },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
- -};
   static struct db_attr otpsk2048aes256sha1[] = {
  	 { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
  	 { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 },
@@ -273,13 +252,6 @@ static struct db_attr otpsk2048aes256sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
  };
- -static struct db_attr otpsk2048aes256xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = 
OAKLEY_PRESHARED_KEY },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
- -};

   static struct db_attr otpsk2048aes16gcm128sha1[] = {
  	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 
},
@@ -552,13 +524,6 @@ static struct db_attr otnull2048aes128sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
  };
- -static struct db_attr otnull2048aes128xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_AUTH_NULL 
},
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
- -};
   static struct db_attr otnull2048aes256sha1[] = {
  	 { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
  	 { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 },
@@ -573,13 +538,6 @@ static struct db_attr otnull2048aes256sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
  };
- -static struct db_attr otnull2048aes256xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_AUTH_NULL 
},
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
- -};

   static struct db_attr otnull2048aes16gcm128sha1[] = {
  	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 
},
@@ -751,13 +709,6 @@ static struct db_attr otrsasig1536aes128sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP1536 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
  };
- -static struct db_attr otrsasig1536aes128xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
- -};
   static struct db_attr otrsasig1536aes256sha1[] = {
  	 { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
  	 { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 },
@@ -772,13 +723,6 @@ static struct db_attr otrsasig1536aes256sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP1536 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
  };
- -static struct db_attr otrsasig1536aes256xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP1536 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
- -};

   static struct db_attr otrsasig2048aes128sha1[] = {
  	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
@@ -794,13 +738,6 @@ static struct db_attr otrsasig2048aes128sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
  };
- -static struct db_attr otrsasig2048aes128xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 128 },
- -};
   static struct db_attr otrsasig2048aes256sha1[] = {
  	 { .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
  	 { .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_SHA1 },
@@ -815,13 +752,6 @@ static struct db_attr otrsasig2048aes256sha2[] = {
  	 { .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val =
  	 OAKLEY_GROUP_MODP2048 },
  	 { .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
  };
- -static struct db_attr otrsasig2048aes256xaes[] = {
- -	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_CBC },
- -	{ .type.oakley = OAKLEY_HASH_ALGORITHM, .val = OAKLEY_AES_XCBC },
- -	{ .type.oakley = OAKLEY_AUTHENTICATION_METHOD, .val = OAKLEY_RSA_SIG },
- -	{ .type.oakley = OAKLEY_GROUP_DESCRIPTION, .val = OAKLEY_GROUP_MODP2048 
},
- -	{ .type.oakley = OAKLEY_KEY_LENGTH, .val = 256 },
- -};

   static struct db_attr otrsasig2048aes16gcm128sha1[] = {
  	{ .type.oakley = OAKLEY_ENCRYPTION_ALGORITHM, .val = OAKLEY_AES_GCM_16 
},
@@ -1476,27 +1406,23 @@ static struct db_trans IKEv2_oakley_trans_psk[] = {
  	 /*
  	  * IKEv2 proposal #2:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otpsk1536aes256sha1) },
  	 { AD_TR(KEY_IKE, otpsk1536aes256sha2) },
- -	{ AD_TR(KEY_IKE, otpsk1536aes256xaes) },
  	 { AD_TR(KEY_IKE, otpsk2048aes256sha1) },
  	 { AD_TR(KEY_IKE, otpsk2048aes256sha2) },
- -	{ AD_TR(KEY_IKE, otpsk2048aes256xaes) },
  	 /*
  	  * IKEv2 proposal #3:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otpsk1536aes128sha1) },
  	 { AD_TR(KEY_IKE, otpsk1536aes128sha2) },
- -	{ AD_TR(KEY_IKE, otpsk1536aes128xaes) },
  	 { AD_TR(KEY_IKE, otpsk2048aes128sha1) },
  	 { AD_TR(KEY_IKE, otpsk2048aes128sha2) },
- -	{ AD_TR(KEY_IKE, otpsk2048aes128xaes) },
   };

  static struct db_trans IKEv2_oakley_trans_null[] = {
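Review bot: The comment for "IKEv2 proposal #3" in IKEv2_oakley_trans_psk still reads AES_CBC[256], yet the entries under it are the aes128 tables (otpsk1536aes128sha1 and so on). Since this hunk already edits the next line of that comment, change it to AES_CBC[128] here; the same text appears in the _null, _rsasig and _pskrsasig tables below.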
@@ -1529,21 +1455,19 @@ static struct db_trans IKEv2_oakley_trans_null[] = {
  	 /*
  	  * IKEv2 proposal #2:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otnull2048aes256sha1) },
  	 { AD_TR(KEY_IKE, otnull2048aes256sha2) },
- -	{ AD_TR(KEY_IKE, otnull2048aes256xaes) },
  	 /*
  	  * IKEv2 proposal #3:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otnull2048aes128sha1) },
  	 { AD_TR(KEY_IKE, otnull2048aes128sha2) },
- -	{ AD_TR(KEY_IKE, otnull2048aes128xaes) },
   };

  static struct db_trans IKEv2_oakley_trans_rsasig[] = {
@@ -1576,27 +1500,23 @@ static struct db_trans IKEv2_oakley_trans_rsasig[] = {
  	 /*
  	  * IKEv2 proposal #2:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otrsasig1536aes256sha1) },
  	 { AD_TR(KEY_IKE, otrsasig1536aes256sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig1536aes256xaes) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes256sha1) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes256sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig2048aes256xaes) },
  	 /*
  	  * IKEv2 proposal #3:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otrsasig1536aes128sha1) },
  	 { AD_TR(KEY_IKE, otrsasig1536aes128sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig1536aes128xaes) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes128sha1) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes128sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig2048aes128xaes) },
   };

  /* In this table, either PSK or RSA sig is accepted.
@@ -1647,39 +1567,31 @@ static struct db_trans IKEv2_oakley_trans_pskrsasig[] = 
{
  	 /*
  	  * IKEv2 proposal #2:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otrsasig1536aes256sha1) },
  	 { AD_TR(KEY_IKE, otpsk1536aes256sha1) },
  	 { AD_TR(KEY_IKE, otrsasig1536aes256sha2) },
  	 { AD_TR(KEY_IKE, otpsk1536aes256sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig1536aes256xaes) },
- -	{ AD_TR(KEY_IKE, otpsk1536aes256xaes) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes256sha1) },
  	 { AD_TR(KEY_IKE, otpsk2048aes256sha1) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes256sha2) },
  	 { AD_TR(KEY_IKE, otpsk2048aes256sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig2048aes256xaes) },
- -	{ AD_TR(KEY_IKE, otpsk2048aes256xaes) },
  	 /*
  	  * IKEv2 proposal #3:
  	  * AES_CBC[256]
- -	 * SHA1, SHA2_256, AES_XCBC
+	 * SHA1, SHA2_256
  	  * MODP1536, MODP2048
  	  */
  	 { AD_TR(KEY_IKE, otrsasig1536aes128sha1) },
  	 { AD_TR(KEY_IKE, otpsk1536aes128sha1) },
  	 { AD_TR(KEY_IKE, otrsasig1536aes128sha2) },
  	 { AD_TR(KEY_IKE, otpsk1536aes128sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig1536aes128xaes) },
- -	{ AD_TR(KEY_IKE, otpsk1536aes128xaes) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes128sha1) },
  	 { AD_TR(KEY_IKE, otpsk2048aes128sha1) },
  	 { AD_TR(KEY_IKE, otrsasig2048aes128sha2) },
  	 { AD_TR(KEY_IKE, otpsk2048aes128sha2) },
- -	{ AD_TR(KEY_IKE, otrsasig2048aes128xaes) },
- -	{ AD_TR(KEY_IKE, otpsk2048aes128xaes) },
   };

  /*
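Review bot: IKEv2_oakley_trans_pskrsasig repeats by hand the otrsasig* and otpsk* entries already listed in IKEv2_oakley_trans_rsasig and IKEv2_oakley_trans_psk, so the eight *xaes removals in this hunk duplicate removals made in those two tables. Worth a follow-up that builds the combined table from the two single-method lists, so a proposal change cannot be applied to one table and missed in another.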
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
_______________________________________________
Swan-announce mailing list
Swan-announce at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-announce