CVE-2015-3204 malicious payload causing IKE daemon restart URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3204 This alert (and any possible updates) is available at the following URLs: https://libreswan.org/security/CVE-2015-3204/ The Libreswan Project was notified by Javantea <jvoss@altsci.com> of two vulnerabilities found by fuzzing IKEv1 payloads. The malicious IKE packet causes an unexpected state in the IKE daemon resulting in passert() calls terminating and restarting the IKE daemon. No remote code execution is possible. Vulnerable versions: libreswan 3.9 up to version 3.12 Not vulnerable : libreswan 3.13 and newer If you cannot upgrade to 3.13, please see the above link for a patch for this issue. Vulnerability information - -------------------------- Javantea used a custom IKE fuzzer to test libreswan and found two issues resulting in the libreswan IKE daemon to hit a passert() and restart. By setting unassigned bits of the IPSEC DOI value, an error message string would be printed with string names as bit numbers. Printing 32 of these would cause the internal buffer "bitnamesbuf" to be too small. This buffer is truncated properly in the non-vulnerable versions. A generic jam_str() function was added to these protections, but it would passert() if not given at least a buffer length of 1 (to add a NULL to terminate the string). However, the filled in string would have no more space for the additional 1 character to be added. The passert() would cause the IKE daemon to restart. By setting the next payload value to ISAKMP_NEXT_SAK (used by old Cisco VPN servers to signal NAT-Traversal payloads), the libreswan daemon would attempt to interpret this payload as a NAT-D payload. However, it did not properly do so, causing a passert() which would restart the IKE daemon. Exploitation - ------------- This denial of service can be launched by anyone using a single IKE packet. No authentication credentials are required. No remote code execution is possible through this vulnerability. Libreswan automatically restarts when it crashes. Workaround - ----------- There is no workaround. Either upgrade or use the supplied patch in the above listed resource URL.
I will commit a version bump later today.
net-misc/libreswan-3.13 has been added to the tree, and may be stabilized.
CVE-2015-3204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3204): libreswan 3.9 through 3.12 allows remote attackers to cause a denial of service (daemon restart) via an IKEv1 packet with (1) unassigned bits set in the IPSEC DOI value or (2) the next payload value set to ISAKMP_NEXT_SAK.
Arches, please stabilize: =net-misc/libreswan-3.13 Stable targets: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Vote: yes
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes Maintainer(s), please drop the vulnerable version(s).
Cleanup done. Already assigned to a GLSA.
This issue was resolved and addressed in GLSA 201603-13 at https://security.gentoo.org/glsa/201603-13 by GLSA coordinator Kristian Fiskerstrand (K_F).