Bug 831042 (CVE-2022-23094)

Description Sam James 2022-01-12 00:58:44 UTC

https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt:

```
The Libreswan Project was notified by github user "MyOzCam" of an
issue with receiveing a malformed IKEv1 packet that crashed their
server. A malformed packet that is being rejected triggers a logging
action that causes a NULL pointer dereference leading to a crash of
the pluto daemon.

Vulnerable versions: libreswan 4.2 - 4.5
Not vulnerable     : libreswan 3.x, 4.0, 4.1 and 4.6+

Vulnerability information
=========================
A log message added in libreswan 4.2 assumes that an IKEv1 state is
created. In certain malformed packets, libreswan will attempt to log
this but mistakenly assumes there is a state object to use to display
the state object number. Some malformed packets are caught early enough
that no state object is created. The log routine lookup then results
in a NULL pointer dereference causing the libreswan IKE daemon to crash
and restart. This can happen when receiving malformed packets from an
IKE initiator using IKEv1 Main Mode or IKEv1 Aggressive Mode.


Exploitation
============
This vulnerability cannot be abused for a remote code execution or an
authentication bypass. But by continuing to send these packets, a
denial of service attack against the libreswan IKE service is possible.
```