
Bug 927472 (CVE-2024-2357)

Summary: <net-vpn/libreswan-4.14: Missing PreSharedKey for connection can cause crash
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: graaff
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://libreswan.org/security/CVE-2024-2357/
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 927569
Bug Blocks:

Description Hans de Graaff gentoo-dev Security 2024-03-22 07:01:38 UTC
==================================================================
CVE-2024-2357: Missing PreSharedKey for connection can cause crash 
==================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2024-2357

The Libreswan Project was notified of an issue causing libreswan to restart
under some IKEv2 retransmit scenarios when a connection is configured to use
PreSharedKeys (authby=secret) and the connection cannot find a matching
configured secret. When such a connection is automatically added on startup
using the auto= keyword, it can cause repeated crashes leading to a Denial
of Service.

Severity: Medium
Vulnerable versions : libreswan 4.2 - 4.12
Not vulnerable      : libreswan 4.1,  4.13+, 5.0+

Vulnerability information
=========================
When an IKEv2 state would fail to find its own PreSharedKey (secret) to create
the AUTH payload in the IKE_AUTH Exchange, it would omit sending a packet, but
would not delete the state. When this state is referenced later, it would cause
an assertion failure and crash and restart the pluto daemon.

Exploitation
============
There is no known exploitation. A peer cannot cause this error to happen. Even
if they changed their ID so that a PSK cannot be found, the connection fails properly
at an earlier state. The vulnerability can only be triggered by a misconfiguration
locally.

Workaround
==========
As a workaround to prevent such a misconfiguration from causing the crash, one can
place an unguessable long random "catch all" secret in /etc/ipsec.secrets, for
example using the following command:

    echo -e "# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"" >> /etc/ipsec.secrets

This will ensure a PSK secret is always found, but it will always be wrong, and
thus authentication will still properly fail.
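The advisory's one-liner appends a catch-all line every time it is run. The script below is an added example (not from the advisory, the Gentoo bug, or the libreswan project) that checks an ipsec.secrets file for an existing catch-all `: PSK` entry and appends one only when it is missing; it falls back to /dev/urandom when openssl is absent, and the demo file path and per-peer sample line are constructed assumptions.

```shell
#!/bin/sh
# Added example: idempotent CVE-2024-2357 catch-all PSK workaround.
# Not the advisory's or libreswan's own code; file path below is a constructed demo.

# Return 0 if the file already has a catch-all PSK line, i.e. a line whose
# selector part is empty (starts with ':' followed by 'PSK').
has_catchall_psk() {
    file="$1"
    [ -f "$file" ] || return 1
    grep -Eq '^[[:space:]]*:[[:space:]]+PSK[[:space:]]' "$file"
}

# 32 random bytes as hex: prefer openssl (as in the advisory), else od on /dev/urandom.
random_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Append the catch-all secret unless one is present; prints "added" or "present".
ensure_catchall_psk() {
    file="$1"
    if has_catchall_psk "$file"; then
        echo "present"
        return 0
    fi
    printf '# CVE-2024-2357 workaround\n: PSK "%s"\n' "$(random_hex32)" >> "$file"
    echo "added"
}

# Demo on a constructed sample file, never on the live /etc/ipsec.secrets.
demo_file="${TMPDIR:-/tmp}/ipsec.secrets.demo.$$"
printf '%s\n' '@left @right : PSK "example-per-peer-secret"' > "$demo_file"
ensure_catchall_psk "$demo_file"   # first run: added
ensure_catchall_psk "$demo_file"   # second run: present
rm -f "$demo_file"
```

Run `ensure_catchall_psk /etc/ipsec.secrets` as root to apply the advisory's workaround without stacking duplicate entries; the per-peer `@left @right` line is deliberately not matched, since only the empty-selector line acts as the catch-all.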
Comment 1 Larry the Git Cow gentoo-dev 2024-04-25 05:49:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f5608ad161d3a78113de39e8b2f6e437aae5b3

commit b4f5608ad161d3a78113de39e8b2f6e437aae5b3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-04-25 05:48:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-04-25 05:49:04 +0000

    net-vpn/libreswan: drop 4.12
    
    Bug: https://bugs.gentoo.org/927472
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/Manifest              |   1 -
 net-vpn/libreswan/libreswan-4.12.ebuild | 136 --------------------------------
 2 files changed, 137 deletions(-)