Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927472 (CVE-2024-2357) - <net-vpn/libreswan-4.14: Missing PreSharedKey for connection can cause crash
Summary: <net-vpn/libreswan-4.14: Missing PreSharedKey for connection can cause crash
Status: CONFIRMED
Alias: CVE-2024-2357
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://libreswan.org/security/CVE-20...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 927569
Blocks:
  Show dependency tree
 
Reported: 2024-03-22 07:01 UTC by Hans de Graaff
Modified: 2024-04-25 05:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2024-03-22 07:01:38 UTC
==================================================================
CVE-2024-2357: Missing PreSharedKey for connection can cause crash 
==================================================================

This alert (and any updates) are available at the following URLs:
https://libreswan.org/security/CVE-2024-2357

The Libreswan Project was notified of an issue causing libreswan to restart
under some IKEv2 retransmit scenarios when a connection is configured to use
PreSharedKeys (authby=secret) and the connection cannot find a matching
configured secret. When such a connection is automatically added on startup
using the auto= keyword, it can cause repeated crashes leading to a Denial
of Service.

Severity: Medium
Vulnerable versions : libreswan 4.2 - 4.12
Not vulnerable      : libreswan 4.1,  4.13+, 5.0+

Vulnerability information
=========================
When an IKEv2 state would fail to find its own PreSharedKey (secret) to create
the AUTH payload in the IKE_AUTH Exchange, it would omit sending a packet, but
would not delete the state. When this state is referenced later, it would cause
an assertion failure and crash and restart the pluto daemon.

Exploitation
============
There is no known exploitation. A peer cannot cause this error to happen. Even
if they would change their ID so a PSK cannot found, the connection fail properly
at an earlier state. The vulnerability can only be triggered by a misconfiguration
locally.

Workaround
==========
As a workaround to prevent such a misconfiguration from causing the crash, one can
place an unguessable long random "catch all" secret in /etc/ipsec.secrets, for
example using the following command:

    echo -e "# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"" >> /etc/ipsec.secrets

This will ensure a PSK secret is always found, but it will always be wrong, and
thus authentication will still properly fail.
Comment 1 Larry the Git Cow gentoo-dev 2024-04-25 05:49:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f5608ad161d3a78113de39e8b2f6e437aae5b3

commit b4f5608ad161d3a78113de39e8b2f6e437aae5b3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-04-25 05:48:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-04-25 05:49:04 +0000

    net-vpn/libreswan: drop 4.12
    
    Bug: https://bugs.gentoo.org/927472
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/Manifest              |   1 -
 net-vpn/libreswan/libreswan-4.12.ebuild | 136 --------------------------------
 2 files changed, 137 deletions(-)