==================================================================
CVE-2024-2357: Missing PreSharedKey for connection can cause crash
==================================================================

This alert (and any updates) is available at the following URL:

https://libreswan.org/security/CVE-2024-2357

The Libreswan Project was notified of an issue causing libreswan to restart
under some IKEv2 retransmit scenarios when a connection is configured to use
PreSharedKeys (authby=secret) and the connection cannot find a matching
configured secret. When such a connection is automatically added on startup
using the auto= keyword, it can cause repeated crashes leading to a Denial of
Service.

Severity: Medium

Vulnerable versions : libreswan 4.2 - 4.12
Not vulnerable      : libreswan 4.1, 4.13+, 5.0+

Vulnerability information
=========================

When an IKEv2 state failed to find its own PreSharedKey (secret) to create the
AUTH payload in the IKE_AUTH exchange, it would omit sending a packet but would
not delete the state. When this state was referenced later, it would cause an
assertion failure, crashing and restarting the pluto daemon.

Exploitation
============

There is no known exploitation. A peer cannot cause this error to happen. Even
if they were to change their ID so that a PSK cannot be found, the connection
fails properly at an earlier state. The vulnerability can only be triggered by
a local misconfiguration.

Workaround
==========

As a workaround to prevent such a misconfiguration from causing the crash, one
can place an unguessable long random "catch all" secret in /etc/ipsec.secrets,
for example using the following command:

echo -e "# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"" >> /etc/ipsec.secrets

This will ensure a PSK secret is always found, but it will always be wrong, and
thus authentication will still properly fail.
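The one-line echo above works, but run twice it stacks a second catch-all entry, and nothing confirms the line landed in the expected shape. The following is an added example (not part of the advisory and not Libreswan Project code) that installs the same workaround idempotently and verifies it. The secrets file path is a parameter so it can be exercised against a scratch file; on a real host it would be /etc/ipsec.secrets. The marker comment text and the fallback to /dev/urandom when openssl is absent are this example's own choices.

```shell
#!/bin/sh
# Added example: idempotent install and check of the CVE-2024-2357
# "catch-all" PSK workaround for a libreswan secrets file.

# Marker comment written just before the catch-all entry (assumed, not from
# the advisory beyond the comment text it already uses).
MARKER="# CVE-2024-2357 workaround"

# 32 random bytes rendered as 64 lowercase hex characters.
# Uses openssl when present, /dev/urandom via od otherwise.
random_hex32() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# add_catchall_psk FILE
# Appends the marker and a ': PSK "<random>"' line. A leading empty index
# list before the colon makes the entry match any peer, which is why the
# secret is always found (and, being random, never correct).
# Does nothing if the marker is already present, so re-runs do not stack
# multiple catch-all secrets.
add_catchall_psk() {
    f="$1"
    if [ -f "$f" ] && grep -qF "$MARKER" "$f"; then
        return 0
    fi
    printf '%s\n: PSK "%s"\n' "$MARKER" "$(random_hex32)" >> "$f"
}

# check_catchall_psk FILE
# Exit 0 only if the file has exactly one marker and exactly one
# well-formed catch-all entry with a 64-hex-character secret.
check_catchall_psk() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(grep -cF "$MARKER" "$f")" -eq 1 ] || return 1
    [ "$(grep -Ec '^: PSK "[0-9a-f]{64}"$' "$f")" -eq 1 ]
}
```

After adding the entry on a live system, `ipsec rereadsecrets` makes the running pluto daemon load the new secret without a restart. The check function is a sanity test of this file's own content only; it does not validate the rest of ipsec.secrets.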
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f5608ad161d3a78113de39e8b2f6e437aae5b3

commit b4f5608ad161d3a78113de39e8b2f6e437aae5b3
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-04-25 05:48:47 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-04-25 05:49:04 +0000

    net-vpn/libreswan: drop 4.12

    Bug: https://bugs.gentoo.org/927472
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/Manifest              |   1 -
 net-vpn/libreswan/libreswan-4.12.ebuild | 136 --------------------------------
 2 files changed, 137 deletions(-)