Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550974 (CVE-2015-3204) - <net-misc/libreswan-3.13: Malicious payload causing IKE daemon restart (CVE-2015-3204)
Summary: <net-misc/libreswan-3.13: Malicious payload causing IKE daemon restart (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2015-3204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://libreswan.org/security/CVE-20...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-01 20:08 UTC by Mike Gilbert
Modified: 2016-03-12 23:25 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2015-06-01 20:08:23 UTC
CVE-2015-3204 malicious payload causing IKE daemon restart

URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3204

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2015-3204/

The Libreswan Project was notified by Javantea <jvoss@altsci.com> of two
vulnerabilities found by fuzzing IKEv1 payloads. The malicious IKE packet
causes an unexpected state in the IKE daemon resulting in passert() calls
terminating and restarting the IKE daemon. No remote code execution is
possible.

Vulnerable versions: libreswan 3.9 up to version 3.12
Not vulnerable     : libreswan 3.13 and newer

If you cannot upgrade to 3.13, please see the above link for a patch for
this issue.

Vulnerability information
- --------------------------

Javantea used a custom IKE fuzzer to test libreswan and found two issues
resulting in the libreswan IKE daemon to hit a passert() and restart.

By setting unassigned bits of the IPSEC DOI value, an error message
string would be printed with string names as bit numbers. Printing 32 of
these would cause the internal buffer "bitnamesbuf" to be too small. This
buffer is truncated properly in the non-vulnerable versions. A generic
jam_str() function was added to these protections, but it would passert()
if not given at least a buffer length of 1 (to add a NULL to terminate
the string). However, the filled in string would have no more space for
the additional 1 character to be added. The passert() would cause the IKE
daemon to restart.

By setting the next payload value to ISAKMP_NEXT_SAK (used by old Cisco
VPN servers to signal NAT-Traversal payloads), the libreswan daemon would
attempt to interpret this payload as a NAT-D payload. However, it did not
properly do so, causing a passert() which would restart the IKE daemon.

Exploitation
- -------------

This denial of service can be launched by anyone using a single IKE packet.
No authentication credentials are required. No remote code execution is
possible through this vulnerability. Libreswan automatically restarts when
it crashes.

Workaround
- -----------

There is no workaround. Either upgrade or use the supplied patch in the
above listed resource URL.
Comment 1 Mike Gilbert gentoo-dev 2015-06-01 20:16:56 UTC
I will commit a version bump later today.
Comment 2 Mike Gilbert gentoo-dev 2015-06-02 02:49:28 UTC
net-misc/libreswan-3.13 has been added to the tree, and may be stabilized.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-07-07 21:33:01 UTC
CVE-2015-3204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3204):
  libreswan 3.9 through 3.12 allows remote attackers to cause a denial of
  service (daemon restart) via an IKEv1 packet with (1) unassigned bits set in
  the IPSEC DOI value or (2) the next payload value set to ISAKMP_NEXT_SAK.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-07-07 21:35:39 UTC
Arches, please stabilize:
=net-misc/libreswan-3.13
Stable targets: amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-10 06:58:48 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-10 06:59:17 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:52:31 UTC
Vote: yes
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 05:08:33 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 09:23:13 UTC
Cleanup done.  Already assigned to a GLSA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:25:25 UTC
This issue was resolved and addressed in
 GLSA 201603-13 at https://security.gentoo.org/glsa/201603-13
by GLSA coordinator Kristian Fiskerstrand (K_F).