Release date: Monday Jul 25, 2016

CVE-2016-5391 IKEv2 bogus proposal lacking DH transform causes restart

URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5391

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2016-5391/

The Libreswan Project has found a vulnerability in processing IKEv2 proposals that miss a Diffie-Hellman transform for the IKE SA. A NULL pointer dereference causes the pluto IKE daemon to crash and restart. No remote code execution is possible.

Vulnerable versions: libreswan 3.17
Not vulnerable : all other versions of libreswan

If you cannot upgrade to 3.18, please see the above link for a patch for this issue.

Vulnerability information
=========================
The IKE SA negotiation requires a Diffie-Hellman group to be agreed upon. This payload is mandatory for all IKE SA proposals during the IKE_INIT Exchange Type. It is only optional for the CREATE_CHILD_SA Exchange Type, where PFS is optional.

Libreswan version 3.17 does not properly reject a proposal in IKE_INIT Exchange that lacks a Diffie-Hellman group. It dereferences a NULL pointer causing a crash and restart.

Exploitation
============
A denial of service can be launched by anyone repeatedly sending such IKE packets. No authentication credentials are required. No remote code execution is possible through this vulnerability. Libreswan automatically restarts when it crashes.

Workaround
==========
There is no workaround. Either upgrade or use the supplied patch in the above listed resource URL.

Credits
=======
This vulnerability was found by the Libreswan Project when performing interop tests with strongswan version 5.4.0 which can transmit these bogus proposals. It has been assigned strongSwan issue #2051
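
The check the advisory describes, as an added example (not libreswan's code or its patch): a proposal without a DH transform is rejected for an IKE SA and accepted without PFS for a child SA, and a failed group lookup is never dereferenced. The struct layout, function names, the two-entry group table and the sample proposals are assumptions made for illustration; transform type numbers follow RFC 7296.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Transform types from RFC 7296 section 3.3.2. */
enum { T_ENCR = 1, T_PRF = 2, T_INTEG = 3, T_DH = 4, T_ESN = 5 };

/* Hypothetical, simplified types; not libreswan's structures. */
struct transform { int type, id; };
struct proposal { const struct transform *t; size_t n; };
struct dh_group { int id; int ke_bytes; };

/* Assumed supported groups: 14 (2048-bit MODP) and 19 (256-bit ECP). */
static const struct dh_group groups[] = { { 14, 256 }, { 19, 64 } };

static const struct dh_group *lookup_group(int id)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (groups[i].id == id)
            return &groups[i];
    return NULL;
}

/* Returns the KE length in bytes, 0 for "accepted without PFS", -1 for reject. */
int check_proposal(const struct proposal *p, bool ike_sa)
{
    const struct transform *dh = NULL;
    for (size_t i = 0; i < p->n && dh == NULL; i++)
        if (p->t[i].type == T_DH)
            dh = &p->t[i];
    if (dh == NULL || dh->id == 0)   /* no DH transform, or group NONE */
        return ike_sa ? -1 : 0;      /* mandatory for IKE SA, optional for child SA */
    const struct dh_group *g = lookup_group(dh->id);
    return g ? g->ke_bytes : -1;     /* a failed lookup is rejected, not dereferenced */
}

/* Constructed sample proposals (transform IDs are IANA IKEv2 values). */
static const struct transform with_dh[] = { { T_ENCR, 20 }, { T_PRF, 5 }, { T_DH, 14 } };
static const struct transform without_dh[] = { { T_ENCR, 20 }, { T_PRF, 5 } };
static const struct transform unknown_dh[] = { { T_ENCR, 20 }, { T_PRF, 5 }, { T_DH, 999 } };
static const struct transform child_no_dh[] = { { T_ENCR, 20 }, { T_ESN, 0 } };
const struct proposal P_WITH_DH = { with_dh, 3 };
const struct proposal P_WITHOUT_DH = { without_dh, 2 };
const struct proposal P_UNKNOWN_DH = { unknown_dh, 3 };
const struct proposal P_CHILD_NO_DH = { child_no_dh, 2 };

int main(void)
{
    printf("IKE SA with DH:      %d\n", check_proposal(&P_WITH_DH, true));
    printf("IKE SA without DH:   %d\n", check_proposal(&P_WITHOUT_DH, true));
    printf("child SA without DH: %d\n", check_proposal(&P_CHILD_NO_DH, false));
    return 0;
}
```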
I added 3.18 to the Gentoo repository, though I no longer have any means to test it. I can only assume it is safe to stabilize.
I have just updated our production server to libreswan 3.18 and it seems to work as expected.
amd64 stable
x86 stable. Maintainer(s), please cleanup.
@ Security: Please vote!
GLSA Vote: No