Bug 831042 (CVE-2022-23094) - <net-vpn/libreswan-4.6: Denial of service (CVE-2022-23094)
Summary: <net-vpn/libreswan-4.6: Denial of service (CVE-2022-23094)
Status: IN_PROGRESS
Alias: CVE-2022-23094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://libreswan.org/security/CVE-20...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 834463
Blocks:
Reported: 2022-01-12 00:58 UTC by Sam James
Modified: 2022-03-12 22:22 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-12 00:58:44 UTC
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt:

```
The Libreswan Project was notified by github user "MyOzCam" of an
issue with receiving a malformed IKEv1 packet that crashed their
server. A malformed packet that is being rejected triggers a logging
action that causes a NULL pointer dereference leading to a crash of
the pluto daemon.

Vulnerable versions: libreswan 4.2 - 4.5
Not vulnerable     : libreswan 3.x, 4.0, 4.1 and 4.6+

Vulnerability information
=========================
A log message added in libreswan 4.2 assumes that an IKEv1 state is
created. In certain malformed packets, libreswan will attempt to log
this but mistakenly assumes there is a state object to use to display
the state object number. Some malformed packets are caught early enough
that no state object is created. The log routine lookup then results
in a NULL pointer dereference causing the libreswan IKE daemon to crash
and restart. This can happen when receiving malformed packets from an
IKE initiator using IKEv1 Main Mode or IKEv1 Aggressive Mode.


Exploitation
============
This vulnerability cannot be abused for a remote code execution or an
authentication bypass. But by continuing to send these packets, a
denial of service attack against the libreswan IKE service is possible.
```
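The advisory quoted above describes a bug class rather than a packet format: a logging path that unconditionally reads a state object's serial number even though early rejection means no state was ever created. The following added C example (not libreswan's code; the struct and function names, the `msg_digest`/`ike_state` shapes, the 28-byte ISAKMP header check and the pool argument are all illustrative assumptions) shows the vulnerable logger next to the hardened one, and a sketch of a receive path where a truncated header is dropped before any state exists, so the log call must tolerate a NULL state.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified IKEv1 state object (not libreswan's real struct). */
struct ike_state {
    unsigned long serialno;   /* the "state object number" the advisory refers to */
};

/* What the packet parser hands to the rejection/logging path.
 * st is NULL when the packet was rejected before any state was created. */
struct msg_digest {
    const char *reason;       /* why the packet is being rejected */
    struct ike_state *st;     /* may be NULL on early rejection */
};

/* Vulnerable pattern: the log routine assumes a state always exists.
 * Calling this with md->st == NULL dereferences a NULL pointer and
 * would take the whole daemon down with it. */
static int log_reject_vulnerable(const struct msg_digest *md, char *out, size_t outlen)
{
    return snprintf(out, outlen, "rejected %s (state #%lu)",
                    md->reason, md->st->serialno);
}

/* Hardened pattern: "no state yet" is a normal, expected case for a
 * rejected packet, so the logger handles it instead of assuming. */
static int log_reject_hardened(const struct msg_digest *md, char *out, size_t outlen)
{
    if (md->st == NULL)
        return snprintf(out, outlen, "rejected %s (no state)", md->reason);
    return snprintf(out, outlen, "rejected %s (state #%lu)",
                    md->reason, md->st->serialno);
}

/* Constructed sketch of the receive path. The header-length check is an
 * early rejection: it fails before any state could be looked up or created,
 * which is exactly the situation the logger must cope with.
 * Returns -1 if the packet was dropped, 0 if it was accepted. */
#define ISAKMP_HDR_LEN 28   /* fixed ISAKMP header size; used only as a length gate here */

static int process_packet(const unsigned char *pkt, size_t len,
                          struct ike_state *st_pool, char *out, size_t outlen)
{
    struct msg_digest md = { NULL, NULL };
    (void)pkt;   /* payload contents are not inspected in this sketch */

    if (len < ISAKMP_HDR_LEN) {
        md.reason = "truncated header";
        log_reject_hardened(&md, out, outlen);   /* md.st is still NULL here */
        return -1;                               /* dropped; daemon keeps running */
    }

    /* Header is complete: a state is created (here: taken from the caller's
     * pool), so any later rejection may legitimately name its serial number. */
    st_pool->serialno = 1;
    md.st = st_pool;
    snprintf(out, outlen, "accepted (state #%lu)", md.st->serialno);
    return 0;
}

int main(void)
{
    unsigned char short_pkt[10] = {0};            /* constructed: too short */
    unsigned char full_pkt[ISAKMP_HDR_LEN] = {0}; /* constructed: complete header */
    struct ike_state st = { 0 };
    struct msg_digest md;
    char line[128];

    process_packet(short_pkt, sizeof short_pkt, &st, line, sizeof line);
    puts(line);   /* rejected truncated header (no state) */

    process_packet(full_pkt, sizeof full_pkt, &st, line, sizeof line);
    puts(line);   /* accepted (state #1) */

    /* With a real state both loggers agree; only the NULL case differs. */
    md.reason = "bad payload";
    md.st = &st;
    log_reject_vulnerable(&md, line, sizeof line);
    puts(line);   /* rejected bad payload (state #1) */
    return 0;
}
```

The point for a reviewer is the second logger: the NULL branch is not defensive noise but the normal outcome for any packet rejected before state creation, which is why the fix belongs in the logging routine rather than in each caller.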
Comment 1 Hans de Graaff gentoo-dev 2022-01-12 06:54:02 UTC
4.6 has been added.
Comment 2 John Helmert III gentoo-dev Security 2022-01-12 20:59:49 UTC
Thank you! Please stabilize when ready.
Comment 3 Hans de Graaff gentoo-dev 2022-03-12 07:31:02 UTC
Cleanup done.
Comment 4 John Helmert III gentoo-dev Security 2022-03-12 22:22:21 UTC
Thanks!