===================================================================
CVE-2024-3652: IKEv1 default AH/ESP responder can crash and restart
===================================================================

This alert (and any updates) is available at the following URL:

https://libreswan.org/security/CVE-2024-3652

The Libreswan Project was notified of an issue that causes libreswan to crash and restart when it is acting as an IKEv1 responder with the AH/ESP default setting, i.e. when no esp= line is present in the connection configuration. The bug is triggered when, after IKEv1 authentication has succeeded (via Main Mode or Aggressive Mode), a Quick Mode message is received containing a bogus AES-GMAC proposal. When such a connection is automatically added on startup using the auto= keyword, this can cause repeated crashes, leading to a Denial of Service.

Severity: Medium

Vulnerable versions : libreswan 3.22 - 4.14
Not vulnerable      : libreswan 3.0 - 3.21, 4.15+, 5.0+

Vulnerability information
=========================

The function compute_proto_keymat() did not handle unexpected proposals for which the keymat size is 0, such as AES-GMAC, which can be used only with NULL encryption. The function ends up calling an assertion failure routine. No Remote Code Execution is possible.

Exploitation
============

The vulnerability can only be exploited when an IKEv1 connection is loaded without an esp= line. It also requires the peer to have authenticated itself before it can send the bogus request triggering the issue. IKEv2 connections are not vulnerable.

Workaround
==========

An esp= line using a common IKEv1 algorithm list can be added to all IKEv1 based connections. An example of such an esp= line could be:

esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5
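To check whether the workaround has been applied everywhere it matters, the following added script (not part of the advisory or of libreswan) scans an ipsec.conf for auto-loaded IKEv1 connections that still have no esp= line. It assumes a conn is IKEv1 when it, or "conn %default", carries ikev2=no or keyexchange=ikev1, and it does not follow also= includes; the sample configuration is constructed for the demonstration.

```python
# Added example, not from the Libreswan advisory: flag auto-loaded IKEv1
# conns in an ipsec.conf that lack the esp= workaround for CVE-2024-3652.
# Assumptions: IKEv1 is signalled by ikev2=no or keyexchange=ikev1 (own
# settings override "conn %default"); also= includes are not followed.
import re

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")

def parse_ipsec_conf(text: str) -> dict:
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)              # section headers start in column 0
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                            # 'config setup' or junk: skip
        key, value = line.strip().split("=", 1)
        conns[current][key.strip().lower()] = value.strip()
    return conns

def is_ikev1(settings: dict) -> bool:
    return (settings.get("keyexchange", "").lower() == "ikev1"
            or settings.get("ikev2", "").lower() == "no")

def find_exposed_conns(text: str) -> list:
    """Names of IKEv1 conns with auto= other than ignore and no esp= line."""
    conns = parse_ipsec_conf(text)
    defaults = conns.pop("%default", {})
    exposed = []
    for name, own in conns.items():
        merged = {**defaults, **own}
        if is_ikev1(merged) and merged.get("auto", "ignore").lower() != "ignore" \
                and "esp" not in merged:
            exposed.append(name)
    return exposed

# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """config setup
    logfile=/var/log/pluto.log
conn %default
    ikev2=no
conn legacy-site
    auto=start
    left=192.0.2.1
    right=198.51.100.1
conn fixed-site
    auto=add
    esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5
conn modern-site
    ikev2=yes
    auto=start
conn manual-site
    auto=ignore
"""

if __name__ == "__main__":
    for name in find_exposed_conns(SAMPLE_CONF):
        print(f"{name}: auto-loaded IKEv1 conn without esp= line")
```

Run it against a copy of the real ipsec.conf (and any files it includes) rather than the embedded sample; a reported conn name is one that should receive the esp= line from the Workaround section.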
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b74353681dcf6143676b69b7060228f8045c692e

commit b74353681dcf6143676b69b7060228f8045c692e
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-05-11 08:46:35 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-11 08:47:05 +0000

    net-vpn/libreswan: drop 4.14

    Bug: https://bugs.gentoo.org/930091
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/Manifest              |   1 -
 net-vpn/libreswan/libreswan-4.14.ebuild | 136 --------------------------------
 2 files changed, 137 deletions(-)