Bug 1716918 (CVE-2019-12312)

Summary: CVE-2019-12312 libreswan: null-pointer dereference by sending two IKEv2 packets
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avagarwa, code, mikhail.zabaluev, pwouters, scorneli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-24 05:18:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1716920, 1716921, 1716924, 1716925    
Bug Blocks: 1716919    

Description Dhananjay Arunesh 2019-06-04 12:05:06 UTC 
In Libreswan before 3.28, an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode to a Libreswan server. This affects send_v2N_spi_response_from_state in programs/pluto/ikev2_send.c when built with Network Security Services (NSS).

Reference:
https://github.com/libreswan/libreswan/issues/246

Upstream commit:
https://github.com/libreswan/libreswan/compare/9b1394e...3897683
Comment 1 Dhananjay Arunesh 2019-06-04 12:08:09 UTC 
Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1716920]
Comment 2 Dhananjay Arunesh 2019-06-04 12:08:39 UTC 
Created libreswan tracking bugs for this issue:

Affects: epel-6 [bug 1716921]
Comment 3 Dhananjay Arunesh 2019-06-04 12:09:41 UTC 
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 1716924]


Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1716925]
Comment 4 Paul Wouters 2019-06-04 13:13:10 UTC 
correction: only version 3.27 is vulnerable. versions older and later are not vulnerable.

See https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt
Comment 5 Paul Wouters 2019-06-04 13:15:03 UTC 
why were strongswan bugs created for this? strongswan is not known to be vulnerable. We did not test it for this. The code involved in libreswan was never part of strongswan
Comment 8 msiddiqu 2019-08-22 19:27:51 UTC 
Upstream patch: 

https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch
https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt
Comment 9 Mikhail Zabaluev 2019-11-24 05:18:35 UTC 
(In reply to msiddiqu from comment #8)
> Upstream patch: 
> 
> https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.
> patch
> https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

This is for libreswan. The vulnerability report never mentions strongswan.
Please reopen if you can show how strongswan is affected by this.