Bug 1716918 (CVE-2019-12312)

Summary: CVE-2019-12312 libreswan: null-pointer dereference by sending two IKEv2 packets
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avagarwa, mikhail.zabaluev, pavlix, pwouters, scorneli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1716920, 1716921, 1716924, 1716925    
Bug Blocks: 1716919    

Description Dhananjay Arunesh 2019-06-04 12:05:06 UTC
In Libreswan before 3.28, an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode to a Libreswan server. This affects send_v2N_spi_response_from_state in programs/pluto/ikev2_send.c when built with Network Security Services (NSS).

Reference:
https://github.com/libreswan/libreswan/issues/246

Upstream commit:
https://github.com/libreswan/libreswan/compare/9b1394e...3897683

Comment 1 Dhananjay Arunesh 2019-06-04 12:08:09 UTC
Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1716920]

Comment 2 Dhananjay Arunesh 2019-06-04 12:08:39 UTC
Created libreswan tracking bugs for this issue:

Affects: epel-6 [bug 1716921]

Comment 3 Dhananjay Arunesh 2019-06-04 12:09:41 UTC
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 1716924]


Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1716925]

Comment 4 Paul Wouters 2019-06-04 13:13:10 UTC
correction: only version 3.27 is vulnerable. versions older and later are not vulnerable.

See https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

Comment 5 Paul Wouters 2019-06-04 13:15:03 UTC
why were strongswan bugs created for this? strongswan is not known to be vulnerable. We did not test it for this. The code involved in libreswan was never part of strongswan