Bug 2225368 (CVE-2023-38710)

Summary: CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dueno, paul.wouters, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---Flags: paul.wouters: needinfo? (trathi)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreswan 4.12 Doc Type: If docs needed, set a value
Doc Text:
An assertion failure flaw was found in the Libreswan package that occurs when processing IKEv2 REKEY requests. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notification INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3). This flaw allows a malicious client or attacker to send a malformed IKEv2 REKEY packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2215955, 2215956, 2230238    
Bug Blocks: 2225370    

Description TEJ RATHI 2023-07-25 05:37:12 UTC 
When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
Comment 1 TEJ RATHI 2023-07-25 06:04:16 UTC 
Vulnerable versions : libreswan 3.20 - 4.11 
Not vulnerable      : libreswan 3.0 - 3.19, 4.12+

Vulnerable code was introduced in libreswan v3.20
Comment 2 TEJ RATHI 2023-08-09 05:29:23 UTC 
This CVE is now public by upstream:

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.patch
Comment 3 TEJ RATHI 2023-08-09 05:39:37 UTC 
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 2230238]
Comment 4 errata-xmlrpc 2023-11-07 08:19:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6549 https://access.redhat.com/errata/RHSA-2023:6549
Comment 5 errata-xmlrpc 2023-11-14 15:19:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7052 https://access.redhat.com/errata/RHSA-2023:7052
Comment 6 Paul Wouters 2024-06-23 01:11:41 UTC 
this bug should be closed (can't see all the things it depends on but based on fedora and the above RHEL 8/9, seems like all the work was done)
Comment 7 errata-xmlrpc 2024-12-02 01:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:10594 https://access.redhat.com/errata/RHSA-2024:10594
Comment 8 errata-xmlrpc 2025-01-14 10:45:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:0309 https://access.redhat.com/errata/RHSA-2025:0309