Bug 2225368 (CVE-2023-38710)

Summary: CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dueno, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreswan 4.12 Doc Type: If docs needed, set a value
Doc Text:
An assertion failure flaw was found in the Libreswan package that occurs when processing IKEv2 REKEY requests. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notification INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3). This flaw allows a malicious client or attacker to send a malformed IKEv2 REKEY packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2215955, 2215956, 2230238    
Bug Blocks: 2225370    

Description TEJ RATHI 2023-07-25 05:37:12 UTC 
When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
Comment 1 TEJ RATHI 2023-07-25 06:04:16 UTC 
Vulnerable versions : libreswan 3.20 - 4.11 
Not vulnerable      : libreswan 3.0 - 3.19, 4.12+

Vulnerable code was introduced in libreswan v3.20
Comment 2 TEJ RATHI 2023-08-09 05:29:23 UTC 
This CVE is now public by upstream:

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.patch
Comment 3 TEJ RATHI 2023-08-09 05:39:37 UTC 
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 2230238]