Bug 1734060 - libreswan false positive on duplicate acquires leads to ignored IKE requests and packet loss
Summary: libreswan false positive on duplicate acquires leads to ignored IKE requests ...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
Depends On: 1734058 1822580
TreeView+ depends on / blocked
Reported: 2019-07-29 14:34 UTC by Paul Wouters
Modified: 2020-11-14 08:47 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1734058
Last Closed: 2020-10-20 02:07:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Paul Wouters 2019-07-29 14:34:55 UTC
+++ This bug was initially created as a clone of Bug #1734058 +++

There are some (as of yet unknown) scenario's where pluto receives a kernel ACQUIRE for which it already detects it has a valid STATE object. Thus, it interprets these as a "duplicate acquire" and no action is taken. However, the state found does not belong to a valid IPsec SA, and so the tunnel is down and cannot be started because it is deemed up based on the "duplicate" check.

When this happens, packets are dropped for a lack of IPsec SA - or leaked in the clear, depending on whether this was a "private" or "private-or-clear" group state.

Comment 4 Paul Wouters 2020-10-20 02:07:03 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.9 because it is seen either as a low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; this issue is known to have been addressed in Red Hat Enterprise Linux 8.

Note You need to log in before you can comment on or make changes to this bug.