Bug 2225368 (CVE-2023-38710) - CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart [NEEDINFO]
Summary: CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart
Keywords:
Status: NEW
Alias: CVE-2023-38710
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215955 2215956 2230238
Blocks: 2225370
Reported: 2023-07-25 05:37 UTC by TEJ RATHI
Modified: 2025-01-14 10:45 UTC

Fixed In Version: libreswan 4.12
Clone Of:
Environment:
Last Closed:
Embargoed:
paul.wouters: needinfo? (trathi)



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:6549 | 0 | None | None | None | 2023-11-07 08:19:20 UTC
Red Hat Product Errata | RHSA-2023:7052 | 0 | None | None | None | 2023-11-14 15:19:23 UTC
Red Hat Product Errata | RHSA-2024:10594 | 0 | None | None | None | 2024-12-02 01:17:02 UTC
Red Hat Product Errata | RHSA-2025:0309 | 0 | None | None | None | 2025-01-14 10:45:16 UTC

Description TEJ RATHI 2023-07-25 05:37:12 UTC
When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH (3) and causes the pluto daemon to crash and restart.

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
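
The failure mode in the description above, modelled as an added example (not libreswan's code and not part of the original report): a peer-supplied protocol ID is copied into the INVALID_SPI reply and only checked on the way out. The function names, the result enum, the input check shown as a hardening and the sample payloads are assumptions made for illustration; the numeric constants follow RFC 7296.

```c
#include <stdint.h>
#include <stdio.h>

/* IKEv2 Protocol IDs and notify types (RFC 7296, sections 3.3.1, 3.10.1). */
enum { PROTO_AH = 2, PROTO_ESP = 3, N_INVALID_SPI = 11, N_REKEY_SA = 16393 };
enum result { SENT_INVALID_SPI, REJECTED_INPUT, WOULD_ASSERT, MALFORMED };
struct notify { uint8_t proto, spi_size; uint16_t type; };

/* Notify payload: 4-byte generic header, Protocol ID, SPI Size, 16-bit type. */
static int parse_notify(const uint8_t *p, size_t len, struct notify *n)
{
    if (len < 8) return -1;
    size_t plen = ((size_t)p[2] << 8) | p[3];
    if (plen < 8 || plen > len) return -1;
    *n = (struct notify){ p[4], p[5], (uint16_t)((p[6] << 8) | p[7]) };
    return (size_t)n->spi_size + 8 > plen ? -1 : 0;
}
static int is_ipsec_proto(uint8_t id) { return id == PROTO_AH || id == PROTO_ESP; }

static enum result emit_invalid_spi(const struct notify *in, struct notify *out)
{
    *out = (struct notify){ in->proto, in->spi_size, N_INVALID_SPI }; /* ID copied */
    /* Outgoing check; the page describes an assertion here, modelled as a result. */
    return is_ipsec_proto(out->proto) ? SENT_INVALID_SPI : WOULD_ASSERT;
}

/* REKEY_SA notify whose SPI matches no Child SA. validate = 0 models the
 * flawed flow; validate = 1 is an assumed hardening, not the upstream patch. */
enum result handle_unknown_rekey(const uint8_t *p, size_t len, int validate,
                                 struct notify *reply)
{
    struct notify in;
    if (parse_notify(p, len, &in) != 0 || in.type != N_REKEY_SA)
        return MALFORMED;
    if (validate && !is_ipsec_proto(in.proto))
        return REJECTED_INPUT;  /* stop before any reply is built */
    return emit_invalid_spi(&in, reply);
}

/* Constructed sample payloads, not captured traffic. */
const uint8_t REKEY_ESP[]  = {0, 0, 0, 12, 3, 4, 0x40, 0x09, 1, 2, 3, 4};
const uint8_t REKEY_ZERO[] = {0, 0, 0, 12, 0, 4, 0x40, 0x09, 1, 2, 3, 4};
int main(void)
{
    struct notify r;
    printf("flawed=%d hardened=%d\n", handle_unknown_rekey(REKEY_ZERO, 12, 0, &r),
           handle_unknown_rekey(REKEY_ZERO, 12, 1, &r));
    return 0;
}
```

Validating the field where it enters means the reply builder never sees a value its own output check would refuse.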

Comment 1 TEJ RATHI 2023-07-25 06:04:16 UTC
Vulnerable versions : libreswan 3.20 - 4.11 
Not vulnerable      : libreswan 3.0 - 3.19, 4.12+

Vulnerable code was introduced in libreswan v3.20

Comment 3 TEJ RATHI 2023-08-09 05:39:37 UTC
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 2230238]

Comment 4 errata-xmlrpc 2023-11-07 08:19:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6549 https://access.redhat.com/errata/RHSA-2023:6549

Comment 5 errata-xmlrpc 2023-11-14 15:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7052 https://access.redhat.com/errata/RHSA-2023:7052

Comment 6 Paul Wouters 2024-06-23 01:11:41 UTC
This bug should be closed (can't see all the things it depends on, but based on Fedora and the above RHEL 8/9, seems like all the work was done).

Comment 7 errata-xmlrpc 2024-12-02 01:17:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:10594 https://access.redhat.com/errata/RHSA-2024:10594

Comment 8 errata-xmlrpc 2025-01-14 10:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:0309 https://access.redhat.com/errata/RHSA-2025:0309

