2225368 – (CVE-2023-38710) CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart

Bug 2225368 (CVE-2023-38710) - CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart

Summary: CVE-2023-38710 libreswan: Invalid IKEv2 REKEY proposal causes restart

Keywords:
Status:	NEW
Alias:	CVE-2023-38710
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2215955 2215956 2230238
Blocks:	2225370
TreeView+	depends on / blocked

Reported:	2023-07-25 05:37 UTC by TEJ RATHI
Modified:	2023-08-16 05:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:	libreswan 4.12
Doc Type:	If docs needed, set a value
Doc Text:	An assertion failure flaw was found in the Libreswan package that occurs when processing IKEv2 REKEY requests. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notification INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3). This flaw allows a malicious client or attacker to send a malformed IKEv2 REKEY packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-07-25 05:37:12 UTC

When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt

Comment 1 TEJ RATHI 2023-07-25 06:04:16 UTC

Vulnerable versions : libreswan 3.20 - 4.11 
Not vulnerable      : libreswan 3.0 - 3.19, 4.12+

Vulnerable code was introduced in libreswan v3.20

Comment 2 TEJ RATHI 2023-08-09 05:29:23 UTC

This CVE is now public by upstream:

https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.patch

Comment 3 TEJ RATHI 2023-08-09 05:39:37 UTC

Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 2230238]

Note You need to log in before you can comment on or make changes to this bug.