Bug 1050245 (CVE-2013-6467) - CVE-2013-6467 libreswan: dereferencing missing IKEv2 payloads causes pluto daemon to restart
Summary: CVE-2013-6467 libreswan: dereferencing missing IKEv2 payloads causes pluto da...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-6467
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1050345 1058387 1058388
Blocks: 1050315
TreeView+ depends on / blocked
 
Reported: 2014-01-08 21:37 UTC by Kurt Seifried
Modified: 2021-02-17 07:01 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-28 06:04:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Kurt Seifried 2014-01-08 21:37:49 UTC
Paul Wouters of Red Hat reports:

The Libreswan Project was notified by Iustina Melinte of a vulnerability
regarding dereferencing of non-received IKEv2 payloads. This allows
a malicious non-authenticated remote user to cause the libreswan IKE
daemon to restart.

Vulnerable versions: libreswan up to version 3.7
Not vulnerable     : libreswan 3.8

If you cannot upgrade to 3.8, please see the above link for a patch for this issue.

All versions of openswan including 2.6.39 are also vulnerable to this bug, see CVE-2013-6466

Vulnerability information
--------------------------

Iustina Melinte used a custom IKE fuzzer to test libreswan. By withholding
or renumbering certain IKEv2 payloads, the pluto IKE daemon crashes while
trying to dereference a NULL pointer on the presumably received payload.

Configurations that only allow IKEv1 are not vulnerable.

Exploitation
-------------

This denial of service can be launched by anyone using a few mangled
IKEv2 packets. No authentication credentials are required. No remote code
execution is possible through this vulnerability. Libreswan automatically
restarts when it crashes. Please note that this will also cause existing 
connections to drop.

Workaround
-----------

When not requiring or using IKEv2, adding the keyword ikev2=never to
all connections enforced that only IKEv1 can be used. This prevents the
affected code from being called. The default value for ikev2= is "yes",
meaning that IKEv2 is allowed and the affected code can be triggered causing
a denial-of-service. 

Credits
--------

This vulnerability was found by Iustina Melinte. The Libreswan Project is
especially thankful for Iustina's assistance with the IKE fuzzer software.

Comment 3 Vincent Danen 2014-01-27 17:08:37 UTC
External References:

https://libreswan.org/security/CVE-2013-6467/CVE-2013-6467.txt

Comment 4 Vincent Danen 2014-01-27 17:22:25 UTC
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 1058387]
Affects: epel-6 [bug 1058388]


Note You need to log in before you can comment on or make changes to this bug.