A flaw was discovered in the way Libreswan's IKE daemon processed certain IKEv1 payloads. A remote attacker could send specially crafted IKEv1 payloads that, when processed, would lead to a denial of service (daemon crash). Two separate triggers lead to the crash.

First, by setting unassigned bits of the IPSEC DOI value, an error message string would be printed with the unknown bit names rendered as bit numbers. Printing 32 of these would cause the internal buffer "bitnamesbuf" to be too small. Non-vulnerable versions truncate this buffer properly. A generic jam_str() function was added as part of these protections, but it would passert() unless given a buffer length of at least 1 (the byte needed for the terminating NUL). When the buffer had already been completely filled, there was no space left for that one additional character, so the passert() fired and the IKE daemon restarted.

Second, by setting the next payload value to ISAKMP_NEXT_SAK (used by old Cisco VPN servers to signal NAT-Traversal payloads), the libreswan daemon would attempt to interpret the payload as a NAT-D payload. It did not do so correctly, again causing a passert() that restarted the IKE daemon.

This denial of service can be launched by anyone using a single IKE packet; no authentication credentials are required. No remote code execution is possible through this vulnerability. Libreswan automatically restarts when it crashes.

Acknowledgements: Red Hat would like to thank Javantea for reporting this issue.
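As an added illustration (not libreswan's own code), the C sketch below shows the bit-name formatting pattern described above together with an append helper that truncates, rather than asserting, once an earlier append has exactly filled the buffer; the bit names, the small buffer sizes and the jam_str_safe() helper are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed names for the low bits; unnamed bits print as their bit number. */
static const char *const bit_names[] = { "IPSEC", "AH", "ESP" };
#define BIT_NAME_COUNT (sizeof(bit_names) / sizeof(bit_names[0]))
/* Append src at dst + *used, always keeping one byte for the NUL. A helper that
 * asserted "at least 1 byte free" would crash once the buffer is exactly full. */
static bool jam_str_safe(char *dst, size_t dst_len, size_t *used, const char *src)
{
    if (dst_len == 0 || *used >= dst_len) return false;
    size_t room = dst_len - *used - 1;          /* bytes usable before the NUL */
    size_t n = strlen(src);
    bool fits = n <= room;
    if (!fits) n = room;                        /* truncate instead of asserting */
    memcpy(dst + *used, src, n);
    *used += n;
    dst[*used] = '\0';
    return fits;
}

/* Render every set bit of 'bits' as its name or bit number, joined by '+'.
 * Returns true only if the full string fit in dst. */
bool bitnames_of(uint32_t bits, char *dst, size_t dst_len)
{
    if (dst_len == 0) return false;
    size_t used = 0;
    bool ok = true;
    dst[0] = '\0';
    for (unsigned i = 0; i < 32; i++) {
        if (!(bits & (UINT32_C(1) << i))) continue;
        char num[12];
        const char *name = num;
        if (i < BIT_NAME_COUNT) name = bit_names[i];
        else snprintf(num, sizeof num, "%u", i);
        if (used != 0) ok = jam_str_safe(dst, dst_len, &used, "+") && ok;
        ok = jam_str_safe(dst, dst_len, &used, name) && ok;
    }
    return ok;
}

/* Check helper: format into the first 'len' bytes of a 64-byte buffer. */
bool check_case(uint32_t bits, size_t len, const char *expect, bool expect_ok)
{
    char buf[64];
    return bitnames_of(bits, buf, len) == expect_ok && strcmp(buf, expect) == 0;
}
```

With all 32 bits set and a 24-byte buffer, the output is cut at 23 characters plus the NUL and the function reports truncation rather than aborting the process.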
External References:
https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204.txt
https://libreswan.org/security/CVE-2015-3204/CVE-2015-3204-libreswan.patch

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7: via RHSA-2015:1154, https://rhn.redhat.com/errata/RHSA-2015-1154.html