Bug 1223361 (CVE-2015-3204) - CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart
Summary: CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On: 1226407 1226408
Blocks: 1223364
Reported: 2015-05-20 12:07 UTC by Martin Prpič
Modified: 2019-09-29 13:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the way Libreswan's IKE daemon processed certain IKEv1 payloads. A remote attacker could send specially crafted IKEv1 payloads that, when processed, would lead to a denial of service (daemon crash).
Clone Of:
Environment:
Last Closed: 2015-06-23 13:15:02 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1154 normal SHIPPED_LIVE Moderate: libreswan security, bug fix and enhancement update 2015-06-23 13:09:27 UTC

Description Martin Prpič 2015-05-20 12:07:42 UTC
A flaw was discovered in the way Libreswan's IKE daemon processed certain IKEv1 payloads. A remote attacker could send specially crafted IKEv1 payloads that, when processed, would lead to a denial of service (daemon crash).

By setting unassigned bits of the IPSEC DOI value, an error message
string would be printed with string names as bit numbers. Printing 32 of
these would cause the internal buffer "bitnamesbuf" to be too small. This
buffer is truncated properly in the non-vulnerable versions. A generic
jam_str() function was added to these protections, but it would passert()
if not given at least a buffer length of 1 (to add a NULL to terminate
the string). However, the filled-in string would have no more space for
the additional 1 character to be added. The passert() would cause the IKE
daemon to restart.

By setting the next payload value to ISAKMP_NEXT_SAK (used by old Cisco
VPN servers to signal NAT-Traversal payloads), the libreswan daemon would
attempt to interpret this payload as a NAT-D payload. However, it did not
properly do so, causing a passert() which would restart the IKE daemon.

This denial of service can be launched by anyone using a single IKE packet.
No authentication credentials are required. No remote code execution is
possible through this vulnerability. Libreswan automatically restarts when
it crashes.

Acknowledgements:

Red Hat would like to thank Javantea for reporting this issue.
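The bitnamesbuf problem the report describes, shown as an added C example that is not libreswan's code: an append helper in the spirit of jam_str() that reports truncation instead of asserting when the buffer has no room left, and a bit-name renderer built on it that prints unassigned bits as numbers, so that all 32 bits set never grows past the buffer. The helper names, the buffer sizes and the three flag names are illustrative assumptions for this example, not libreswan identifiers.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed names for the three low bits; every other bit is "unassigned"
 * and is rendered as its bit number, which is what makes the string grow. */
static const char *const flag_names[] = {
    "SIT_IDENTITY_ONLY", "SIT_SECRECY", "SIT_INTEGRITY"
};

/* Append src to the NUL-terminated string in dst (cap bytes total).
 * Always leaves dst NUL-terminated. Returns false if anything was cut off.
 * A full buffer is an ordinary truncation result here, not an assertion. */
static bool jam_str_safe(char *dst, size_t cap, const char *src) {
    if (cap == 0) return false;                      /* nowhere to write */
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL) { dst[cap - 1] = '\0'; end = dst + cap - 1; } /* repair */
    size_t used = (size_t)(end - dst);
    size_t room = cap - used - 1;                    /* keep one byte for NUL */
    size_t n = strlen(src);
    if (n > room) {
        memcpy(dst + used, src, room);
        dst[used + room] = '\0';
        return false;
    }
    memcpy(dst + used, src, n + 1);
    return true;
}

/* Render each set bit of flags as a '+'-separated list: a name where one is
 * known, the bit number otherwise. Never asserts and always terminates out.
 * Returns how many set bits did not fit completely (0 means complete). */
int bitnames_safe(uint32_t flags, char *out, size_t cap) {
    if (cap == 0) return 32;                         /* no buffer at all */
    out[0] = '\0';
    const size_t nnames = sizeof flag_names / sizeof flag_names[0];
    int dropped = 0;
    bool first = true;
    for (int bit = 0; bit < 32; bit++) {
        if (!(flags & (1u << bit))) continue;
        char piece[32];
        if ((size_t)bit < nnames)
            snprintf(piece, sizeof piece, "%s%s", first ? "" : "+", flag_names[bit]);
        else
            snprintf(piece, sizeof piece, "%s%d", first ? "" : "+", bit);
        first = false;
        if (!jam_str_safe(out, cap, piece)) dropped++;
    }
    return dropped;
}

int main(void) {
    char buf[79];                                    /* one byte too small for bits 3..31 */
    int dropped = bitnames_safe(0xFFFFFFF8u, buf, sizeof buf);
    printf("%s\n(%d bit(s) truncated, buffer stays terminated)\n", buf, dropped);
    return 0;
}
```

The 79-byte buffer in main() is sized one short of what the 29 unassigned bits need, which is the exact condition the report describes; the renderer reports one truncated bit and returns normally instead of taking the daemon down.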

Comment 11 errata-xmlrpc 2015-06-23 09:09:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1154 https://rhn.redhat.com/errata/RHSA-2015-1154.html

