The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. Bugzilla issue: https://bugzilla.redhat.com/show_bug.cgi?id=1713512
Acknowledgments: Name: team (Libreswan Project)
External References: https://libreswan.org/security/CVE-2019-10155/
Upstream Patch: https://libreswan.org/security/CVE-2019-10155/CVE-2019-10155.patch
Created libreswan tracking bugs for this issue: Affects: epel-6 [bug 1719334]
Created libreswan tracking bugs for this issue: Affects: fedora-all [bug 1719335]
note: fedora versions were already in updates-testing before this bug was created (see rhbz#1718986)
Reference: https://libreswan.org/security/CVE-2019-10155/
Mitigation: If all IKE peers support IKEv2, it is possible to reconfigure IKEv1 connections to use IKEv2 via the "ikev2=insist" keyword.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3391 https://access.redhat.com/errata/RHSA-2019:3391
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10155