Bug 1716918 (CVE-2019-12312) - CVE-2019-12312 libreswan: null-pointer dereference by sending two IKEv2 packets
Summary: CVE-2019-12312 libreswan: null-pointer dereference by sending two IKEv2 packets
Keywords:
Status: NEW
Alias: CVE-2019-12312
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1716920 1716921 1716924 1716925
Blocks: 1716919
TreeView+ depends on / blocked
 
Reported: 2019-06-04 12:05 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:14 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-06-04 12:05:06 UTC
In Libreswan before 3.28, an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode to a Libreswan server. This affects send_v2N_spi_response_from_state in programs/pluto/ikev2_send.c when built with Network Security Services (NSS).

Reference:
https://github.com/libreswan/libreswan/issues/246

Upstream commit:
https://github.com/libreswan/libreswan/compare/9b1394e...3897683

Comment 1 Dhananjay Arunesh 2019-06-04 12:08:09 UTC
Created strongswan tracking bugs for this issue:

Affects: epel-all [bug 1716920]

Comment 2 Dhananjay Arunesh 2019-06-04 12:08:39 UTC
Created libreswan tracking bugs for this issue:

Affects: epel-6 [bug 1716921]

Comment 3 Dhananjay Arunesh 2019-06-04 12:09:41 UTC
Created libreswan tracking bugs for this issue:

Affects: fedora-all [bug 1716924]


Created strongswan tracking bugs for this issue:

Affects: fedora-all [bug 1716925]

Comment 4 Paul Wouters 2019-06-04 13:13:10 UTC
correction: only version 3.27 is vulnerable. versions older and later are not vulnerable.

See https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt

Comment 5 Paul Wouters 2019-06-04 13:15:03 UTC
why were strongswan bugs created for this? strongswan is not known to be vulnerable. We did not test it for this. The code involved in libreswan was never part of strongswan


Note You need to log in before you can comment on or make changes to this bug.