Bug 1814541 (CVE-2020-1763) - CVE-2020-1763 libreswan: DoS attack via malicious IKEv1 informational exchange message
Summary: CVE-2020-1763 libreswan: DoS attack via malicious IKEv1 informational exchang...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1763
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1813392 (view as bug list)
Depends On: 1813392 1814933 1814934 1814935 1829668 1834594 1834595
Blocks: 1813909
TreeView+ depends on / blocked
 
Reported: 2020-03-18 07:45 UTC by Dhananjay Arunesh
Modified: 2021-06-16 01:18 UTC (History)
5 users (show)

Fixed In Version: libreswan 3.32
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan. An unauthenticated attacker could use this flaw to crash libreswan by sending specially-crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash.
Clone Of:
Environment:
Last Closed: 2020-05-12 10:33:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2069 0 None None None 2020-05-12 07:32:59 UTC
Red Hat Product Errata RHSA-2020:2070 0 None None None 2020-05-12 08:39:26 UTC
Red Hat Product Errata RHSA-2020:2071 0 None None None 2020-05-12 07:46:49 UTC

Description Dhananjay Arunesh 2020-03-18 07:45:10 UTC 
A vulnerability was found in Libreswan in version 3.27 and before 3.32, where libreswan's pluto daemon crashes on receiving an unauthenticated malicious IKEv1 Informational Exchange packet.
Comment 1 Huzaifa S. Sidhpurwala 2020-03-19 04:12:54 UTC 
As per upstream (https://bugzilla.redhat.com/show_bug.cgi?id=1813329#c2):

offending upstream commit:

fa004e7d4b83fbeaa8d0f6d8430a96aed97a97b9 is the first bad commit
commit fa004e7d4b83fbeaa8d0f6d8430a96aed97a97b9
Author: D. Hugh Redelmeier <hugh>
Date:   Wed Sep 19 12:51:01 2018 -0400

    pluto: ikev1.c: when rejecting an unexpected payload, log the state name

 programs/pluto/ikev1.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Comment 2 Huzaifa S. Sidhpurwala 2020-03-19 04:16:23 UTC 
Acknowledgments:

Name: Paul Wouters (Red Hat)
Comment 7 Huzaifa S. Sidhpurwala 2020-05-06 08:28:43 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 8 Huzaifa S. Sidhpurwala 2020-05-12 03:20:34 UTC 
External References:

https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt
Comment 9 Huzaifa S. Sidhpurwala 2020-05-12 03:21:32 UTC 
Created libreswan tracking bugs for this issue:

Affects: epel-6 [bug 1834595]
Affects: fedora-all [bug 1834594]
Comment 10 Huzaifa S. Sidhpurwala 2020-05-12 03:38:09 UTC 
Statement:

This flaw does not affect the version of libreswan shipped with Red Hat Enterprise Linux 6 and 7 because they did not ship the vulnerable code. (The offending commit fa004e7d4b83fbeaa8d0f6d8430a96aed97a97b9 and others was introduced in libreswan-3.27)
Comment 11 Huzaifa S. Sidhpurwala 2020-05-12 03:42:15 UTC 
Upstream patch: https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8
Comment 12 errata-xmlrpc 2020-05-12 07:32:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2069 https://access.redhat.com/errata/RHSA-2020:2069
Comment 13 errata-xmlrpc 2020-05-12 07:46:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2071 https://access.redhat.com/errata/RHSA-2020:2071
Comment 14 errata-xmlrpc 2020-05-12 08:39:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2070 https://access.redhat.com/errata/RHSA-2020:2070
Comment 15 Product Security DevOps Team 2020-05-12 10:33:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1763
Comment 16 Paul Wouters 2020-05-26 14:08:23 UTC 
*** Bug 1813392 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.