-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Release date: Monday Jun 4, 2019
Contact: team@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

CVE-2019-12312: IKEv2 bogus Informational Exchange request can cause NULL pointer dereference

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2019-12312/

The Libreswan Project was notified by user GuoJiaXing-Lab124 on GitHub
of a bug in handling bogus encrypted INFORMATIONAL packet requests sent
before the IKE_AUTH exchange has completed. These packets are bogus,
and libreswan attempted to send an encrypted error message without having
an encryption key due to the skipped IKE_AUTH exchange. This resulted
in a NULL pointer dereference, causing libreswan to crash and restart.

As the impact of this vulnerability was deemed low, no CVE was requested
for this vulnerability. The Libreswan Project was notified about a CVE
entry for this issue with minimal and partially incorrect information,
which led to this announcement for CVE-2019-12312, which MITRE can
hopefully use to replace the original CVE submission text.

Vulnerable versions: libreswan 3.27
Not vulnerable     : libreswan 3.0 - 3.26, 3.28 and later

Vulnerability information
=========================
The IKEv2 protocol in normal operation starts out with an IKE_SA_INIT
packet exchange, followed by an IKE_AUTH packet exchange. The IKE_AUTH
exchange is encrypted with key material derived from SKEYSEED, a value
computed from the initial Diffie-Hellman key exchange values in IKE_SA_INIT.

When libreswan received an IKE_SA_INIT, followed by an INFORMATIONAL
exchange instead of an IKE_AUTH exchange, it would reject this bogus
exchange. During the error path, it attempted to send an error, which for
an INFORMATIONAL exchange would be encrypted. However, since IKE_AUTH
had not completed, no proper encryption keys had been installed yet,
and encryption of the error message would fail due to a NULL pointer
dereference. libreswan would crash and restart.
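
The check this failure calls for, modelled as an added example (not libreswan's code and not part of the advisory). `struct toy_sa`, `error_reply_mode` and `demo` are hypothetical names, the header offsets and exchange type numbers follow RFC 7296, and the sample header is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Exchange type numbers from RFC 7296. */
enum { IKE_SA_INIT = 34, IKE_AUTH = 35, INFORMATIONAL = 37 };
enum verdict { REPLY_PLAIN, REPLY_ENCRYPTED, DROP };
#define IKE_HDR_LEN 28

/* Hypothetical, simplified responder state; not pluto's struct state. */
struct toy_sa {
	bool skeyseed_calculated;	/* DH and SKEYSEED have been computed */
	const uint8_t *sk_e;		/* encryption key, NULL until then */
};

/* Exchange type from a raw IKEv2 header, or -1 if truncated or not v2. */
static int ike_exchange_type(const uint8_t *pkt, size_t len)
{
	if (pkt == NULL || len < IKE_HDR_LEN || (pkt[17] >> 4) != 2)
		return -1;
	return pkt[18];
}

/* How may an error notification for this request be sent? */
enum verdict error_reply_mode(const struct toy_sa *sa, const uint8_t *pkt, size_t len)
{
	int xchg = ike_exchange_type(pkt, len);
	if (sa == NULL || xchg < 0)
		return DROP;
	if (xchg == IKE_SA_INIT)
		return REPLY_PLAIN;	/* IKE_SA_INIT messages are not encrypted */
	/* Any other exchange is encrypted: verify keys exist before using them. */
	if (!sa->skeyseed_calculated || sa->sk_e == NULL)
		return DROP;
	return REPLY_ENCRYPTED;
}

/* Constructed sample: header-only request of type xchg against a toy SA. */
enum verdict demo(uint8_t xchg, bool keyed)
{
	static const uint8_t key[16] = { 0 };	/* placeholder key bytes */
	struct toy_sa sa = { keyed, keyed ? key : NULL };
	uint8_t hdr[IKE_HDR_LEN] = { [17] = 0x20, [18] = xchg };	/* v2.0 */
	return error_reply_mode(&sa, hdr, sizeof(hdr));
}

int main(void)
{
	printf("INFORMATIONAL, no keys: %d (2 = DROP)\n", demo(INFORMATIONAL, false));
	return 0;
}
```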

Exploitation
============
By continuing to send these packets, a denial of service attack is possible.
This vulnerability cannot be abused for remote code execution.

Workaround
==========
A possible workaround is to reconfigure IKEv2 connections to use IKEv1,
using the keyword ikev2=never. However, this must be supported and
allowed by the IKE peer as well. It is recommended to upgrade or patch
libreswan instead of downgrading to IKEv1.

History
=======
- - 2019-05-12 Issue reported via GitHub at https://github.com/libreswan/libreswan/issues/246
- - 2019-05-14 Issue fixed in git master - no CVE was deemed required
- - 2019-05-?? CVE issue requested by an unknown entity
             (neither requester nor MITRE contacted The Libreswan Project for verification)
- - 2019-05-24 CVE-2019-12312 published by MITRE
- - 2019-06-03 The Libreswan Project informed of CVE-2019-12312 by Daniel Kahn Gillmor
- - 2019-06-04 This CVE announcement posted by The Libreswan Project.

Credits
=======
This vulnerability was found and reported by GitHub user GuoJiaXing-Lab124.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 3.28 or later.
For those who cannot upgrade, a patch is provided at the above URL. The
patch has also been included below for reference.

About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).


Patch
=====
diff -Naur libreswan-3.27-orig/programs/pluto/ikev2_send.c libreswan-3.27/programs/pluto/ikev2_send.c
- --- libreswan-3.27-orig/programs/pluto/ikev2_send.c	2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/pluto/ikev2_send.c	2019-06-03 19:17:39.951046484 -0400
@@ -407,6 +407,17 @@
 				     chunk_t *ndata)
 {
 	passert(md != NULL); /* always a reply */
+
+	/*
+	 * The caller must have computed DH and SKEYSEED; but may not
+	 * have authenticated (i.e., don't assume that the IKE SA has
+	 * "established").
+	 */
+	if (!pst->hidden_variables.st_skeyid_calculated) {
+		loglog(RC_LOG_SERIOUS, "Cannot send an encrypted response without SKEYSEED, dropping packet");
+		return;
+	}
+
 	const char *const notify_name = enum_short_name(&ikev2_notify_names, ntype);
 
 	enum isakmp_xchg_types exchange_type = md->hdr.isa_xchg;
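Review bot: the new guard at the top of the function logs at RC_LOG_SERIOUS for every dropped packet, and its own comment notes the peer may not have authenticated, so repeated bogus requests can fill the log; consider rate-limiting this message or lowering its level. The guard also dereferences `pst` while the visible context only asserts `md != NULL`, so a matching `passert(pst != NULL)` would make the precondition explicit. Because the check sits above the `notify_name` and `exchange_type` assignments, the log line cannot say which notification or exchange was dropped; moving it below them and including both values would help triage.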
======================================================================
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
