CVE-2023-30570

pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.


Release date: Wednesday, May 3, 2023
Contact: [email protected]
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash libreswan
===========================================================================

This alert (and any updates) is available at the following URLs:
https://libreswan.org/security/CVE-2023-30570/

The Libreswan Project was notified by github user “XU-huai” of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.

Vulnerable versions : libreswan 3.28 - 4.10
Not vulnerable      : libreswan 3.0 - 3.27, 4.11+

Vulnerability information
=========================

When an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender re-uses the libreswan responder SPI, the pluto daemon state machine crashes. No remote code execution is possible.

Exploitation
============

This vulnerability requires that pluto is configured with at least one potentially matching IKEv1 Aggressive Mode connection. Per default, pluto only accepts IKEv2 packets. When IKEv1 is enabled, only Main Mode packets are accepted unless the connection is configured explicitly with aggressive=yes or via its older name aggrmode=yes.

When an IKEv1 Aggressive Mode connection is enabled, a malicious peer needs to send an IKEv1 Aggressive Mode packet with an unsupported algorithm, such as DH2. Then the malicious peer needs to be able to receive the reply so it can resend the packet with the received responder SPI added to cause the libreswan pluto daemon to crash and restart.

The vulnerable code has been in the code base since 2003 (then still named “openswan”) but only became reachable since an IKEv1 Aggressive Mode change that was introduced in libreswan 3.28.

Workaround
==========

IKEv1 Aggressive Mode connections could be converted to IKEv2 or IKEv1 Main Mode connections. If this is not feasible, patching or upgrading is the only other alternative.

History
=======

* 2003 Vulnerable code introduced in openswan-1.0.0 but unreachable
* 2022-04-25 IKEv1 Aggressive Mode change caused vulnerable code to be reachable
* 2023-03-16 Initial report via https://github.com/libreswan/libreswan/issues/1039
* 2023-04-16 Prerelease of CVE notification and patches to support customers
* 2023-05-03 Release of patch and libreswan 4.11

Credits
=======

This vulnerability was found and reported by github user XU-huai

Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.11 or later. For those who cannot upgrade, patches are provided at the above URL.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).

Patches
=======

Due to the size of the patch, it is not included inline to this advisory.
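The exposure condition and workaround in the advisory come down to two checks: is the installed version in the affected range, and does any connection enable Aggressive Mode. The following is an added example, not part of the advisory or of libreswan, that lists the `conn` sections of an ipsec.conf-style text whose effective setting is `aggressive=yes` (or `aggrmode=yes`), following `also=` and `conn %default`. It assumes `conn` headers at column 0 with indented `key=value` lines and does not follow `include` lines; the function names and the sample configuration are constructed.

```python
import re

def version_is_vulnerable(version):
    """True if 'major.minor[...]' lies in the advisory's range, 3.28 - 4.10."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return (3, 28) <= (int(m.group(1)), int(m.group(2))) <= (4, 10)

def parse_conns(text):
    """Return {conn_name: {key: [values]}}; aggrmode is folded into aggressive."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if not line[0].isspace():                     # any header at column 0
            current = conns.setdefault(header.group(1), {}) if header else None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = {"aggrmode": "aggressive"}.get(key.lower(), key.lower())
            current.setdefault(key, []).append(value.strip('"'))
    return conns

def effective(conns, name, key, seen=frozenset()):
    """A conn's own value, else the first one found via also= (cycle-safe)."""
    if name in seen or name not in conns:
        return None
    if key in conns[name]:
        return conns[name][key][-1]
    found = (effective(conns, p, key, seen | {name}) for p in conns[name].get("also", []))
    return next((v for v in found if v is not None), None)

def aggressive_conns(text):
    """Names of conns whose effective setting is aggressive=yes."""
    conns = parse_conns(text)
    default = effective(conns, "%default", "aggressive")
    return [n for n in conns if n != "%default"
            and (effective(conns, n, "aggressive") or default or "").lower() == "yes"]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
conn legacy-template
    aggrmode=yes
conn branch-office
    also=legacy-template
conn hq
    aggressive=no
"""
```

A host is exposed in the sense the advisory describes only when both checks are positive: `version_is_vulnerable(...)` is true and `aggressive_conns(...)` returns at least one connection.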

Related news

Red Hat Security Advisory 2023-3148-01

Red Hat Security Advisory 2023-3148-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as a virtual private network.

RHSA-2023:3148: Red Hat Security Advisory: libreswan security update

An update for libreswan is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2295: A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI...

RHSA-2023:3107: Red Hat Security Advisory: libreswan security update

An update for libreswan is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2295: A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI...

Red Hat Security Advisory 2023-2126-01

Red Hat Security Advisory 2023-2126-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as a virtual private network.

Red Hat Security Advisory 2023-2124-01

Red Hat Security Advisory 2023-2124-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as a virtual private network.

Red Hat Security Advisory 2023-2122-01

Red Hat Security Advisory 2023-2122-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as a virtual private network.

Red Hat Security Advisory 2023-2120-01

Red Hat Security Advisory 2023-2120-01 - Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as a virtual private network.

RHSA-2023:2124: Red Hat Security Advisory: libreswan security update

An update for libreswan is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30570: A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response ...

RHSA-2023:2121: Red Hat Security Advisory: libreswan security update

An update for libreswan is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30570: A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder S...

RHSA-2023:2120: Red Hat Security Advisory: libreswan security update

An update for libreswan is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30570: A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SP...
