NULL pointer dereference and pluto daemon restart in Libreswan 3.27 #246
Comments
This is #246 Signed-off-by: D. Hugh Redelmeier <hugh@mimosa.com>
|
Hi, we pushed a fix for this in commit 7142d2c. Would you be able to test this for us? |
|
Note an updated fix was pushed, including a test case to reproduce this. Will be in 3.28 |
|
Fixed and released in 3.28. Thanks for the report! |
|
btw, this seems to be CVE-2019-12312 |
|
On Mon, 3 Jun 2019, dkg wrote:
> btw, this seems to be CVE-2019-12312

Yes, I found out today someone issued a rogue CVE, and MITRE still doesn't bother contacting the vendor.

Paul
|
Which of the fixes are needed beyond 7142d2c? I've backported 7142d2c to 3.27 (see this patch), but I am concerned that there is some other subtle fix that I've missed. |
|
A patch along with the libreswan response to the CVE submitted will be published at https://libreswan.org/security/CVE-2019-12312/ shortly |
|
I've uploaded 3.27-5 to Debian with this patch |
|
For full information see https://libreswan.org/security/CVE-2019-12312/ |
Hello, I triggered a vulnerability while testing the Libreswan 3.27 IKEv2 server.
The pluto IKE daemon will restart (due to a NULL pointer dereference when built with NSS) when two IKEv2 packets, init_IKE and delete_IKE in 3des_cbc mode, are sent to the Libreswan server.
The detailed interaction is as follows:

1. First, send the first init_IKE message to the server.
2. The server replies with the init_IKE message to the client.
3. Then send a delete_IKE message (encrypted) to the server.
4. The server tries to respond INVALID_IKE_SPI to the client, but an exception occurs while preparing to encrypt the message.

#### detailed packets
Relevant log
My ipsec.conf
Looking forward to your reply, thank you.