abnormal TS payload causes pluto daemon to restart in libreswan 4.9 #954
Comments
|
I tried this and it looks like the problem has been fixed. Thank you very much!
|
|
This is apparently now known as CVE-2023-23009. 2aecf49 and 7ceef9a seem awfully verbose to fix this problem. Is there a more narrowly-targeted fix that can be applied to 4.9? Are versions before 4.9 vulnerable as well? The reporter suggests that versions 4.5 through 4.8 have also been tested and found vulnerable. It would be great to have a targeted fix that could be applied to older versions.
|
For example, is this a sufficient fix?

```diff
diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
index 3f7519ca38..f06c40ba46 100644
--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
&ts_h, sizeof(ts_h), &ts_body_pbs);
+ if (d != NULL) {
+ llog_diag(RC_LOG, logger, &d, "%s", "");
+ return false;
+ }
+
switch (ts_h.isath_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
case IKEv2_TS_IPV6_ADDR_RANGE:
```
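Review bot: the empty message in `llog_diag(RC_LOG, logger, &d, "%s", "")` means the only text reaching the log is whatever `pbs_in_struct()` put into the diagnostic, with nothing saying it came from traffic selector parsing; a short prefix such as `"traffic selector"` in place of `"%s", ""` would make the rejection easier to spot in pluto.log. The placement itself looks right: the early `return false` now runs before the `switch` on `ts_h.isath_type`, so the code that follows never sees a `ts_body_pbs` that `pbs_in_struct()` failed to set up, which is the uninitialised-sub-stream case the report describes. For backports, note that the thread says trees earlier than d7d415b lack `llog_diag()` and need `log_diag()` instead, so this hunk will not apply unchanged to v4.4 and earlier.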
|
Yes; my recollection is that the peer has to be authenticated for this code path to be reached.
|
On Wed, 22 Feb 2023, dkg wrote:
> This is apparently now known as CVE-2023-23009.
sigh
|
|
We're discussing this over at https://bugs.debian.org/1031821
For versions earlier than d7d415b in v4.4 I guess the patch needs to be different, using log_diag() instead. Worth mentioning as well in https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt ?
|
I’ll update the CVE text and patches
Sent using a virtual keyboard on a phone
On Mar 2, 2023, at 01:24, carnil wrote:
>
> For example, is this a sufficient fix?
>
> ```diff
> diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
> index 3f7519ca38..f06c40ba46 100644
> --- a/programs/pluto/ikev2_ts.c
> +++ b/programs/pluto/ikev2_ts.c
> @@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
> d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
> &ts_h, sizeof(ts_h), &ts_body_pbs);
>
> + if (d != NULL) {
> + llog_diag(RC_LOG, logger, &d, "%s", "");
> + return false;
> + }
> +
> switch (ts_h.isath_type) {
> case IKEv2_TS_IPV4_ADDR_RANGE:
> case IKEv2_TS_IPV6_ADDR_RANGE:
> ```
> For versions earlier than d7d415b in v4.4 I guess the patch needs to be different and using log_diag() instead.
> Worth mentioning as well in https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt ?
|
|
Updated announcement and patches are now published. Thanks
|
I'm looking at the patches published at https://libreswan.org/security/CVE-2023-23009/ and I think they are correct, but the diffs themselves are malformed (not machine-interpretable). In particular, the --- lines appear to have been subject to OpenPGP's Cleartext Signature Framework's escaping mechanism multiple times, or something like that. (Even the non-signed versions of the patches seem to be malformed in this way.) I've also noted that the OpenPGP signatures in them have divergent validation interpretations in different OpenPGP implementations. I'm not sure whether this has to do with confusions around escaping, or trailing newlines, or something else. I don't think there's anything specific that you need to do here at the moment -- you've published sufficient information for anyone downstream to fix the issue -- but just wanted to give you a heads-up that there's probably something in your toolchain that isn't working as intended.
|
On Fri, 3 Mar 2023, dkg wrote:
> I'm looking at the patches published at https://libreswan.org/security/CVE-2023-23009/ and i think they are correct, but the diffs themselves are
> malformed (not machine-interpretable). In particular, the --- lines appear to have been subject to OpenPGP's Cleartext Signature Framework's escaping
> mechanism multiple times, or something like that. (even the non-signed versions of the patches seem to be malformed in this way)
I made the mistake of recreating the updated patch files from the CVE
signed text, thus copying the mangling into the patches.
This has been fixed now.
|
|
Thanks, @letoams!
|
I just pushed the missing commit, so the tag should show now.
Hi, I found a bug in libreswan-4.9 which causes the pluto daemon to restart when several crafted IKEv2 messages are sent to the server.
Process
First, send a correct IKE_SA_INIT message and IKE_AUTH message so that the IPSEC_SA and CHILD_SA are established successfully.
Then, send a REKEY_CHILD_SA message with an incorrect TSi payload. Specifically, the Selector Length of the Traffic Selector needs to be a different value from the real length (smaller or larger, it doesn't matter). This will cause a crash when the server tries to parse this payload.
My conf
conn ikev2_test
My pluto.log for parsing the REKEY_CHILD_SA message
When parsing 1 traffic selectors, pluto restarts.
Related code in ikev2_ts.c
I think this is the code that causes the error. When parsing an incorrect TSi payload with a wrong selector length, pbs_in_struct returns early, so ts_body_pbs is not initialized.
I also tested several other versions; it seems to have the same problem in libreswan 4.5 - 4.8.
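The length check at the centre of this report, as an added example that is not libreswan code: a small bounds-checked parser for the IKEv2 Traffic Selector payload (RFC 7296 section 3.13; TS types 7 and 8 are the IPv4 and IPv6 address-range selectors) in which every Selector Length is validated against its own header size and against the bytes remaining in the payload before a body sub-stream is derived from it, which is the ordering the report says was missing. The `in_stream` type is written from scratch here and merely stands in for pluto's `pbs`; the sample payload and the length-tampering self-check are constructed inputs, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libreswan code: bounds-checked IKEv2 Traffic Selector
 * payload parser (RFC 7296 section 3.13) that validates every Selector Length
 * before deriving a body sub-stream from it. */
#define TS_HEADER_LEN 8       /* type(1) ipproto(1) length(2) start port(2) end port(2) */
#define TS_IPV4_ADDR_RANGE 7  /* TS Type values from RFC 7296 */
#define TS_IPV6_ADDR_RANGE 8

struct in_stream { const uint8_t *cur, *end; };   /* read cursor; stands in for pluto's pbs */

struct traffic_selector {
    uint8_t ts_type, ipproto, addr_len;           /* addr_len is 4 or 16 */
    uint16_t start_port, end_port;
    uint8_t start_addr[16], end_addr[16];
};

static size_t in_left(const struct in_stream *s) { return (size_t)(s->end - s->cur); }

static bool in_bytes(struct in_stream *s, void *out, size_t n)
{
    if (in_left(s) < n) return false;             /* never read past the buffer */
    memcpy(out, s->cur, n);
    s->cur += n;
    return true;
}

static bool in_u16(struct in_stream *s, uint16_t *v)
{
    uint8_t b[2];
    if (!in_bytes(s, b, 2)) return false;
    *v = (uint16_t)((b[0] << 8) | b[1]);          /* network byte order */
    return true;
}

/* Parse one TS substructure; false on any inconsistency. On success the outer
 * stream has been advanced past the whole selector. */
static bool parse_one_ts(struct in_stream *s, struct traffic_selector *ts)
{
    uint16_t selector_len;
    if (!in_bytes(s, &ts->ts_type, 1) || !in_bytes(s, &ts->ipproto, 1) ||
        !in_u16(s, &selector_len) ||
        !in_u16(s, &ts->start_port) || !in_u16(s, &ts->end_port))
        return false;                             /* header truncated */

    /* Selector Length counts the header too: it can be neither shorter than the
     * header nor longer than what is left of the payload. Both the "smaller"
     * and the "larger" case from the report are rejected here. */
    if (selector_len < TS_HEADER_LEN) return false;
    size_t body_len = selector_len - TS_HEADER_LEN;
    if (in_left(s) < body_len) return false;

    struct in_stream body = { s->cur, s->cur + body_len };   /* safe only after the checks above */
    s->cur += body_len;

    switch (ts->ts_type) {
    case TS_IPV4_ADDR_RANGE: ts->addr_len = 4; break;
    case TS_IPV6_ADDR_RANGE: ts->addr_len = 16; break;
    default: return false;                        /* unknown TS type */
    }
    if (body_len != (size_t)ts->addr_len * 2) return false;   /* body does not match type */
    return in_bytes(&body, ts->start_addr, ts->addr_len) &&
           in_bytes(&body, ts->end_addr, ts->addr_len);
}

/* Parse a TS payload body (after the generic payload header). Returns the
 * number of selectors parsed, or -1 if anything is malformed. */
int parse_ts_payload(const uint8_t *buf, size_t len, struct traffic_selector *out, size_t max_out)
{
    struct in_stream s = { buf, buf + len };
    uint8_t count, reserved[3];
    if (!in_bytes(&s, &count, 1) || !in_bytes(&s, reserved, 3)) return -1;
    if (count == 0 || count > max_out) return -1;
    for (size_t i = 0; i < count; i++)
        if (!parse_one_ts(&s, &out[i])) return -1;
    return in_left(&s) == 0 ? (int)count : -1;    /* trailing bytes are an error too */
}

/* Constructed sample: one IPv4 selector, any protocol, all ports, 10.0.0.0-10.0.0.255. */
static const uint8_t sample_ts[] = {
    1, 0, 0, 0,                                   /* number of TSs = 1, reserved */
    TS_IPV4_ADDR_RANGE, 0, 0x00, 0x10,            /* type, ipproto, Selector Length = 16 (bytes 6-7) */
    0x00, 0x00, 0xff, 0xff,                       /* start port, end port */
    10, 0, 0, 0, 10, 0, 0, 255,                   /* start address, end address */
};
struct traffic_selector parsed[4];                /* output area for the checks below */

/* Self-check of the rejection path: re-parse the sample with another Selector Length. */
int parse_with_selector_len(uint16_t selector_len)
{
    uint8_t buf[sizeof sample_ts];
    memcpy(buf, sample_ts, sizeof buf);
    buf[6] = (uint8_t)(selector_len >> 8);
    buf[7] = (uint8_t)selector_len;
    return parse_ts_payload(buf, sizeof buf, parsed, 4);
}
```

`parse_with_selector_len(16)` parses the sample cleanly and returns 1; 12 (shorter than the real body) and 64 (longer than the payload) both return -1, as does 4 (shorter than the header itself). The reason both directions fail safely is the same: the body sub-stream is only created after the length has been proven consistent, so a failed read leaves nothing half-initialised for later code to consume.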