
Release date: Monday, August 8, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart
===========================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2023-38712/

The Libreswan Project was notified by "X1AOxiang" of an issue where
receiving a malformed IKEv1 Delete/Notify packet would cause a crash
and restart of the libreswan pluto daemon. When such packets are sent
continuously, this could lead to a denial of service attack.

Severity: Medium
Vulnerable versions : libreswan 3.00 - 4.11
Not vulnerable      : libreswan 4.12+

Vulnerability information
=========================
When an IKEv1 ISAKMP SA Informational Exchange packet contains a
Delete/Notify payload followed by further Notifies that act on the ISAKMP
SA, such as a duplicated Delete/Notify message, a null pointer dereference
on the deleted state causes the pluto daemon to crash and restart.
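The failure pattern described above, as an added illustration written for this page (it is not libreswan's pluto code; the handler, payload and SA names are invented, and the exchange it processes is constructed). A single Informational exchange carries a Delete followed by another payload that acts on the same ISAKMP SA; the unchecked handler keeps walking the payload list after the state is gone, while the checked handler stops at the Delete so nothing later can touch the missing state. The dereference of the deleted SA is reported as an outcome code rather than performed, so the example runs to completion.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the bug class in this advisory, not libreswan code.
 * All identifiers below are invented for the example. */

enum payload_type { PAYLOAD_DELETE, PAYLOAD_NOTIFY };
struct payload { enum payload_type type; };
struct ike_sa { int id; int notify_count; };

enum handle_result {
    HANDLED_OK = 0,               /* every payload processed against a live SA */
    HANDLED_STOPPED_AFTER_DELETE, /* SA deleted; remaining payloads ignored   */
    HANDLED_WOULD_CRASH           /* a payload tried to use the deleted SA    */
};

static struct ike_sa *new_sa(int id)
{
    struct ike_sa *sa = calloc(1, sizeof *sa);
    if (sa != NULL)
        sa->id = id;
    return sa;
}

/* Delete the SA and clear the caller's slot so nothing can find it again. */
static void delete_sa(struct ike_sa **slot)
{
    free(*slot);
    *slot = NULL;
}

/* Vulnerable shape: keeps walking the payload list after the Delete. In the
 * real bug the following Notify dereferences the deleted state; here that
 * step returns HANDLED_WOULD_CRASH instead of touching the NULL pointer. */
static enum handle_result handle_unchecked(struct ike_sa **slot,
                                           const struct payload *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct ike_sa *sa = *slot;        /* NULL once the SA was deleted */
        switch (p[i].type) {
        case PAYLOAD_DELETE:
            delete_sa(slot);
            break;
        case PAYLOAD_NOTIFY:
            if (sa == NULL)
                return HANDLED_WOULD_CRASH; /* sa->notify_count++ would fault */
            sa->notify_count++;
            break;
        }
    }
    return HANDLED_OK;
}

/* Hardened shape: a Delete ends processing of the exchange, so a repeated
 * Delete or any later payload is never evaluated against the missing state. */
static enum handle_result handle_checked(struct ike_sa **slot,
                                         const struct payload *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct ike_sa *sa = *slot;
        if (sa == NULL)
            return HANDLED_STOPPED_AFTER_DELETE;
        switch (p[i].type) {
        case PAYLOAD_DELETE:
            delete_sa(slot);
            return (i + 1 < n) ? HANDLED_STOPPED_AFTER_DELETE : HANDLED_OK;
        case PAYLOAD_NOTIFY:
            sa->notify_count++;
            break;
        }
    }
    return HANDLED_OK;
}

/* Constructed exchange: a Delete followed by a payload acting on the same SA. */
static const struct payload delete_then_notify[] = {
    { PAYLOAD_DELETE }, { PAYLOAD_NOTIFY }
};

enum handle_result demo_unchecked(void)
{
    struct ike_sa *sa = new_sa(1);
    enum handle_result r = handle_unchecked(&sa, delete_then_notify, 2);
    delete_sa(&sa);                        /* no-op if already deleted */
    return r;
}

enum handle_result demo_checked(void)
{
    struct ike_sa *sa = new_sa(2);
    enum handle_result r = handle_checked(&sa, delete_then_notify, 2);
    delete_sa(&sa);
    return r;
}

int main(void)
{
    printf("unchecked handler: %d (2 = would crash)\n", demo_unchecked());
    printf("checked handler:   %d (1 = stopped after delete)\n", demo_checked());
    return 0;
}
```

The design point is that deletion must be terminal for the exchange being processed: once the state an exchange refers to is gone, the only safe continuation is to stop, regardless of how many further payloads the peer packed into the same message.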

Exploitation
============
IKEv1 Delete/Notify requests are only processed when received from authenticated
peers, limiting the scope of possible attackers to peers who have successfully
authenticated.

Workaround
==========
There are no workarounds; please apply the supplied patches or upgrade.

History
=======
* 2013 Vulnerable code was present in the first release of libreswan, 3.0
       (likely the same vulnerability exists in all openswan versions)
* 2023-06-07 Report received via Red Hat
* 2023-07-19 Prerelease of CVE notification and patches to support customers
* 2023-08-04 Release of patch and libreswan 4.12

Credits
=======
This vulnerability was found and reported by X1AOxiang to Red Hat. Thanks to
Daiki Ueno for contacting the Libreswan Project.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 4.12 or later.
For those who cannot upgrade, patches are provided at the above URL.


About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).

Patches
=======
Due to the size of the patches, they are not included inline in this advisory,
but are available at https://libreswan.org/security/CVE-2023-38712/
