-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Release date: Wednesday, May 3, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash libreswan
===========================================================================

This alert (and any updates) are available at the following URLs:
https://libreswan.org/security/CVE-2023-30570/

The Libreswan Project was notified by github user "XU-huai" of an
issue with receiving a malformed IKEv1 Aggressive Mode packet that
would cause a crash and restart of the libreswan pluto daemon. When
sent continuously, this could lead to a denial of service attack.

Vulnerable versions : libreswan 3.28 - 4.10
Not vulnerable      : libreswan 3.0 - 3.27, 4.11+

Vulnerability information
=========================
When an IKEv1 Aggressive Mode packet is received with only unacceptable
crypto algorithms, the response packet is not sent with a zero responder
SPI. When a subsequent packet is received where the sender re-uses the
libreswan responder SPI, the pluto daemon state machine crashes. No
remote code execution is possible.

Exploitation
============
This vulnerability requires that pluto is configured with at least one
potentially matching IKEv1 Aggressive Mode connection. Per default,
pluto only accepts IKEv2 packets. When IKEv1 is enabled, only Main Mode
packets are accepted unless the connection is configured explicitely
with aggressive=yes or via its older name aggrmode=yes.

When an IKEv1 Aggressive Mode connection is enabled, a malicious peer
needs to send an IKEv1 Aggressive Mode packet with an unsupported
algorithm, such as DH2.  Then the malicious peer needs to be able to
receive the reply so it can resend the packet with the received responder
SPI added to cause the libreswan pluto daemon to crash and restart.

The vulnerable code has been in the code base since 2003 (then still
named "openswan") but only became reachable since an IKEv1 Aggressive
Mode change that was introduced in libreswan 3.28.

Workaround
==========
IKEv1 Aggressive Mode connections could be converted to IKEv2 or IKEv1 Main Mode
connections. If this is not feasable, patching or upgrading is the only other
alternative.

History
=======
* 2003 Vulnerable code introduced in openswan-1.0.0 but unreachable
* 2022-04-25 IKEv1 Aggresive Mode change caused vulnerable code to be reachable
* 2023-03-16 Initial report via https://github.com/libreswan/libreswan/issues/1039
* 2023-04-16 Prerelease of CVE notification and patches to support customers
* 2023-05-03 Release of patch and libreswan 4.11

Credits
=======
This vulnerability was found and reported by github user XU-huai

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 4.11 or later.
For those who cannot upgrade, patches are provided at the above URL.


About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).

Patches
=======
Due to the size of the patch, it is not included inline to this advisory.
-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmRSzNYTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Z88D/9YuPoEvk7cMrSN7jV0z9liNiAR/gYB
gj8CjXkIw4mNaQIcpvhArlFMYov0MXh+nOJDiALx6/dsb6nvgzg/vvVOSU5jSRtg
cEC8STA/rvLRSlj5mChKNAayVUmSgOxSg4AFr6zvG+/iQzC3vT2mlmwLXVKw5F+n
Nn00Ov1EklqCRlSBUYhuKY2zyhRfxPajZW9s8VcKiUs36qzTjjp/EsUTln3uNHk4
nFIL+6cxEkUIVKtfZVpoB/zLg73tsnUEAdKeXl0H3BqLLohrbkPNEYh7HZsxrD1v
g8Z/omf41wfN9p/JJkMK84qN55Nis90TiU5esf4gnl0vOf1dH4vMd7a082ee07UC
wPeDL2zpxviIGdnFFzXOnlj88Xa7FsAcB7XU5wcpQcN9GFn8YbiSQvRbKFrrmpNf
10JXYPbMTze8QdrXI4E6mXGbgs9i4BxqYNrSFv0Xuyth+LSAL499adH+SZcG0kc2
XiQ1ZmGqBtQg68CPUdhuP1C4mixwTZ6wJQOyZlagebTDgJVPx52aSYAqoeakTzJ5
YpnVsYBbZXRZTvRasR9sdLp6ZiIzmIy3TF40GwoKvVWKburAaLp53FW2/s5Tvb5G
BzlFcusnGd4xteUQklfOow4NJZZxUlEljQgu+yKZaNziYngaFwsy/shfM3STNlth
1mSorpVmVanqiw==
=DgY+
-----END PGP SIGNATURE-----
