
Release date: Monday, August 8, 2023
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

===========================================================================
CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart
===========================================================================

This alert (and any patch files and updates) are available at:
https://libreswan.org/security/CVE-2023-38711/

The Libreswan Project was notified by "X1AOxiang" of an issue where
receiving a malformed IKEv1 Quick Mode packet causes the libreswan pluto
daemon to crash and restart. If such packets are sent continuously, this
amounts to a denial of service against the IKE daemon.

Severity: Medium
Vulnerable versions : libreswan 4.6 - 4.11
Not vulnerable      : libreswan 3.0 - 4.5, 4.12+

Vulnerability information
=========================
When an IKEv1 Quick Mode connection is configured with an ID_IPV4_ADDR or
ID_IPV6_ADDR identity and receives an IDcr payload of type ID_FQDN, a
null pointer dereference crashes the pluto daemon, which then restarts.
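The following is an added illustration of the bug class, not libreswan's
code: a generic parser for the IKEv1 Identification payload (generic payload
header plus ID type, protocol ID and port, as laid out in RFC 2408 section 3.8
and RFC 2407 section 4.6.2), an address lookup that returns NULL for
non-address ID types such as ID_FQDN, a caller in the vulnerable shape
(dereferencing the lookup result without checking it), and a hardened check
that compares the received ID type against the configured selector before any
address conversion. All function and struct names, and the two sample IDcr
payloads, are constructed for this example.

```c
/* Added example (not libreswan code): validate an IKEv1 Identification
 * payload against the configured selector before treating it as an address.
 * Layout per RFC 2408 s3.8 / RFC 2407 s4.6.2; names are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPsec DOI identification types (RFC 2407 section 4.6.2.1). */
enum id_type {
    ID_IPV4_ADDR = 1, ID_FQDN = 2, ID_USER_FQDN = 3,
    ID_IPV4_ADDR_SUBNET = 4, ID_IPV6_ADDR = 5, ID_IPV6_ADDR_SUBNET = 6,
};

struct id_payload {
    uint8_t  id_type;
    uint8_t  protocol_id;
    uint16_t port;
    const uint8_t *data;   /* identification data, points into the input */
    size_t   data_len;
};

#define ID_HDR_LEN 8   /* generic header (4) + ID type/proto/port (4) */

/* Parse one ID payload. Returns 0 on success, -1 if the buffer is shorter
 * than the header or the length field does not fit inside the buffer. */
int parse_id_payload(const uint8_t *buf, size_t len, struct id_payload *out)
{
    if (buf == NULL || out == NULL || len < ID_HDR_LEN) return -1;
    uint16_t plen = (uint16_t)((buf[2] << 8) | buf[3]);
    if (plen < ID_HDR_LEN || plen > len) return -1;
    out->id_type = buf[4];
    out->protocol_id = buf[5];
    out->port = (uint16_t)((buf[6] << 8) | buf[7]);
    out->data = buf + ID_HDR_LEN;
    out->data_len = plen - ID_HDR_LEN;
    return 0;
}

/* What the Quick Mode connection was configured to expect from the peer. */
struct selector { uint8_t id_type; uint8_t addr[16]; size_t addr_len; };

struct ip_address { size_t len; const uint8_t *bytes; };

/* Fixed identification-data length for address types; 0 for the rest. */
static size_t addr_len_for(uint8_t t)
{
    switch (t) {
    case ID_IPV4_ADDR:        return 4;
    case ID_IPV6_ADDR:        return 16;
    case ID_IPV4_ADDR_SUBNET: return 8;    /* address + mask */
    case ID_IPV6_ADDR_SUBNET: return 32;
    default:                  return 0;    /* ID_FQDN etc.: not an address */
    }
}

/* Address view of an ID payload, or NULL when the ID is not an address
 * (static storage keeps the example short; it is not re-entrant). */
static const struct ip_address *addr_from_id(const struct id_payload *p)
{
    static struct ip_address a;
    size_t need = addr_len_for(p->id_type);
    if (need == 0 || p->data_len != need) return NULL;   /* ID_FQDN lands here */
    a.len = need;
    a.bytes = p->data;
    return &a;
}

/* Vulnerable shape: the caller trusts the lookup and dereferences its result.
 * Passing an ID_FQDN payload here dereferences NULL at a->len. */
int unsafe_id_matches(const struct id_payload *p, const struct selector *want)
{
    const struct ip_address *a = addr_from_id(p);
    return a->len == want->addr_len && memcmp(a->bytes, want->addr, a->len) == 0;
}

enum id_result { ID_MATCH = 0, ID_TYPE_MISMATCH, ID_BAD_LENGTH, ID_DATA_MISMATCH };

/* Hardened shape: reject an unexpected ID type before converting anything,
 * and treat a NULL lookup as a protocol error rather than a valid address. */
enum id_result check_peer_id(const struct id_payload *p, const struct selector *want)
{
    if (p->id_type != want->id_type) return ID_TYPE_MISMATCH;
    const struct ip_address *a = addr_from_id(p);
    if (a == NULL) return ID_BAD_LENGTH;
    if (a->len != want->addr_len || memcmp(a->bytes, want->addr, a->len) != 0)
        return ID_DATA_MISMATCH;
    return ID_MATCH;
}

/* Parse then check one raw payload; a parse failure is reported as bad length. */
enum id_result check_bytes(const uint8_t *buf, size_t len, const struct selector *want)
{
    struct id_payload p;
    if (parse_id_payload(buf, len, &p) != 0) return ID_BAD_LENGTH;
    return check_peer_id(&p, want);
}

/* Constructed sample IDcr payloads: next payload 0, reserved 0, length. */
static const uint8_t idcr_fqdn[] = {          /* ID_FQDN "vpn.example.com" */
    0x00, 0x00, 0x00, 0x17, ID_FQDN, 0x00, 0x00, 0x00,
    'v','p','n','.','e','x','a','m','p','l','e','.','c','o','m',
};
static const uint8_t idcr_ipv4[] = {          /* ID_IPV4_ADDR 192.0.2.1 */
    0x00, 0x00, 0x00, 0x0c, ID_IPV4_ADDR, 0x00, 0x00, 0x00, 192, 0, 2, 1,
};
/* Connection configured with ID_IPV4_ADDR 192.0.2.1 for the peer. */
static const struct selector want_ipv4 = { ID_IPV4_ADDR, {192, 0, 2, 1}, 4 };

int main(void)
{
    printf("FQDN against IPv4 selector: %d (ID_TYPE_MISMATCH=%d)\n",
           check_bytes(idcr_fqdn, sizeof idcr_fqdn, &want_ipv4), ID_TYPE_MISMATCH);
    printf("IPv4 against IPv4 selector: %d (ID_MATCH=%d)\n",
           check_bytes(idcr_ipv4, sizeof idcr_ipv4, &want_ipv4), ID_MATCH);
    return 0;
}
```

The point of the hardened path is ordering: the ID type comparison happens
before any code that assumes the identity is an address, and a lookup that
can return NULL is checked at every call site, so a peer sending an ID_FQDN
where the connection expects an address gets a rejected Quick Mode exchange
rather than a daemon restart.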

Exploitation
============
IKEv1 Quick Mode (Phase 2) requests are only processed under an established
ISAKMP SA, so they are only accepted from peers that have already completed
Phase 1 authentication. This limits the scope of possible attackers to
successfully authenticated peers.

Workaround
==========
There is no workaround, although in general IKEv1 users are advised to
migrate to IKEv2 (see also RFC 9395, Deprecation of the Internet Key
Exchange Version 1 (IKEv1) and Obsoleted Algorithms).
Please apply the supplied patches or upgrade.

History
=======
* 2021-10-09 Vulnerable code introduced in libreswan 4.6
* 2023-06-18 Report received via https://github.com/libreswan/libreswan/issues/1172
* 2023-07-19 Prerelease of CVE notification and patches to support customers
* 2023-08-04 Updated patch based on feedback by Wolfgang Nothdurft <wolfgang@linogate.de>
* 2023-08-04 Release of patch and libreswan 4.12

Credits
=======
This vulnerability was found and reported by X1AOxiang.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 4.12 or later.
For those who cannot upgrade, patches are provided at the above URL.


About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).

Patches
=======
Due to its size, the patch is not included inline in this advisory; it is
available at https://libreswan.org/security/CVE-2023-38711/

