Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.3-1+deb11u4 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bullseye with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the linux kernel over open network policies, and this
isn't possible on debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been agregated and adapted from
https://libreswan.org/security/CVE-2023-30570/ Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I'll be uploading an update to 4.10 for a bookworm point release
shortly as well.
diff -Nru libreswan-4.3/debian/changelog libreswan-4.3/debian/changelog
--- libreswan-4.3/debian/changelog      2023-03-03 08:34:50.000000000 -0500
+++ libreswan-4.3/debian/changelog      2023-06-01 16:14:59.000000000 -0400
@@ -1,3 +1,9 @@
+libreswan (4.3-1+deb11u4) bullseye; urgency=medium
+
+  * Resolve CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 01 Jun 2023 16:14:59 
-0400
+
 libreswan (4.3-1+deb11u3) bullseye-security; urgency=high
 
   * use upstream patch for 4.2 and 4.3
diff -Nru libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch 
libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch
--- libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch      
1969-12-31 19:00:00.000000000 -0500
+++ libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch      
2023-06-01 16:14:59.000000000 -0400
@@ -0,0 +1,140 @@
+From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
+Date: Thu, 1 Jun 2023 16:12:50 -0400
+Subject: Resolve CVE-2023-30570
+
+see https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
+
+This patch was ported from
+https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570-libreswan-4.x.patch
+---
+ programs/pluto/ikev1.c      | 60 ++++++++++++++++++++++++++++++++++++++++++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 60 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index 2a06c2c..bb6c7be 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1249,10 +1249,20 @@ void process_v1_packet(struct msg_digest *md)
+       struct state *st = NULL;
+       enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++      /*
++       * For the initial responses, don't leak the responder's SPI.
++       * Hence the use of send_v1_notification_from_md().
++       *
++       * AGGR mode is a mess in that the R0->R1 transition happens
++       * well before the transition succeeds.
++       */
+ #define SEND_NOTIFICATION(t)                                          \
+       {                                                               \
+               pstats(ikev1_sent_notifies_e, t);                       \
+-              if (st != NULL)                                         \
++              if (st != NULL &&                                       \
++                  st->st_state->kind != STATE_AGGR_R0 &&              \
++                  st->st_state->kind != STATE_AGGR_R1 &&              \
++                  st->st_state->kind != STATE_MAIN_R0)                \
+                       send_notification_from_state(st, from_state, t); \
+               else                                                    \
+                       send_notification_from_md(md, t);               \
+@@ -1322,17 +1332,26 @@ void process_v1_packet(struct msg_digest *md)
+                       from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
+                                     STATE_MAIN_R0 : STATE_AGGR_R0);
+               } else {
+-                      /* not an initial message */
++                      /*
++                       * Possibly not an initial message.  Possibly
++                       * from initiator.  Possibly from responder.
++                       *
++                       * Possibly.  Which is probably hopeless.
++                       */
+ 
+                       st = find_state_ikev1(&md->hdr.isa_ike_spis,
+                                             md->hdr.isa_msgid);
+ 
+                       if (st == NULL) {
+                               /*
+-                               * perhaps this is a first message
++                               * Perhaps this is a first message
+                                * from the responder and contains a
+                                * responder cookie that we've not yet
+                                * seen.
++                               *
++                               * Perhaps this is a random message
++                               * with a bogus non-zero responder IKE
++                               * SPI.
+                                */
+                               st = 
find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi,
+                                                          md->hdr.isa_msgid);
+@@ -1343,6 +1362,21 @@ void process_v1_packet(struct msg_digest *md)
+                                       /* XXX Could send notification back */
+                                       return;
+                               }
++                              if (st->st_state->kind == STATE_AGGR_R0) {
++                                      /*
++                                       * The only way for this to
++                                       * happen is for the attacker
++                                       * to guess the responder's
++                                       * IKE SPI that hasn't been
++                                       * sent over the wire?
++                                       *
++                                       * Well that or played 1/2^32
++                                       * odds.
++                                       */
++                                      log_pexpect(HERE,
++                                                   "phase 1 message matching 
AGGR_R0 state");
++                                      return;
++                              }
+                       }
+                       from_state = st->st_state->kind;
+               }
+@@ -3027,6 +3061,26 @@ void complete_v1_state_transition(struct state *st, 
struct msg_digest *md, stf_s
+                       delete_state(st);
+                       /* wipe out dangling pointer to st */
+                       md->st = NULL;
++              } else if  (st->st_state->kind == STATE_AGGR_R0 ||
++                          st->st_state->kind == STATE_AGGR_R1 ||
++                          st->st_state->kind == STATE_MAIN_R0) {
++                      /*
++                       *
++                       * Wipe out the incomplete larval state.
++                       *
++                       * ARGH! In <=v4.10, the aggr code flipped the
++                       * larval state to R1 right at the start of
++                       * the transition and not the end, so using
++                       * state to figure things out is close to
++                       * useless.
++                       *
++                       * Deleting the state means that pluto has no
++                       * way to detect and ignore amplification
++                       * attacks.
++                       */
++                      delete_state(st);
++                      /* wipe out dangling pointer to st */
++                      md->st = NULL;
+               }
+               break;
+       }
+diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c
+index 98f6ba8..d4cb115 100644
+--- a/programs/pluto/ikev1_aggr.c
++++ b/programs/pluto/ikev1_aggr.c
+@@ -161,7 +161,7 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED,
+       struct ike_sa *ike = new_v1_rstate(c, md);
+       struct state *st = &ike->sa;
+       md->st = st;  /* (caller will reset cur_state) */
+-      change_state(st, STATE_AGGR_R1);
++      change_state(st, STATE_AGGR_R0);
+ 
+       /* warn for especially dangerous Aggressive Mode and PSK */
+       if (LIN(POLICY_PSK, c->policy) && LIN(POLICY_AGGRESSIVE, c->policy)) {
+@@ -178,7 +178,8 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED,
+ 
+       if (!v1_decode_certs(md)) {
+               log_state(RC_LOG, st, "X509: CERT payload bogus or revoked");
+-              return false;
++                /* XXX notification is in order! */
++              return STF_FAIL + INVALID_ID_INFORMATION;
+       }
+ 
+       /*
diff -Nru libreswan-4.3/debian/patches/series 
libreswan-4.3/debian/patches/series
--- libreswan-4.3/debian/patches/series 2023-03-03 08:30:19.000000000 -0500
+++ libreswan-4.3/debian/patches/series 2023-06-01 16:13:36.000000000 -0400
@@ -2,3 +2,4 @@
 0002-debian-pam.d-pluto.patch
 CVE-2022-23094.patch
 CVE-2023-23009-libreswan-4.2-4.3.patch
+0005-Resolve-CVE-2023-30570.patch

Reply via email to