Release date: Monday, March 11, 2024
Contact: security@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

==================================================================
CVE-2024-2357: Missing PreSharedKey for connection can cause crash
==================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2024-2357

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a Denial of Service.

Severity: Medium
Vulnerable versions: libreswan 4.2 - 4.12
Not vulnerable: libreswan 4.1, 4.13+, 5.0+

Vulnerability information
=========================

When an IKEv2 state failed to find its own PreSharedKey (secret) to create the AUTH payload in the IKE_AUTH exchange, it would omit sending a packet but would not delete the state. When this state was referenced later, it would cause an assertion failure, crashing and restarting the pluto daemon.

Exploitation
============

There is no known exploitation. A peer cannot cause this error to happen: even if a peer changed its ID so that no PSK could be found, the connection fails properly at an earlier stage. The vulnerability can only be triggered by a misconfiguration locally.
Workaround
==========

As a workaround to prevent such a misconfiguration from causing the crash, one can place an unguessably long random "catch all" secret in /etc/ipsec.secrets, for example using the following command:

echo -e "# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"" >> /etc/ipsec.secrets

This ensures a PSK secret is always found, but since it will always be wrong, authentication will still properly fail.

History
=======

* 08-02-2024 https://github.com/libreswan/libreswan/issues/1609 reported
* 14-02-2024 Workaround posted in the github issue
* 15-02-2024 Fix published (as the issue was already public via the github issue)
* 10-03-2024 Advance notice given to supported customers and distributions
* 11-03-2024 Public announcement and release of 4.13 and 5.0

Credits
=======

This vulnerability was found and reported by Andrew Vaughn.

Upgrading
=========

To address this vulnerability, please upgrade to libreswan 4.13 or later, or libreswan 5.0 or later.

About libreswan (https://libreswan.org/)
========================================

Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).

Patches
=======

For those who cannot upgrade, the patch below can be applied. This patch is also available at:
https://github.com/libreswan/libreswan/commit/cb9e1047d33fde695d63a95854c2bc2470a476c8.patch

diff --git a/programs/pluto/ikev2_auth.c b/programs/pluto/ikev2_auth.c
index ad5e3b5ede..fe75d6ea37 100644
- --- a/programs/pluto/ikev2_auth.c
+++ b/programs/pluto/ikev2_auth.c
@@ -862,7 +862,7 @@ stf_status submit_v2AUTH_generate_initiator_signature(struct ike_sa *ike, struct
                                                       &signed_octets);
        if (d != NULL) {
                llog_diag(RC_LOG_SERIOUS, ike->sa.logger, &d, "%s", "");
- -             return false;
+               return STF_FATAL;
        }
 
        if (DBGP(DBG_CRYPT)) {
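Review bot: the removed `return false;` is a return type mismatch, since `submit_v2AUTH_generate_initiator_signature` returns `stf_status`, so `false` was silently converted to whichever `stf_status` enumerator has the value 0 instead of signalling an error, and the caller kept the IKE SA alive after the AUTH payload could not be built (the missing-secret case the advisory describes). `return STF_FATAL;` makes the failure explicit so the state machine can tear the state down, which is the right fix; worth checking that no other error path in this function or its responder counterpart still returns a bool, and adding a regression test with authby=secret and no matching secret that asserts the SA is deleted and pluto keeps running. Note for anyone applying it from this advisory: the hunk as quoted carries PGP clearsign dash-escaping (`- ---` and `- -             return false;`), so apply the linked .patch URL rather than this copy.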
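The catch-all PSK entry from the Workaround section, as an added example that is not part of the advisory or of libreswan itself: it appends the entry only once (re-running the advisory's one-liner would stack secrets), uses printf rather than the non-POSIX `echo -e`, and checks whether a MAJOR.MINOR version falls in the affected 4.2 - 4.12 range. The function names are my own and the secrets file path is a parameter so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example for the CVE-2024-2357 workaround (not libreswan project code).
# Function names are hypothetical; the secrets file path is passed in.
set -u

# 32 random bytes as hex; falls back to /dev/urandom if openssl is absent.
random_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# A line of the form ': PSK "..."' has no ID selectors, so pluto finds it
# whenever no more specific secret matches. Prints 0 for a missing file.
count_catchall_psk() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec '^:[[:space:]]+PSK[[:space:]]' "$1" || true
}

# Append the catch-all entry unless one is already present. The value is
# random, so it never matches a peer: authentication still fails properly,
# but the missing-secret code path that crashed pluto is no longer reached.
add_catchall_psk() {
    secrets=$1
    if [ "$(count_catchall_psk "$secrets")" -gt 0 ]; then
        echo "catch-all PSK already present in $secrets" >&2
        return 0
    fi
    printf '# CVE-2024-2357 workaround\n: PSK "%s"\n' "$(random_hex)" >> "$secrets"
    chmod 600 "$secrets"
}

# Exit 0 if MAJOR.MINOR is in the affected range 4.2 - 4.12 from the advisory.
is_affected_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -eq 4 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 12 ]
}

# Usage: sh cve-2024-2357-workaround.sh [/etc/ipsec.secrets]
if [ -n "${1-}" ]; then
    add_catchall_psk "$1"
    echo "now reload secrets with: ipsec rereadsecrets" >&2
fi
```

Pluto only reads /etc/ipsec.secrets at startup or on `ipsec rereadsecrets`, so the entry takes effect after that reload; remove it again once the host runs 4.13 or 5.0.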