Bug 16042

Summary: ipsec-tools new security issue CVE-2015-4047
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tarazed25
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/645928/
Whiteboard: has_procedure advisory mga4-64-ok mga4-32-ok
Source RPM: ipsec-tools-0.8.1-2.mga4.src.rpm

Description David Walser 2015-05-26 21:08:52 CEST
Debian has issued an advisory on May 23:
https://www.debian.org/security/2015/dsa-3272

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ipsec-tools packages fix security vulnerability:

Javantea discovered a NULL pointer dereference flaw in racoon, the Internet Key
Exchange daemon of ipsec-tools. A remote attacker can use this flaw to cause
the IKE daemon to crash via specially crafted UDP packets, resulting in a
denial of service (CVE-2015-4047).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4047
https://www.debian.org/security/2015/dsa-3272
========================

Updated packages in core/updates_testing:
========================
ipsec-tools-0.8.1-2.1.mga4
libipsec0-0.8.1-2.1.mga4
libipsec-devel-0.8.1-2.1.mga4

from ipsec-tools-0.8.1-2.1.mga4.src.rpm

Comment 1 Len Lawrence 2015-06-04 23:35:11 CEST
Installed old versions for x86_64.
Enabled core updates testing and installed 

ipsec-tools-0.8.1-2.1.mga4
libipsec0-0.8.1-2.1.mga4
libipsec-devel-0.8.1-2.1.mga4

ipsec-tools supplies setkey, racoon and racoonctl, which need to be run as root, I think.  Config files appear in /etc/racoon.
setkey
    Tool to manipulate and dump the kernel Security Policy Database (SPD) and Security Association Database (SAD).
racoon
    Internet Key Exchange (IKE) daemon for automatically keying IPsec connections.
racoonctl
    A shell-based control tool for racoon

[root@belexeuli racoon]# ls
certs/  psk.txt  racoon.conf
[root@belexeuli racoon]# cat psk.txt
# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
#
#  10.1.1.1		flibbertigibbet
#  www.example.com      12345
#  foo@www.example.com  micropachycephalosaurus
[root@belexeuli racoon]# ps aux | grep racoon

[root@belexeuli racoon]# racoonctl -V
racoonctl: invalid option -- 'V'
Usage:
  racoonctl [opts] reload-config
  racoonctl [opts] show-schedule
  racoonctl [opts] show-sa [protocol]
  racoonctl [opts] flush-sa [protocol]
  racoonctl [opts] delete-sa <saopts>
  racoonctl [opts] establish-sa [-u identity] [-n remoteconf] [-w] <saopts>
  racoonctl [opts] vpn-connect [-u identity] vpn_gateway
  racoonctl [opts] vpn-disconnect vpn_gateway
  racoonctl [opts] show-event
  racoonctl [opts] logout-user login

General options:
  -d		Debug: hexdump admin messages before sending
  -l		Increase output verbosity (mainly for show-sa)
  -s <socket>	Specify adminport socket to use (default: /var/lib/racoon/racoon.sock)

Parameter specifications:
    <protocol>: "isakmp", "esp" or "ah".
        In the case of "show-sa" or "flush-sa", you can use "ipsec".

    <saopts>: "isakmp" <family> <src> <dst>
            : {"esp","ah"} <family> <src/prefixlen/port> <dst/prefixlen/port>
                              <ul_proto>
    <family>: "inet" or "inet6"
    <ul_proto>: "icmp", "tcp", "udp", "gre" or "any"

So it installs and the tools respond with usage information.  Not sure how to use them though.  Need to play around and hope nothing breaks.

CC: (none) => tarazed25
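
A check for whether a host still carries pre-fix ipsec-tools packages, added here as an example and not part of the original bug report. The fixed version-release comes from the update list above; the function name, the sample inventory and the simplified rpm-style comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag ipsec-tools packages older than the fixed release.
FIXED_VR="0.8.1-2.1.mga4"   # version-release from the update list above

# Constructed sample of what
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# might print on a partly updated Mageia 4 host (not real output).
SAMPLE_INVENTORY='ipsec-tools 0.8.1-2.mga4
libipsec0 0.8.1-2.1.mga4
libipsec-devel 0.8.1-2.mga4
somepkg 1.0-1.mga4'

# find_unpatched: read "name version-release" lines on stdin and print the
# ipsec-tools packages that are older than FIXED_VR.
find_unpatched() {
    awk -v fixed="$FIXED_VR" '
    # Segment comparison in the style of rpm (simplified: no epoch or
    # tilde handling). Digit runs compare as numbers, letter runs as
    # strings, and a digit run is newer than a letter run.
    function segcmp(a, b,    x, y, num) {
        while (a != "" || b != "") {
            sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
            if (a == "" || b == "") break
            num = (a ~ /^[0-9]/)
            x = a; y = b
            if (num) { sub(/[^0-9].*$/, "", x); sub(/[^0-9].*$/, "", y) }
            else     { sub(/[^A-Za-z].*$/, "", x); sub(/[^A-Za-z].*$/, "", y) }
            if (y == "") return num ? 1 : -1
            a = substr(a, length(x) + 1); b = substr(b, length(y) + 1)
            if (num) { x += 0; y += 0 }
            if (x < y) return -1
            if (x > y) return 1
        }
        if (a != "") return 1
        if (b != "") return -1
        return 0
    }
    # Version and release are compared separately; an rpm version never
    # contains "-", so the first "-" is the boundary.
    function vrcmp(a, b,    i, j, c) {
        i = index(a, "-"); j = index(b, "-")
        c = segcmp(substr(a, 1, i - 1), substr(b, 1, j - 1))
        return c ? c : segcmp(substr(a, i + 1), substr(b, j + 1))
    }
    $1 == "ipsec-tools" || $1 == "libipsec0" || $1 == "libipsec-devel" {
        if (vrcmp($2, fixed) < 0) print $1, $2
    }'
}

printf '%s\n' "$SAMPLE_INVENTORY" | find_unpatched
```

On a real host the same function can be fed from the `rpm -qa` query shown in the comment; an empty result means all three packages are at or beyond the fixed release.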

Comment 2 claire robinson 2015-06-05 16:14:47 CEST
Well done Len. Adding the OK for you :)

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 3 Len Lawrence 2015-06-05 16:18:55 CEST
Thanks Claire; I was not sure if that was sufficient.  Will run it through i586 on a VM.

Comment 4 Len Lawrence 2015-06-05 18:35:51 CEST
Installed the pre-testing rpms, checked the environment then ran the update.  All looks OK on the face of it but no real idea how to manipulate the tools.  This stuff is way oot a ma ken.  If you were happy with the 64bit update then I guess this is OK too.  Marking it as such.

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok

Comment 5 Len Lawrence 2015-06-05 18:36:29 CEST
Oh, that was in virtualbox.

Comment 6 claire robinson 2015-06-05 19:31:34 CEST
That's fine Len, well done.

Comment 7 claire robinson 2015-06-05 19:42:17 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-06-08 23:18:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED