Bug 31865

Summary: libreswan new security issue - CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, herman.viaene, luigiwalser, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: libreswan-4.11-1.mga9.src.rpm CVE: CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Status comment:
Bug Depends on: 32211    
Bug Blocks:    

Description Stig-Ørjan Smelror 2023-05-04 07:01:53 CEST 
Upstream have released a patch to fix CVE-2023-30570

https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt

Fixed in version 4.11. Cauldron updated.
Stig-Ørjan Smelror 2023-05-04 14:36:49 CEST

Status comment: (none) => Fixed upstream in version 4.11
CVE: (none) => CVE-2023-30570

Comment 1 David Walser 2023-05-04 15:47:25 CEST 
RedHat has issued an advisory for this today (May 4):
https://access.redhat.com/errata/RHSA-2023:2120
Comment 2 David Walser 2023-05-15 16:41:38 CEST 
Fedora has issued an advisory for this on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APPXJHIVUBS4I2AVIB6C36ED6XNUYVC2/

Severity: normal => critical

Comment 3 Stig-Ørjan Smelror 2023-08-29 22:27:56 CEST 
New security fixes in version 4.12

https://github.com/libreswan/libreswan/blob/26f713c76db27cfd8498c560cac5eade46165155/CHANGES#L28

* SECURITY IKEv2: Fixes https://libreswan.org/security/CVE-2023-38710
* SECURITY IKEv1: Fixes https://libreswan.org/security/CVE-2023-38711
* SECURITY IKEv1: Fixes https://libreswan.org/security/CVE-2023-38712

Summary: libreswan new security issue - CVE-2023-30570 => libreswan new security issue - CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
CVE: CVE-2023-30570 => CVE-2023-30570,CVE-2023-38710,CVE-2023-38711,CVE-2023-38712
Status comment: Fixed upstream in version 4.11 => Fixed upstream in version 4.12

Stig-Ørjan Smelror 2023-08-29 22:28:32 CEST

Version: 8 => 9
Whiteboard: (none) => MGA8

Stig-Ørjan Smelror 2023-08-29 22:31:16 CEST

Whiteboard: MGA8 => MGA8_TOO

David Walser 2023-08-29 22:48:50 CEST

CC: (none) => luigiwalser
Whiteboard: MGA8_TOO => MGA8TOO

Comment 4 Thomas Backlund 2023-09-01 16:08:29 CEST 
updating to 4.12 in mga8 will break atleast networkmanager-l2tp
(it's already broken in mga9 with 4.11)

so bug 32211 needs to be validated before this can be pushed...

Depends on: (none) => 32211

Comment 5 Nicolas Salguero 2024-03-14 12:17:11 CET 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. (CVE-2023-30570)

An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. (CVE-2023-38710)

An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. (CVE-2023-38711)

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart. (CVE-2023-38712)

References:
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
https://access.redhat.com/errata/RHSA-2023:2120
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/APPXJHIVUBS4I2AVIB6C36ED6XNUYVC2/
https://libreswan.org/security/CVE-2023-38710
https://libreswan.org/security/CVE-2023-38711
https://libreswan.org/security/CVE-2023-38712
========================

Updated package in core/updates_testing:
========================
libreswan-4.12-1.mga9

from SRPM:
libreswan-4.12-1.mga9.src.rpm

Source RPM: (none) => libreswan-4.11-1.mga9.src.rpm
Assignee: smelror => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in version 4.12 => (none)

katnatek 2024-03-14 20:07:40 CET

Keywords: (none) => advisory

Comment 6 Herman Viaene 2024-03-18 14:46:51 CET 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues
Networking on my home network works apparently OK (checked via access to NFS-shares on my desktop PC), but nevertheless something strange comes up:
$ nslookup mach1
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   mach1.fritz.box
Address: 45.76.93.104
Name:   mach1.fritz.box
Address: 2001:19f0:6c00:1b0e:5400:4ff:fecd:7828
That I have never seen before, but

$ nslookup mach1.hviaene.thuis
Server:         192.168.2.1
Address:        192.168.2.1#53

Name:   mach1.hviaene.thuis
Address: 192.168.2.1
is the response I get from my own DNS-server, and normally I get the response whether it is the machine name or the FQDN.
It is the same for any other name in my DNS-setup.

CC: (none) => herman.viaene

Comment 7 katnatek 2024-03-22 04:31:59 CET 
RH mageia 9 x86_64 

Install current package

LC_ALL=C urpmi libreswan
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  lib64ldns3                     1.8.3        1.mga9        x86_64  
  libreswan                      4.11         1.mga9        x86_64  
4.8MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64ldns3-1.8.3-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/libreswan-4.11-1.mga9.x86_64.rpm   
installing lib64ldns3-1.8.3-1.mga9.x86_64.rpm libreswan-4.11-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms               
Preparing...                     ######################################################################################
      1/2: lib64ldns3            ######################################################################################
      2/2: libreswan             ######################################################################################

Update to testing version

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing libreswan-4.12-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: libreswan             ######################################################################################
      1/1: removing libreswan-4.11-1.mga9.x86_64
                                 ######################################################################################

Remove packages

LC_ALL=C urpme libreswan lib64ldns3
removing lib64ldns3-1.8.3-1.mga9.x86_64 libreswan-4.12-1.mga9.x86_64
removing package libreswan-4.12-1.mga9.x86_64
      1/2: removing libreswan-4.12-1.mga9.x86_64
                                 ######################################################################################
removing package lib64ldns3-1.8.3-1.mga9.x86_64
      2/2: removing lib64ldns3-1.8.3-1.mga9.x86_64
                                 ######################################################################################

Not issues
Comment 8 Herman Viaene 2024-03-23 11:32:14 CET 
Removing libreswan makes nslookup giving the normal answer from my DNS-server. So as far as I am concerned, I don't want this package on my machines.
Comment 9 Herman Viaene 2024-03-23 11:47:58 CET 
Sorry, jumping to conclusions too quick when I had changed two things at the same time.
Getting the correct response from the nslookup was triggered by explicitely declaring the  search domain in MCC - Internet - setup internet connection.
So as far as my knowledge goes, there is nothing wrong with libreswan.
katnatek 2024-03-23 18:45:27 CET

CC: (none) => andrewsfarm

Comment 10 katnatek 2024-03-23 18:46:31 CET 
Validating on base of clean install/uninstall

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 11 Mageia Robot 2024-03-24 05:58:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0085.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED