Bug 22043 - ipsec-tools new security issue CVE-2016-10396
Summary: ipsec-tools new security issue CVE-2016-10396
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2017-11-16 21:00 CET by David Walser
Modified: 2018-01-01 11:39 CET (History)
5 users (show)

See Also:
Source RPM: ipsec-tools-0.8.2-2.mga7.src.rpm
Status comment:


Description David Walser 2017-11-16 21:00:18 CET
Ubuntu has issued an advisory today (November 16):

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-11-16 21:00:24 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-11-16 21:22:36 CET
Assigning to the registered ipsec-tools maintainer.

CC: (none) => marja11
Assignee: bugsquad => tmb

Comment 2 David Walser 2017-12-29 01:45:07 CET

Updated ipsec-tools packages fix security vulnerability:

It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly
handled certain ISAKMP fragments. A remote attacker could use this issue to
cause racoon to crash, resulting in a denial of service (CVE-2016-10396).


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 6
CC: (none) => tmb
Assignee: tmb => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 Lewis Smith 2017-12-29 15:28:47 CET
Testing M5/64

No sign of a PoC in the CVE references.
Only 1 previous bug, referred to below.

BEFORE the update, installed;
The tools offer:
- libipsec, a PFKeyV2 library
- setkey, a program to directly manipulate policies and SAs
setkey adds, updates, dumps, or flushes Security Association Database (SAD) entries as well as Security Policy Database (SPD) entries in the kernel.
- racoon, an IKEv1 keying daemon
- racoonctl, racoon administrative control tool

AFTER update to:
- ipsec-tools-0.8.1-5.1.mga5.x86_64
- lib64ipsec0-0.8.1-5.1.mga5.x86_64

Using as a test guidance: https://bugs.mageia.org/show_bug.cgi?id=16042#c1
but read it all!

├── certs
├── psk.txt
└── racoon.conf

This software deals with "Security Association Database (SAD) entries as well as Security Policy Database (SPD) entries in the kernel".
 # setkey -DPp
No SPD entries.

 # setkey -c spdadd     [a rubbish command, I think]
setkey: spdadd: No such file or directory
Straced shows:
 open("/lib64/libipsec.so.0", O_RDONLY|O_CLOEXEC) = 3
that the library is at least used. 

All commands of the form:
 #  racoonctl <param>
yielded unhelpfully
 send: Bad file descriptor

Too obscure to chase further. OKing as a clean update that at least talks back.

Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith

Comment 4 Dave Hodgins 2018-01-01 09:48:52 CET
Oking on Mageia 6 as the update installs cleanly, the racoon service starts
with the default config.

Validating the update.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Lewis Smith 2018-01-01 10:59:57 CET
Trying M6/64  (see comment 3 for an introduction)

BEFORE update
Installed from normal repos:
- ipsec-tools-0.8.1-7.mga6.x86_64
- lib64ipsec0-0.8.1-7.mga6.x86_64

 # tree /etc/racoon
├── certs
├── psk.txt
└── racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
 then a couple of neat stanzas for
sainfo anonymous
remote anonymous

 # racoon -F          [has a man page, and -h command help]
Foreground mode.
2018-01-01 09:44:20: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2018-01-01 09:44:20: INFO: @(#)This product linked OpenSSL 1.0.2n  7 Dec 2017 (http://www.openssl.org/)
2018-01-01 09:44:20: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2018-01-01 09:44:21: ERROR: /etc/racoon/racoon.conf:25: ""my.key.pem" failed to load certificate "my.cert.pem"

2018-01-01 09:44:21: ERROR: fatal parse failure (1 errors)
racoon: failed to parse configuration file.

The config file has a line in 'remote anonymous':
        certificate_type x509 "my.cert.pem" "my.key.pem";
/etc/racoon/certs/* is empty, so this complaint is sensible.

 # racoon
output nothing, nor did it seem to start a daemon.

'setkey' has a very good man page.
 # setkey -DPp
 No SPD entries.
Sensible in a virgin state, no entries yet.

Trying some commands from the man page exapmles:
 # setkey -c add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 -E des-cbc 0x3ffe05014819ffff ;
setkey: invalid option -- 'E'
 # setkey -c add -6 myhost.example.com yourhost.example.com ah 123456 -A hmac-sha1 "AH SA configuration!"
setkey: invalid option -- '6'

All commands of the form:
 #  racoonctl <param>
yielded unhelpfully
 send: Bad file descriptor
More to try AFTER the update to:
- ipsec-tools-0.8.1-7.1.mga6.x86_64
- lib64ipsec0-0.8.1-7.1.mga6.x86_64

 # racoon -F
 # racoon -F -C
Same O/P as before.

 # setkey -DPp
No SPD entries.        [same as before: no database]

More from the man page examples:
 # setkey -c spdadd[21][any] any -P out ipsec esp/tunnel/
setkey: spdadd: No such file or directory
 # setkey -c add tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret"
setkey: invalid option -- 'A'
 # setkey -c add esp 0x10001 -ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh" -E des-cbc 0x3ffe05014819ffff
setkey: invalid option -- 't'
 # setkey -c dump esp
setkey: dump: No such file or directory
 # setkey -c flush
setkey: flush: No such file or directory

All inconclusive, but similar after the update to before it. Stracing showed:
 open("/lib64/libipsec.so.0", O_RDONLY|O_CLOEXEC) = 3

On the basis of clean update, similar before-&-after behaviour, OKing & validating this update.
Comment 6 Mageia Robot 2018-01-01 11:39:51 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.