Ubuntu has issued an advisory today (November 16): https://usn.ubuntu.com/usn/usn-3482-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered ipsec-tools maintainer.
CC: (none) => marja11
Assignee: bugsquad => tmb

Advisory:
========================

Updated ipsec-tools packages fix security vulnerability:

It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain ISAKMP fragments. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service (CVE-2016-10396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
https://usn.ubuntu.com/usn/usn-3482-1/
========================

Updated packages in core/updates_testing:
========================
ipsec-tools-0.8.1-5.1.mga5
libipsec0-0.8.1-5.1.mga5
libipsec-devel-0.8.1-5.1.mga5
ipsec-tools-0.8.1-7.1.mga6
libipsec0-0.8.1-7.1.mga6
libipsec-devel-0.8.1-7.1.mga6

from SRPMS:
ipsec-tools-0.8.1-5.1.mga5.src.rpm
ipsec-tools-0.8.1-7.1.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => tmb
Assignee: tmb => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Testing M5/64

No sign of a PoC in the CVE references. Only 1 previous bug, referred to below.

BEFORE the update, installed;
ipsec-tools-0.8.1-5.mga5
lib64ipsec0-0.8.1-5.mga5

The tools offer:
- libipsec, a PFKeyV2 library
- setkey, a program to directly manipulate policies and SAs
  setkey adds, updates, dumps, or flushes Security Association Database (SAD) entries as well as Security Policy Database (SPD) entries in the kernel.
- racoon, an IKEv1 keying daemon
- racoonctl, racoon administrative control tool

AFTER update to:
- ipsec-tools-0.8.1-5.1.mga5.x86_64
- lib64ipsec0-0.8.1-5.1.mga5.x86_64

Using as a test guidance: https://bugs.mageia.org/show_bug.cgi?id=16042#c1 but read it all!

/etc/racoon
├── certs
├── psk.txt
└── racoon.conf

This software deals with "Security Association Database (SAD) entries as well as Security Policy Database (SPD) entries in the kernel".

# setkey -DPp
No SPD entries.

# setkey -c spdadd [a rubbish command, I think]
setkey: spdadd: No such file or directory

Straced shows:
open("/lib64/libipsec.so.0", O_RDONLY|O_CLOEXEC) = 3
that the library is at least used.

All commands of the form:
# racoonctl <param>
yielded unhelpfully
send: Bad file descriptor

Too obscure to chase further. OKing as a clean update that at least talks back.

Keywords: (none) => advisory
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => lewyssmith
Oking on Mageia 6 as the update installs cleanly, the racoon service starts with the default config. Validating the update.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Trying M6/64 (see comment 3 for an introduction)

BEFORE update
Installed from normal repos:
- ipsec-tools-0.8.1-7.mga6.x86_64
- lib64ipsec0-0.8.1-7.mga6.x86_64

# tree /etc/racoon
/etc/racoon
├── certs
├── psk.txt
└── racoon.conf

/etc/racoon/racoon.conf:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
then a couple of neat stanzas for sainfo anonymous & remote anonymous

# racoon -F [has a man page, and -h command help]
Foreground mode.
2018-01-01 09:44:20: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2018-01-01 09:44:20: INFO: @(#)This product linked OpenSSL 1.0.2n 7 Dec 2017 (http://www.openssl.org/)
2018-01-01 09:44:20: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2018-01-01 09:44:21: ERROR: /etc/racoon/racoon.conf:25: ""my.key.pem" failed to load certificate "my.cert.pem"
2018-01-01 09:44:21: ERROR: fatal parse failure (1 errors)
racoon: failed to parse configuration file.

The config file has a line in 'remote anonymous':
certificate_type x509 "my.cert.pem" "my.key.pem";
/etc/racoon/certs/* is empty, so this complaint is sensible.

# racoon
output nothing, nor did it seem to start a daemon.

'setkey' has a very good man page.

# setkey -DPp
No SPD entries.
Sensible in a virgin state, no entries yet.

Trying some commands from the man page examples:

# setkey -c add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457 -E des-cbc 0x3ffe05014819ffff ;
setkey: invalid option -- 'E'

# setkey -c add -6 myhost.example.com yourhost.example.com ah 123456 -A hmac-sha1 "AH SA configuration!"
setkey: invalid option -- '6'

All commands of the form:
# racoonctl <param>
yielded unhelpfully
send: Bad file descriptor

--------------------------------
More to try AFTER the update to:
- ipsec-tools-0.8.1-7.1.mga6.x86_64
- lib64ipsec0-0.8.1-7.1.mga6.x86_64

# racoon -F
# racoon -F -C
Same O/P as before.

# setkey -DPp
No SPD entries. [same as before: no database]

More from the man page examples:

# setkey -c spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require
setkey: spdadd: No such file or directory

# setkey -c add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret"
setkey: invalid option -- 'A'

# setkey -c add 10.0.11.41 10.0.11.33 esp 0x10001 -ctx 1 1 "system_u:system_r:unconfined_t:SystemLow-SystemHigh" -E des-cbc 0x3ffe05014819ffff
setkey: invalid option -- 't'

# setkey -c dump esp
setkey: dump: No such file or directory

# setkey -c flush
setkey: flush: No such file or directory

All inconclusive, but similar after the update to before it.

Stracing showed:
open("/lib64/libipsec.so.0", O_RDONLY|O_CLOEXEC) = 3

On the basis of clean update, similar before-&-after behaviour, OKing & validating this update.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED