CVE-2022-23094: Libreswan 4.2 through 4.5 Denial of Service Vulnerability via Crafted IKEv1 Packet

A vulnerability was discovered in Libreswan versions 4.2 through 4.5 that allows a remote attacker to cause a denial of service (DoS) by sending a specially crafted IKEv1 packet. The code in 'pluto/ikev1.c' wrongly assumes that a state object exists for the incoming message; when none does, the IKE daemon (pluto) dereferences a NULL pointer and crashes. Libreswan is an open-source IPsec/IKE implementation, used mainly on Linux. The issue was fixed in Libreswan 4.6.

Code Snippet

The vulnerability lies in 'pluto/ikev1.c', where a check that a state object actually exists for the message being processed is missing. In simplified form, the affected code looks like this:

/*
 * Process the Main Mode ID Payload and the end of the Main Mode
 * exchange.
 */
static stf_status
main_id_and_end(struct msg_digest *md)
{
    ...
    /* Vulnerable: md->st is taken on trust. A crafted IKEv1 packet that
     * matches no existing state arrives with md->st == NULL, and the
     * code below dereferences it without checking. */
    struct state *st = md->st;
    ...
    /* Rest of the function uses st-> fields */
}
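The following is an added illustration of this bug class and is not Libreswan's code: a miniature IKEv1 dispatcher that parses the fixed 28-byte ISAKMP header (RFC 2408), looks the message up by its cookie pair, and hands it to a Main Mode handler. The handler is shown in the vulnerable form (state pointer used unchecked) and a hardened form (message dropped when no state matches). All struct and function names, the in-memory state table, and the sample packets are constructed stand-ins for pluto's internals.

```c
/*
 * Illustrative example for CVE-2022-23094 (NOT Libreswan source).
 * Every identifier below is a hypothetical stand-in for pluto's internals.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28   /* RFC 2408 3.1: fixed ISAKMP header size */
#define COOKIE_LEN      8

typedef enum { STF_OK = 0, STF_IGNORE, STF_FAIL } stf_status; /* hypothetical */

struct state {
    uint8_t icookie[COOKIE_LEN];
    uint8_t rcookie[COOKIE_LEN];
    int peer_id_verified;
};

struct msg_digest {
    const uint8_t *packet;
    size_t len;
    struct state *st;       /* NULL when no state matched the cookies */
};

/* Tiny in-memory state table standing in for pluto's state hash. */
static struct state g_states[4];
static size_t g_nstates;

static struct state *find_state(const uint8_t *icookie, const uint8_t *rcookie)
{
    for (size_t i = 0; i < g_nstates; i++) {
        if (memcmp(g_states[i].icookie, icookie, COOKIE_LEN) == 0 &&
            memcmp(g_states[i].rcookie, rcookie, COOKIE_LEN) == 0)
            return &g_states[i];
    }
    return NULL;
}

/* Vulnerable form: trusts that md->st was set by the lookup. */
static stf_status main_id_handler_vulnerable(struct msg_digest *md)
{
    struct state *st = md->st;          /* no NULL check */
    st->peer_id_verified = 1;           /* faults when st == NULL */
    return STF_OK;
}

/* Hardened form: a message with no matching state cannot legitimately be in
 * Main Mode ID processing, so drop it instead of dereferencing NULL. */
static stf_status main_id_handler_fixed(struct msg_digest *md)
{
    struct state *st = md->st;
    if (st == NULL)
        return STF_IGNORE;
    st->peer_id_verified = 1;
    return STF_OK;
}

/* Dispatch: validate header length, look up state by cookies, call handler. */
static stf_status process_ikev1(const uint8_t *pkt, size_t len, int hardened)
{
    if (len < ISAKMP_HDR_LEN)
        return STF_FAIL;
    struct msg_digest md = { pkt, len, find_state(pkt, pkt + COOKIE_LEN) };
    return hardened ? main_id_handler_fixed(&md) : main_id_handler_vulnerable(&md);
}

/* Constructed sample data: one established state with fixed cookie bytes. */
static void setup_demo_state(void)
{
    g_nstates = 1;
    memset(&g_states[0], 0, sizeof g_states[0]);
    memset(g_states[0].icookie, 0x11, COOKIE_LEN);
    memset(g_states[0].rcookie, 0x22, COOKIE_LEN);
}

/* Build a minimal ISAKMP header: cookies, ID payload next, Main Mode, length. */
static void build_header(uint8_t *hdr, uint8_t icookie_byte, uint8_t rcookie_byte)
{
    memset(hdr, 0, ISAKMP_HDR_LEN);
    memset(hdr, icookie_byte, COOKIE_LEN);
    memset(hdr + COOKIE_LEN, rcookie_byte, COOKIE_LEN);
    hdr[16] = 5;        /* next payload: Identification (ID) */
    hdr[17] = 0x10;     /* version 1.0 */
    hdr[18] = 2;        /* exchange type: Identity Protection (Main Mode) */
    hdr[27] = ISAKMP_HDR_LEN;   /* big-endian length, low byte */
}

/* Packet whose cookies match the established state. */
stf_status demo_known_state(int hardened)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    setup_demo_state();
    build_header(pkt, 0x11, 0x22);
    return process_ikev1(pkt, sizeof pkt, hardened);
}

/* Crafted packet: cookies match nothing. Only the fixed path is run here,
 * because the vulnerable path would dereference NULL and crash. */
stf_status demo_unknown_state_fixed(void)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    setup_demo_state();
    build_header(pkt, 0xaa, 0xbb);
    return process_ikev1(pkt, sizeof pkt, 1);
}

int main(void)
{
    printf("known state, vulnerable handler: %d\n", demo_known_state(0));
    printf("known state, fixed handler:      %d\n", demo_known_state(1));
    printf("unknown state, fixed handler:    %d\n", demo_unknown_state_fixed());
    return 0;
}
```

The point of the dispatcher is where the NULL comes from: the state lookup legitimately returns NULL for any packet whose cookies match nothing, so every handler that can be reached before a state is guaranteed to exist has to check `md->st` (or be wired so the dispatcher never calls it without one). Note that the unauthenticated attacker controls both cookie fields, so "no matching state" is trivially reachable from the network.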

Exploit Details

A remote attacker crafts an IKEv1 packet for which pluto finds no matching state and sends it to the Libreswan host. No credentials or established tunnel are needed, since the faulty code runs before peer authentication completes; UDP reachability to the IKE ports (500, and 4500 for NAT traversal) is sufficient. The NULL pointer dereference crashes pluto, which tears down all IKE SAs and with them every active tunnel, so the VPN service becomes unavailable to all connected users. If pluto is supervised and restarted automatically, the attacker can simply resend the packet, so a restart policy is not a defence.

Mitigation

The vulnerability is fixed in Libreswan 4.6, and affected users should upgrade as soon as possible. Where upgrading immediately is not possible, disable IKEv1 processing so that the vulnerable code path is never reached: on releases that support the global `ikev1-policy=` option in the `config setup` section of ipsec.conf, set `ikev1-policy=drop`; in addition, make every connection IKEv2-only with `ikev2=insist`, and remove any `ikev2=no` connections or move their peers to IKEv2. Verify after restarting pluto that the daemon no longer accepts IKEv1 (for example, a test peer configured for IKEv1 only should fail to negotiate). Disabling IKEv1 is only a workaround for deployments whose peers all support IKEv2; if IKEv1 peers must be retained, upgrading is the only fix.

Original References

1. Libreswan CHANGES file (the 4.6 entry records the fix; the line anchor refers to the main branch and may drift): https://github.com/libreswan/libreswan/blob/main/CHANGES#L4
2. CVE-2022-23094 entry at MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23094
3. Libreswan source code: https://github.com/libreswan/libreswan

Conclusion

CVE-2022-23094 is a high-impact, unauthenticated denial-of-service vulnerability in Libreswan 4.2 through 4.5: a single crafted IKEv1 packet crashes the pluto daemon and drops every tunnel it manages. Upgrade to Libreswan 4.6 or later; where that must wait, disable IKEv1 and run IKEv2 only. Because IKEv1 processing happens before authentication, keeping legacy IKEv1 exposed on an internet-facing gateway is itself a risk worth reconsidering, independently of this CVE.

Timeline

Published on: 01/15/2022 02:15:00 UTC
Last modified on: 01/24/2022 13:27:00 UTC