CVE-2019-12312 – libreswan: null-pointer dereference by sending two IKEv2 packets
https://notcve.org/view.php?id=CVE-2019-12312
In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKE_SA_INIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKE_AUTH exchange. This affects send_v2N_spi_response_from_state() in programs/pluto/ikev2_send.c that will then trigger a NULL pointer dereference leading to a restart of libreswan. En Libreswan versión anterior a 3.28, un fallo de aserción puede llevar a un reinicio del componente pluto IKE daemon. Un atacante puede iniciar una desreferencia de puntero NULL enviando dos paquetes IKEv2 (init_IKE y delete_IKE) en modo 3des_cbc a un servidor Libreswan. • http://www.iwantacve.cn/index.php/archives/218 https://github.com/libreswan/libreswan/compare/9b1394e...3897683 https://github.com/libreswan/libreswan/issues/246 https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch https://access.redhat.com/security/cve/CVE-2019-12312 https://bugzilla.redhat.com/show_bug.cgi?id=1716918 • CWE-476: NULL Pointer Dereference CWE-617: Reachable Assertion •
CVE-2016-5391
https://notcve.org/view.php?id=CVE-2016-5391
libreswan before 3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto daemon restart). Libreswan anterior a la 3.18 permite a un atacante remoto provocar una denegación de servicio (desreferencia a un puntero NULL y reinicio del daemon pluto). • https://bugzilla.redhat.com/show_bug.cgi?id=1356183 https://libreswan.org/security/CVE-2016-5391/CVE-2016-5391.txt https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65R6OA5AY7K2UBQUDOLOS5Y3SCULQI6I https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKMS7R4TG6LTAGEBOWVUXF6LAWQXLNXV • CWE-476: NULL Pointer Dereference •
CVE-2016-5361 – IKEv1 protocol is vulnerable to DoS amplification attack
https://notcve.org/view.php?id=CVE-2016-5361
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each. programs/pluto/ikev1.c en libreswan en versiones anteriores a 3.17 retransmite en estados inicial-respuesta, lo que permite a atacantes remotos provocar una denegación de servicio (amplificación de tráfico) a través de un paquete UDP suplantado. NOTA: el comportamiento original cumple con el protocolo IKEv1, pero tiene una actualización de seguridad requerida por el vendedor de libreswan; a partir de 2016-06-10, se espera que otras varias implementaciones IKEv1 tengan actualizaciones de seguridad requeridas por el vendedor, con separadas CVEs IDs asignadas a cada una. A traffic amplification flaw was found in the Internet Key Exchange version 1 (IKEv1) protocol. A remote attacker could use a libreswan server with IKEv1 enabled in a network traffic amplification denial of service attack against other hosts on the network by sending UDP packets with a spoofed source address to that server. • http://rhn.redhat.com/errata/RHSA-2016-2603.html http://www.openwall.com/lists/oss-security/2016/06/10/4 https://github.com/libreswan/libreswan/commit/152d6d95632d8b9477c170f1de99bcd86d7fb1d6 https://lists.libreswan.org/pipermail/swan-dev/2016-March/001394.html https://access.redhat.com/security/cve/CVE-2016-5361 https://bugzilla.redhat.com/show_bug.cgi?id=1308508 • CWE-20: Improper Input Validation •
CVE-2016-3071
https://notcve.org/view.php?id=CVE-2016-3071
Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform. Libreswan 3.16 podría permitir a atacantes remotos provocar una denegación de servicio (reinicio del demonio) a través de una tranformación de IKEv2 aes_xcbc. • http://download.libreswan.org/CHANGES http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182050.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182130.html http://www.securityfocus.com/bid/87295 https://libreswan.org/security/CVE-2016-3071/CVE-2016-3071.txt • CWE-20: Improper Input Validation CWE-310: Cryptographic Issues •
CVE-2015-3240 – openswan: denial of service via IKE daemon restart when receiving a bad DH gx value
https://notcve.org/view.php?id=CVE-2015-3240
The pluto IKE daemon in libreswan before 3.15 and Openswan before 2.6.45, when built with NSS, allows remote attackers to cause a denial of service (assertion failure and daemon restart) via a zero DH g^x value in a KE payload in a IKE packet. El demonio pluto IKE en libreswan en versiones anteriores a 3.15 y Openswan en versiones anteriores a 2.6.45, cuando ha sido construido con NSS, permite a atacantes remotos causar una denegación de servicio (fallo de aserción y reinicio de demonio) a través de un valor zero DH g^x en un payload KE en un paquete IKE. A flaw was discovered in the way Libreswan's IKE daemon processed IKE KE payloads. A remote attacker could send specially crafted IKE payload with a KE payload of g^x=0 that, when processed, would lead to a denial of service (daemon crash). • http://rhn.redhat.com/errata/RHSA-2015-1979.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/77536 http://www.securitytracker.com/id/1033418 https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt https://lists.openswan.org/pipermail/users/2015-August/023401.html https://security.gentoo.org/glsa/201603-13 https://access.redhat.com/security/cve/CVE-2015-3240 https://bugzilla.redhat.com/show_bug.cgi?id= • CWE-189: Numeric Errors CWE-617: Reachable Assertion •