CVE-2019-12312

libreswan: null-pointer dereference by sending two IKEv2 packets

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKE_SA_INIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKE_AUTH exchange. This affects send_v2N_spi_response_from_state() in programs/pluto/ikev2_send.c that will then trigger a NULL pointer dereference leading to a restart of libreswan.

En Libreswan versión anterior a 3.28, un fallo de aserción puede llevar a un reinicio del componente pluto IKE daemon. Un atacante puede iniciar una desreferencia de puntero NULL enviando dos paquetes IKEv2 (init_IKE y delete_IKE) en modo 3des_cbc a un servidor Libreswan. Esto afecta a send_v2N_spi_response_from_state en pprograms/pluto/ikev2_send.c cuando se crea con Network Security Services (NSS).

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-05-24 CVE Reserved
2019-05-24 CVE Published
2024-05-17 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-476: NULL Pointer Dereference
CWE-617: Reachable Assertion

CAPEC

References (7)

URL	Tag	Source
https://github.com/libreswan/libreswan/issues/246	Third Party Advisory
https://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt	X_refsource_confirm
https://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch	X_refsource_confirm

URL	Date	SRC
http://www.iwantacve.cn/index.php/archives/218	2024-08-04

URL	Date	SRC
https://github.com/libreswan/libreswan/compare/9b1394e...3897683	2020-08-24

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2019-12312	2019-11-05
https://bugzilla.redhat.com/show_bug.cgi?id=1716918	2019-11-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libreswan Search vendor "Libreswan"		Libreswan Search vendor "Libreswan" for product "Libreswan"				< 3.28 Search vendor "Libreswan" for product "Libreswan" and version " < 3.28"		-		Affected