NULL pointer dereference in libreswan

#VU27711 NULL pointer dereference in libreswan

Published: 2020-05-12

Vulnerability identifier: #VU27711

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12312

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libreswan
Universal components / Libraries / Libraries used by multiple products

Vendor: libreswan.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference issue within the send_v2N_spi_response_from_state() function in programs/pluto/ikev2_send.c. A remote attacker can cause an assertion failure by initiating an IKEv2 IKE_SA_INIT exchange, followed by a bogus INFORMATIONAL exchange instead of the expected IKE_AUTH exchange and cause the pluto IKE daemon to restart.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libreswan: 3.27

External links
http://www.iwantacve.cn/index.php/archives/218/
http://github.com/libreswan/libreswan/compare/9b1394e...3897683
http://github.com/libreswan/libreswan/issues/246
http://libreswan.org/security/CVE-2019-12312/CVE-2019-12312.txt
http://libreswan.org/security/CVE-2019-12312/libreswan-3.27-CVE-2019-12312.patch

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

NULL pointer dereference in libreswan (Alpine package)

Denial of service in libreswan