CVE-2020-1763 - Out-of-bounds Read vulnerability in Libreswan

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Tags: network, low complexity, libreswan, CWE-125, nessus

Summary

An out-of-bounds buffer read flaw was found in the pluto daemon of libreswan versions 3.27 through 3.31, where an unauthenticated attacker could crash libreswan by sending specially crafted IKEv1 Informational Exchange packets. The daemon respawns after the crash.

Common Weakness Enumeration (CWE)

  • CWE-125: Out-of-bounds Read

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2020-2070.NASL
    description: From Red Hat Security Advisory 2020:2070 : The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2070 advisory. - libreswan: DoS attack via malicious IKEv1 informational exchange message (CVE-2020-1763) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-06
    modified: 2020-05-14
    plugin id: 136601
    published: 2020-05-14
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136601
    title: Oracle Linux 8 : libreswan (ELSA-2020-2070)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2070.NASL
    description: The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2070 advisory. - libreswan: DoS attack via malicious IKEv1 informational exchange message (CVE-2020-1763) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-05-18
    modified: 2020-05-12
    plugin id: 136497
    published: 2020-05-12
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136497
    title: RHEL 8 : libreswan (RHSA-2020:2070)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4684.NASL
    description: Stephan Zeisberg discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 Informational Exchange packet, resulting in denial of service.
    last seen: 2020-05-19
    modified: 2020-05-14
    plugin id: 136590
    published: 2020-05-14
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136590
    title: Debian DSA-4684-1 : libreswan - security update
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2071.NASL
    description: The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2071 advisory. - libreswan: DoS attack via malicious IKEv1 informational exchange message (CVE-2020-1763) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-05-18
    modified: 2020-05-12
    plugin id: 136499
    published: 2020-05-12
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136499
    title: RHEL 8 : libreswan (RHSA-2020:2071)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-2069.NASL
    description: The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2069 advisory. - libreswan: DoS attack via malicious IKEv1 informational exchange message (CVE-2020-1763) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-05-18
    modified: 2020-05-12
    plugin id: 136500
    published: 2020-05-12
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136500
    title: RHEL 8 : libreswan (RHSA-2020:2069)

Red Hat

advisories

bugzilla
  id: 1814541
  title: CVE-2020-1763 libreswan: DoS attack via malicious IKEv1 informational exchange message

oval
  OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 8 is installed
      oval: oval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • comment: libreswan-debugsource is earlier than 0:3.29-7.el8_2
          oval: oval:com.redhat.rhsa:tst:20202070001
        • comment: libreswan-debugsource is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20193391002
      • AND
        • comment: libreswan is earlier than 0:3.29-7.el8_2
          oval: oval:com.redhat.rhsa:tst:20202070003
        • comment: libreswan is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20151154002

rhsa
  id: RHSA-2020:2070
  released: 2020-05-12
  severity: Important
  title: RHSA-2020:2070: libreswan security update (Important)
rpms
  • libreswan-0:3.27-10.el8_0
  • libreswan-debuginfo-0:3.27-10.el8_0
  • libreswan-debugsource-0:3.27-10.el8_0
  • libreswan-0:3.29-7.el8_2
  • libreswan-debuginfo-0:3.29-7.el8_2
  • libreswan-debugsource-0:3.29-7.el8_2
  • libreswan-0:3.29-7.el8_1
  • libreswan-debuginfo-0:3.29-7.el8_1
  • libreswan-debugsource-0:3.29-7.el8_1