NetBSD CVE Patch Regression

Bug #1793028 reported by rdratlos on 2018-09-17
Affects               Status        Importance  Assigned to  Milestone
ipsec-tools (Debian)  Fix Released  Unknown
ipsec-tools (Ubuntu)                Medium      Unassigned

Bug Description

After upgrading racoon from 1:0.8.2+20140711-5 to 1:0.8.2+20140711-10build1, Apple iPhones, which use a racoon client, cannot connect to the racoon VPN on the Ubuntu server. The following log entries outline the failure:
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.

A brief check of the upstream activities shows that maintainers switched to panic mode because of CVE-2016-10396 and provided a rough patch without support from the ipsec-tools project and without the ability to perform sufficient regression tests.

As both Debian and NetBSD maintainers have already expressed their general concerns about this patch, there really seems to be a severe issue.

Further evidence can be provided, but as the topic is pretty complicated, detailed guidance is required.
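A small triage script for the failure signature in the description above (a burst of "Repeated fragment index mismatch" errors from one racoon daemon followed by a phase 1 timeout). This is an added example written for this page, not part of the bug report or of ipsec-tools; the sample log is constructed from the lines quoted in the description, and the 120-second correlation window is an assumption.

```python
"""
Scan racoon syslog output for the regression signature reported above:
repeated fragment-index mismatch errors followed by a phase 1 timeout.
Added example for this page, not racoon code.  SAMPLE_LOG is constructed
from the lines quoted in the bug description.
"""
import re
from datetime import datetime

# Typical syslog line: "Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: <message>"
RACOON_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) racoon\[(?P<pid>\d+)\]: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

MISMATCH_MSGS = {
    "Repeated fragment index mismatch",
    "Repeated last fragment index mismatch",
}
TIMEOUT_MSG = "phase1 negotiation failed due to time up."

# Constructed sample: the lines from the bug description, verbatim.
SAMPLE_LOG = """\
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.
"""


def parse_line(line):
    """Return (timestamp, host, pid, level, message) or None for non-racoon lines."""
    m = RACOON_LINE.match(line)
    if not m:
        return None
    # Syslog carries no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["host"], int(m["pid"]), m["level"], m["msg"]


def find_fragment_timeouts(lines, max_window_s=120):
    """One finding per phase 1 timeout that was preceded by mismatch errors
    from the same daemon within max_window_s seconds (assumed window)."""
    pending = {}   # (host, pid) -> (first mismatch ts, mismatch count)
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, pid, _level, msg = parsed
        key = (host, pid)
        if msg in MISMATCH_MSGS:
            first, count = pending.get(key, (ts, 0))
            if (ts - first).total_seconds() > max_window_s:
                first, count = ts, 0          # stale burst: start a new one
            pending[key] = (first, count + 1)
        elif msg == TIMEOUT_MSG:
            first, count = pending.pop(key, (ts, 0))
            if count:
                findings.append({
                    "host": host,
                    "pid": pid,
                    "mismatches": count,
                    "window_s": int((ts - first).total_seconds()),
                    "timeout_at": ts.strftime("%b %d %H:%M:%S"),
                })
    return findings


if __name__ == "__main__":
    for f in find_fragment_timeouts(SAMPLE_LOG.splitlines()):
        print(f)
```

These error lines carry no peer address, so a finding identifies the daemon that dropped a negotiation, not the client; correlate it with the client's own logs or with whatever peer-address lines your racoon log level provides before concluding that the fragment checks blackballed a particular device.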

CVE References

rdratlos (rdratlos) wrote :

I've stored a "patched" package in Ubuntu launchpad that fixes this issue but again contains vulnerability CVE-2016-10396.

https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

Andreas Hasenack (ahasenack) wrote :

Upstream bug report: http://gnats.netbsd.org/51682

Andreas Hasenack (ahasenack) wrote :

From the commit history at https://github.com/NetBSD/src/commits/trunk/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c it looks like debian (and ubuntu) has the latest changes. It's also not clear to me if SuSE reworked that patch, or also just took the latest version.

What other pointers do you have? Reports in other distributions?

Changed in ipsec-tools (Ubuntu):
status: New → Incomplete
rdratlos (rdratlos) wrote :

Quote from upstream bug report discussion:

 I agree there's something wrong with the code, although I would also
 like to have ways of reproducing this. Working on this bug right now is
 kind of a shot in the dark, and it seems numerous people here have
 worked on PoC or have real world conditions to reproduce those
 issues. It would be nice to share those so we can fix those issues
 properly.

SuSE has also taken the upstream patch including the latest changes. But exactly the changes from Jan. 2017 introduce the regression. Changes afterwards seem to be more code clean-up.

Fedora and ArchLinux seem not to apply the patch (yet).

rdratlos (rdratlos) wrote :

I would offer some support to better analyse the bug. The new log messages plus debug in racoon do not help much. Maybe dumping network traffic with wireshark could help, but traffic is encrypted.

So I need some guidance on this.

rdratlos (rdratlos) wrote :

I performed some analysis and debugging of the isakmp fragmentation error. The root cause seems to be a logical error in the upstream CVE-2016-10396 patch. When applying this patch, the racoon server is protected from DoS but does not recognize a completed reassembly of an isakmp fragment chain. This forces racoon clients like Apple iPhones that fragment isakmp messages to retransmit fragments, which leads to a similar behaviour to the DoS attack that developers wanted racoon servers to be protected from. So in turn, after a couple of retransmissions the racoon server terminates phase 1 negotiation. This prevents the fragmenting client from accessing the VPN.

Attached is a patch that fixes the fragmentation bug in CVE-2016-10396 patch. The patch has been tested and it works fine with my limited set of VPN clients. Regression tests have not been performed. For your convenience I've updated the PPA (https://launchpad.net/~rdratlos/+archive/ubuntu/racoon) to allow further testing of the attached patch.

The patch has been based on debian build 10 of racoon and should be easily applicable to bionic. Please review attached patch and include it into bionic.
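A model of the two properties the comment above is about: a reassembler that rejects a repeated fragment index whose content differs (the DoS hardening) while still recognising when the chain is complete, so that a client retransmitting identical fragments is not driven into the phase 1 timeout. This is an added example written for this page; it is not racoon's isakmp_frag.c, not the upstream CVE-2016-10396 patch and not the attached fix. The header layout follows the IKEv1 fragmentation payload (type 132: next payload, reserved, length, fragment id, 1-based index, flags with 0x01 = last fragment); the 255-fragment cap and all sample data are assumptions of this example.

```python
"""
ISAKMP fragment reassembly with strict repeated-index checks AND correct
completion detection.  Added example for this page; not racoon code.
Payload header (8 bytes, network order): next, reserved, length, frag_id,
index (1-based), flags (ISAKMP_FRAG_LAST marks the final fragment).
"""
import struct

ISAKMP_FRAG_LAST = 0x01
FRAG_HDR = struct.Struct("!BBHHBB")   # next, reserved, length, frag_id, index, flags
MAX_FRAGS = 255                        # index is one byte (assumed cap)


class FragmentMismatch(Exception):
    """Repeated index with different content, or a contradictory LAST marker."""


def build_fragments(message: bytes, frag_id: int, size: int) -> list:
    """Split one ISAKMP message into fragmentation payloads with indices 1..n."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)] or [b""]
    frags = []
    for idx, chunk in enumerate(chunks, start=1):
        flags = ISAKMP_FRAG_LAST if idx == len(chunks) else 0
        hdr = FRAG_HDR.pack(0, 0, FRAG_HDR.size + len(chunk), frag_id, idx, flags)
        frags.append(hdr + chunk)
    return frags


class Reassembler:
    """Collects the fragments of one chain and returns the message once complete."""

    def __init__(self, frag_id: int):
        self.frag_id = frag_id
        self.frags = {}          # index -> fragment body
        self.last_index = None   # index that carried the LAST flag, once seen
        self.message = None

    def feed(self, payload: bytes):
        if len(payload) < FRAG_HDR.size:
            raise ValueError("truncated fragmentation payload")
        _next, _res, length, frag_id, index, flags = FRAG_HDR.unpack_from(payload)
        if length != len(payload) or index == 0 or frag_id != self.frag_id:
            raise ValueError("malformed fragment header")
        body = payload[FRAG_HDR.size:]

        # Repeated index: an identical retransmission is harmless and ignored;
        # different content for the same index is the DoS/overwrite case and
        # is rejected.  Treating every repeat as an error would break peers
        # that legitimately retransmit after a lost reply.
        if index in self.frags:
            if self.frags[index] != body:
                raise FragmentMismatch("Repeated fragment index mismatch")
        else:
            if len(self.frags) >= MAX_FRAGS:
                raise FragmentMismatch("too many fragments in chain")
            self.frags[index] = body

        if flags & ISAKMP_FRAG_LAST:
            if self.last_index is not None and self.last_index != index:
                raise FragmentMismatch("Repeated last fragment index mismatch")
            self.last_index = index
        elif self.last_index is not None and index > self.last_index:
            raise FragmentMismatch("fragment index beyond last fragment")

        return self._complete()

    def _complete(self):
        """Return the reassembled message once every index 1..last is present."""
        if self.last_index is None:
            return None
        if all(i in self.frags for i in range(1, self.last_index + 1)):
            self.message = b"".join(self.frags[i] for i in range(1, self.last_index + 1))
        return self.message


def reassemble(payloads, frag_id: int):
    """Feed fragments in the order given; return the message, or None if incomplete."""
    r = Reassembler(frag_id)
    result = None
    for p in payloads:
        result = r.feed(p)
    return result


def rejects(r: Reassembler, payload: bytes) -> bool:
    """True if the reassembler refuses the payload with FragmentMismatch."""
    try:
        r.feed(payload)
    except FragmentMismatch:
        return True
    return False


if __name__ == "__main__":
    msg = bytes(range(256)) * 3            # constructed 768-byte message
    frags = build_fragments(msg, 0x1234, 300)
    print(len(frags), "fragments; complete:", reassemble(frags, 0x1234) == msg)
    print("retransmitted chain still completes:", reassemble(frags + frags, 0x1234) == msg)
```

The point to carry over when reviewing a fix: "repeated index" and "tampered index" are different conditions. The reassembler must answer "is the chain complete?" after every fragment, including harmless repeats, otherwise the peer never sees the reply and keeps retransmitting until the negotiation times out.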

The attachment "0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
rdratlos (rdratlos) wrote :

Upstream NetBSD has reviewed the proposed code fix and proposed a slight modification which is now committed in their repository as add-on patch.

The first draft of the patch above has been updated with the proposed changes. In addition, some limited debugging has been added to support admins in their root cause analysis, if VPN clients are blackballed due to the stricter fragment checks introduced by NetBSD's CVE patch.

Attached is the updated patch. PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon has been updated accordingly and works fine.

Robie Basak (racb) on 2018-10-04
tags: added: server-next
Changed in ipsec-tools (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Changed in ipsec-tools (Debian):
status: Unknown → Fix Released

The security team lists that [1] CVE as fixed already.
I don't see it in [2] that is supposed to fix it though.

I subscribed Marc and Jamie to help us sorting out if this is:
a) fixed in a different way
b) mistriaged to be fixed but actually still an issue

[1]: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10396.html
[2]: http://launchpadlibrarian.net/334964772/ipsec-tools_1%3A0.8.2+20140711-9_1%3A0.8.2+20140711-10.diff.gz

I should have read it more carefully; a second pass of reading makes it better.
The CVE is obviously fixed but it introduced a regression.

Still, having Marc and Jamie subscribed is the right next step to evaluate a re-fix through the -security pocket.

tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

It looks like we inherited the bad patch from debian, as we haven't fixed this CVE ourselves. This isn't a post-release security update regression.

Someone needs to prepare an SRU to fix this issue.

Thanks for the clarification Marc, it is on our list and tagged to be sooner, but atm I see no one with a few cycles left so it might be a few days more.
