[SRU] NetBSD CVE Patch Regression

Bug #1793028 reported by rdratlos on 2018-09-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ipsec-tools (Ubuntu)

Bug Description


[Test Case]

[Regression Potential]



[Original Report]
After upgrade racoon from 1:0.8.2+20140711-5 to 1:0.8.2+20140711-10build1 Apple iPhones, which use a racoon client cannot connect to the racoon VPN on the Ubuntu server. Following log entries outline the failure:
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.

A brief check of the upstream activities shows, that maintainers switched to panic mode because of CVE-2016-10396 and provided a rough patch without support of the ipsec-tools project and without the ability to perform sufficient regression tests.

As Debian as well as NetBSD maintainers already have expressed their general concerns about this patch, there really seems to be a severe issue.

Further evidences can be provided but as the topic is pretty complicated detailed guidance is required.

CVE References

rdratlos (rdratlos) wrote :

I've stored a "patched" package in Ubuntu launchpad that fixes this issue but again contains vulnerability CVE-2016-10396.


Andreas Hasenack (ahasenack) wrote :

Upstream bug report: http://gnats.netbsd.org/51682

Andreas Hasenack (ahasenack) wrote :

From the commit history at https://github.com/NetBSD/src/commits/trunk/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c it looks like debian (and ubuntu) has the latest changes. It's also not clear to me if SuSE reworked that patch, or also just took the latest version.

What other pointers do you have? Reports in other distributions?

Changed in ipsec-tools (Ubuntu):
status: New → Incomplete
rdratlos (rdratlos) wrote :

Quote from upstream bug report discussion:

 I agree there's something wrong with the code, although I would also
 like to have ways of reproducing this. Working on this bug right now is
 kind of a shot in the dark, and it seems numerous people here have
 worked on PoC or have real world conditions to reproduce those
 issues. It would be nice to share those so we can fix those issues

SuSE has also taken the upstream patch including the latest changes. But exactly the changes from Jan. 2017 introduce the regression. Changes afterwards seem to be more code clean-up.

Fedora and ArchLinux seem not to apply the patch (yet).

rdratlos (rdratlos) wrote :

I would offer some support to better analyse the bug. The new log messages plus debug in racoon do not help much. Maybe dumping network traffic with wireshark could help, but traffic is encrypted.

so I need some guidance on this.

rdratlos (rdratlos) wrote :

I performed some analysis and debugging of the isakmp fragmentaion error. The root cause seems to be a logical error in upstream CVE-2016-10396 patch. When applying this patch, racoon server prevents from DoS but does not recognize a completed reassembly of a isakmp fragemnt chain. This forces racoon clients like Apple iPhones that fragment isakmp messages to retransmit fragemnts which leads to a similar behaviour than the DoS attack, that developers wanted racoon servers to be protect from. So in turn, after a couple of retransmissions racoon server terminates pahse 1 negotiation. This prevents the fragmenting client from accessing the VPN.

Attached is a patch that fixes the fragmentation bug in CVE-2016-10396 patch. The patch has been tested and it works fine with my limited set of VPN clients. Regression tests have not been performed. For your convenience I've updated the PPA (https://launchpad.net/~rdratlos/+archive/ubuntu/racoon) to allow further testing of the attached patch.

The patch has been based on debian build 10 of racoon and should be easily applicable to bionic. Please review attached patch and include it into bionic.

The attachment "0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
rdratlos (rdratlos) wrote :

Upstream NetBSD has reviewed the proposed code fix and proposed a slight modification which is now committed in their repository as add-on patch.

The first draft of the patch above has been updated with the proposed changes. In addition, some limited debugging has been added to support admins in their root cause analysis, if VPN clients are blackballed due to the stricter fragment checks introduced by NetBSD's CVE patch.

Attached is the updated patch. PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon has been updated accordingly and works fine.

Robie Basak (racb) on 2018-10-04
tags: added: server-next
Changed in ipsec-tools (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Changed in ipsec-tools (Debian):
status: Unknown → Fix Released

The security team lists that [1] CVE as fixed already.
I don't see it in [2] that is supposed to fix it thou.

I subscribed Marc and Jamie to help us sorting out if this is:
a) fixed in a different way
b) mistriaged to be fixed but actually still an issue

[1]: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10396.html
[2]: http://launchpadlibrarian.net/334964772/ipsec-tools_1%3A0.8.2+20140711-9_1%3A0.8.2+20140711-10.diff.gz

I should have read it more carefully, 2nd pass of reading makes it better.
The CVE is obviously fixed but it introduced a regression.

Still, having Marc and Jamie subscribed is the right next step to evaluate a re-fix through the -security pocket.

tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

It looks like we inherited the bad patch from debian, as we haven't fixed this CVE ourselves. This isn't a post-release security update regression.

Someone needs to prepare an SRU to fix this issue.

Thanks for the clarification Marc, it is on our list and tagged to be sooner, but atm I see no one with a few cycles left so it might be a few days more.

Mathew Hodson (mhodson) on 2019-05-18
tags: added: regression-release
removed: regression-update
affects: ipsec-tools (Debian) → debian
Changed in debian:
importance: Unknown → Undecided
status: Fix Released → New
affects: debian → ubuntu
no longer affects: ubuntu
Bryce Harrington (bryce) on 2019-06-03
summary: - NetBSD CVE Patch Regression
+ [SRU] NetBSD CVE Patch Regression
Bryce Harrington (bryce) on 2019-06-08
description: updated

 ipsec-tools | 1:0.8.2+20140711-5 | xenial/universe | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 ipsec-tools | 1:0.8.2+20140711-10build1 | bionic/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x

So Xenial has a security issue and Bionic has the "bad" fix.
But in general this package is only in universe since 14.04 and even removed in 19.10 for upstream stating that racoon should no more be used.

Changed in ipsec-tools (Ubuntu Bionic):
importance: Undecided → Low
Changed in ipsec-tools (Ubuntu Disco):
importance: Undecided → Low
Changed in ipsec-tools (Ubuntu Bionic):
status: New → Triaged
Changed in ipsec-tools (Ubuntu Disco):
status: New → Triaged
Changed in ipsec-tools (Ubuntu):
status: Triaged → Invalid

See http://ipsec-tools.sourceforge.net/ for the abandonment, the supported ipsec solution is strongswan and I highly recommend to look into this instead.

tags: removed: server-next
Robie Basak (racb) wrote :


The Precise is in main but not affected.

Xenial onwards, the package is in universe because Ubuntu switched to favoring strongswan due in part to the upstream deprecation of racoon. That, at the time of release of Trusty and onwards, comprised our recommendation that users switch to strongswan for IPsec support. ipsec-tools/racoon is maintained since then by community volunteers only.

If you'd like to patch Xenial for the CVE, then please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details on how to contribute that.

If you'd like to patch Bionic to fix the regression, then please see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure for details on how to contribute this.

Note that in both cases someone needs to volunteer appropriate testing and consideration of others' use cases to successfully get a fix landed in Ubuntu.

Steve Langasek (vorlon) on 2020-07-02
Changed in ipsec-tools (Ubuntu Disco):
status: Triaged → Won't Fix
rdratlos (rdratlos) wrote :

ipsec-tools and racoon are still being maintained by Debian (despite of some concerns), NetBSD and Apple. NetBSD has published the fix for this bug already in 2018 and since then published further improvements for setkey command. A subset of the upstream changes and some minor Debian changes have been packaged into a new version of PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon (see changelog there) and published for the current Ubuntu LTS releases.
The related source code is now maintained on Github (https://github.com/rdratlos/racoon-ipsec-tools/tree/develop).

Ubuntu won't fix but there is at least a solution for Bionic and Focal that works well.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers