[SRU] NetBSD CVE Patch Regression

Bug #1793028 reported by rdratlos
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ipsec-tools (Ubuntu) | Invalid | Medium | Unassigned |
Bionic | Triaged | Low | Unassigned |
Disco | Won't Fix | Low | Unassigned |

Bug Description

[Impact]
TBD

[Test Case]
TBD

[Regression Potential]

[Fix]

[Discussion]

[Original Report]
After upgrading racoon from 1:0.8.2+20140711-5 to 1:0.8.2+20140711-10build1, Apple iPhones, which use a racoon client, cannot connect to the racoon VPN on the Ubuntu server. The following log entries outline the failure:
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:28 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:32 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated fragment index mismatch
Sep 14 06:42:35 vpnserver racoon[1775]: ERROR: Repeated last fragment index mismatch
Sep 14 06:42:39 vpnserver racoon[1775]: ERROR: phase1 negotiation failed due to time up.

A brief check of the upstream activities shows that maintainers switched to panic mode because of CVE-2016-10396 and provided a rough patch without support of the ipsec-tools project and without the ability to perform sufficient regression tests.

As Debian as well as NetBSD maintainers already have expressed their general concerns about this patch, there really seems to be a severe issue.

Further evidence can be provided, but as the topic is pretty complicated, detailed guidance is required.

rdratlos (rdratlos) wrote :

I've stored a "patched" package in Ubuntu launchpad that fixes this issue but again contains vulnerability CVE-2016-10396.

https://launchpad.net/~rdratlos/+archive/ubuntu/racoon

Andreas Hasenack (ahasenack) wrote :

Upstream bug report: http://gnats.netbsd.org/51682

Andreas Hasenack (ahasenack) wrote :

From the commit history at https://github.com/NetBSD/src/commits/trunk/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c it looks like Debian (and Ubuntu) has the latest changes. It's also not clear to me if SuSE reworked that patch, or also just took the latest version.

What other pointers do you have? Reports in other distributions?

Changed in ipsec-tools (Ubuntu):
status: New → Incomplete
rdratlos (rdratlos) wrote :

Quote from upstream bug report discussion:

 I agree there's something wrong with the code, although I would also
 like to have ways of reproducing this. Working on this bug right now is
 kind of a shot in the dark, and it seems numerous people here have
 worked on PoC or have real world conditions to reproduce those
 issues. It would be nice to share those so we can fix those issues
 properly.

SuSE has also taken the upstream patch including the latest changes. But exactly the changes from Jan. 2017 introduce the regression. Changes afterwards seem to be more code clean-up.

Fedora and ArchLinux seem not to apply the patch (yet).

rdratlos (rdratlos) wrote :

I would offer some support to better analyse the bug. The new log messages plus debug in racoon do not help much. Maybe dumping network traffic with Wireshark could help, but traffic is encrypted.

So I need some guidance on this.

rdratlos (rdratlos) wrote :

I performed some analysis and debugging of the isakmp fragmentation error. The root cause seems to be a logical error in the upstream CVE-2016-10396 patch. When applying this patch, the racoon server protects against DoS but does not recognize a completed reassembly of an isakmp fragment chain. This forces racoon clients like Apple iPhones that fragment isakmp messages to retransmit fragments, which leads to behaviour similar to the DoS attack that developers wanted racoon servers to be protected from. So in turn, after a couple of retransmissions the racoon server terminates phase 1 negotiation. This prevents the fragmenting client from accessing the VPN.

Attached is a patch that fixes the fragmentation bug in CVE-2016-10396 patch. The patch has been tested and it works fine with my limited set of VPN clients. Regression tests have not been performed. For your convenience I've updated the PPA (https://launchpad.net/~rdratlos/+archive/ubuntu/racoon) to allow further testing of the attached patch.

The patch has been based on Debian build 10 of racoon and should be easily applicable to bionic. Please review the attached patch and include it into bionic.
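
The failure mode described in the comment above, as an added example that is not part of the original thread and is not racoon's or NetBSD's code: a simplified reassembly model that rejects repeated fragment indices yet still reports a chain as complete once every fragment has arrived, in any order. The struct, the function names, the 1-based 8-bit index and the "last" flag are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define FRAG_MAX 255 /* assumption: 1-based, 8-bit fragment index */
enum frag_result { FRAG_REJECT = -1, FRAG_PENDING = 0, FRAG_COMPLETE = 1 };

/* Hypothetical reassembly state for one fragmented message. */
struct frag_chain {
    uint8_t seen[FRAG_MAX + 1]; /* seen[i] is 1 once fragment i is stored */
    unsigned count;             /* distinct fragments stored so far */
    unsigned last;              /* index flagged "last", 0 while unknown */
};

void frag_init(struct frag_chain *c) { memset(c, 0, sizeof(*c)); }

/* Store one fragment. Rejected fragments leave the chain unchanged. */
enum frag_result frag_add(struct frag_chain *c, unsigned index, int is_last)
{
    if (index == 0 || index > FRAG_MAX)
        return FRAG_REJECT;             /* out of range */
    if (c->seen[index])
        return FRAG_REJECT;             /* repeated index: never overwrite */
    if (c->last != 0 && (is_last || index > c->last))
        return FRAG_REJECT;             /* second "last", or past the end */
    if (is_last)
        for (unsigned i = index + 1; i <= FRAG_MAX; i++)
            if (c->seen[i])
                return FRAG_REJECT;     /* "last" below a stored index */
    c->seen[index] = 1;
    c->count++;
    if (is_last)
        c->last = index;
    /* Completion check on every accepted fragment: all stored indices are
     * distinct and within 1..last, so count == last means none is missing. */
    if (c->last != 0 && c->count == c->last)
        return FRAG_COMPLETE;
    return FRAG_PENDING;
}

int main(void)
{
    struct frag_chain c;
    frag_init(&c);
    /* Constructed arrival order: 1, retransmitted 1, 3 (last), 2. */
    frag_add(&c, 1, 0);
    frag_add(&c, 1, 0);                 /* rejected, state unchanged */
    frag_add(&c, 3, 1);
    return frag_add(&c, 2, 0) == FRAG_COMPLETE ? 0 : 1;
}
```

Because the completion check runs on whichever fragment fills the last gap, a peer that sends the flagged fragment before an earlier one still finishes reassembly and has no reason to retransmit.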

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
rdratlos (rdratlos) wrote :

Upstream NetBSD has reviewed the proposed code fix and proposed a slight modification which is now committed in their repository as add-on patch.

The first draft of the patch above has been updated with the proposed changes. In addition, some limited debugging has been added to support admins in their root cause analysis, if VPN clients are blackballed due to the stricter fragment checks introduced by NetBSD's CVE patch.

Attached is the updated patch. PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon has been updated accordingly and works fine.

Robie Basak (racb)
tags: added: server-next
Changed in ipsec-tools (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Andreas Hasenack (ahasenack) wrote :
Changed in ipsec-tools (Debian):
status: Unknown → Fix Released
Christian Ehrhardt  (paelzer) wrote :

The security team lists that [1] CVE as fixed already.
I don't see it in [2] that is supposed to fix it though.

I subscribed Marc and Jamie to help us sorting out if this is:
a) fixed in a different way
b) mistriaged to be fixed but actually still an issue

[1]: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10396.html
[2]: http://launchpadlibrarian.net/334964772/ipsec-tools_1%3A0.8.2+20140711-9_1%3A0.8.2+20140711-10.diff.gz

Christian Ehrhardt  (paelzer) wrote :

I should have read it more carefully, 2nd pass of reading makes it better.
The CVE is obviously fixed but it introduced a regression.

Still, having Marc and Jamie subscribed is the right next step to evaluate a re-fix through the -security pocket.

tags: added: regression-update
Marc Deslauriers (mdeslaur) wrote :

It looks like we inherited the bad patch from Debian, as we haven't fixed this CVE ourselves. This isn't a post-release security update regression.

Someone needs to prepare an SRU to fix this issue.

Christian Ehrhardt  (paelzer) wrote :

Thanks for the clarification Marc, it is on our list and tagged to be sooner, but atm I see no one with a few cycles left so it might be a few days more.

Mathew Hodson (mhodson)
tags: added: regression-release
removed: regression-update
affects: ipsec-tools (Debian) → debian
Changed in debian:
importance: Unknown → Undecided
status: Fix Released → New
affects: debian → ubuntu
no longer affects: ubuntu
Bryce Harrington (bryce)
summary: - NetBSD CVE Patch Regression
+ [SRU] NetBSD CVE Patch Regression
Bryce Harrington (bryce)
description: updated
Christian Ehrhardt  (paelzer) wrote :

 ipsec-tools | 1:0.8.2+20140711-5 | xenial/universe | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 ipsec-tools | 1:0.8.2+20140711-10build1 | bionic/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x

So Xenial has a security issue and Bionic has the "bad" fix.
But in general this package has only been in universe since 14.04 and was even removed in 19.10 because upstream states that racoon should no longer be used.

Changed in ipsec-tools (Ubuntu Bionic):
importance: Undecided → Low
Changed in ipsec-tools (Ubuntu Disco):
importance: Undecided → Low
Changed in ipsec-tools (Ubuntu Bionic):
status: New → Triaged
Changed in ipsec-tools (Ubuntu Disco):
status: New → Triaged
Changed in ipsec-tools (Ubuntu):
status: Triaged → Invalid
Christian Ehrhardt  (paelzer) wrote :

See http://ipsec-tools.sourceforge.net/ for the abandonment. The supported ipsec solution is strongswan and I highly recommend looking into this instead.

tags: removed: server-next
Robie Basak (racb) wrote :

Summary:

Precise is in main but not affected.

Xenial onwards, the package is in universe because Ubuntu switched to favoring strongswan due in part to the upstream deprecation of racoon. That, at the time of release of Trusty and onwards, comprised our recommendation that users switch to strongswan for IPsec support. ipsec-tools/racoon is maintained since then by community volunteers only.

If you'd like to patch Xenial for the CVE, then please see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details on how to contribute that.

If you'd like to patch Bionic to fix the regression, then please see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure for details on how to contribute this.

Note that in both cases someone needs to volunteer appropriate testing and consideration of others' use cases to successfully get a fix landed in Ubuntu.

Steve Langasek (vorlon)
Changed in ipsec-tools (Ubuntu Disco):
status: Triaged → Won't Fix
rdratlos (rdratlos) wrote :

ipsec-tools and racoon are still being maintained by Debian (despite some concerns), NetBSD and Apple. NetBSD already published the fix for this bug in 2018 and has since published further improvements for the setkey command. A subset of the upstream changes and some minor Debian changes have been packaged into a new version of PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon (see changelog there) and published for the current Ubuntu LTS releases.
The related source code is now maintained on GitHub (https://github.com/rdratlos/racoon-ipsec-tools/tree/develop).

Ubuntu won't fix but there is at least a solution for Bionic and Focal that works well.
