Devices:
BILLION BIPAC 8900X R3 (firmware: 2.52.d15) and 8700VAX (firmware: 2.52.d17)
(Affects all Billion routers with IPSEC)
Issue:
IPSEC tunnels failing and need to be manually restarted.
Cause:
External intruder attacks on port 500 of ALL models of Billion routers with latest firmware. Similar to CVE-2023-28771.
IPSEC service fails and does not re-establish IPSEC tunnels without manual intervention
Details:
External attacker flooding port 500 causing buffer overload on CPU. Causes Openswan IPSEC service to stop and restart, however IPSEC tunnels are not automatically re-established
Jul 31 05:50:57 authpriv warn pluto[11027]: packet from 213.109.84.253:500:
Jul 31 05:50:57 authpriv warn pluto[11027]: packet from 213.109.84.253:500: ABORT at /root/BRCM/W416L05_2305/userspace/public/apps/openswan-2.6.38/programs/pluto/ikev2.c:909
Jul 31 05:50:57 authpriv warn pluto[11027]: packet from 213.109.84.253:500: ABORT at /root/BRCM/W416L05_2305/userspace/public/apps/openswan-2.6.38/programs/pluto/ikev2.c:909
Jul 31 05:50:57 kern warn kernel: pluto/11027: potentially unexpected fatal signal 6.
Jul 31 05:50:57 authpriv warn pluto[11029]: pluto_crypto_helper: helper (0) is normal exiting
Jul 31 05:50:57 daemon err ipsec__plutorun: Aborted
Jul 31 05:50:57 daemon err ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Jul 31 05:50:57 daemon err ipsec__plutorun: restarting IPsec after pause...
Jul 31 05:51:08 daemon err ipsec_setup: Stopping Openswan IPsec...
Jul 31 05:51:08 daemon err ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jul 31 05:51:09 daemon err ipsec_setup: ...Openswan IPsec stopped
Jul 31 05:51:10 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K3.4.11-rt19...
Jul 31 05:51:10 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jul 31 05:51:13 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jul 31 05:51:13 daemon err ipsec_setup: ...Openswan IPsec started
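The crash-and-restart sequence in the log above can be detected in forwarded router syslog, together with whether any tunnel came back afterwards. This is an added example, not part of the original post or of Billion's firmware; the `IPsec SA established` marker, the five-minute grace window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Abridged from the log in the post above.
SAMPLE = """\
Jul 31 05:50:57 authpriv warn pluto[11027]: packet from 213.109.84.253:500: ABORT at /root/BRCM/W416L05_2305/userspace/public/apps/openswan-2.6.38/programs/pluto/ikev2.c:909
Jul 31 05:50:57 daemon err ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Jul 31 05:51:13 daemon err ipsec_setup: ...Openswan IPsec started
"""
ABORT = re.compile(r"packet from ([\d.]+):\d+: ABORT at \S*?([^/\s]+:\d+)\s*$")
FAIL = re.compile(r"!pluto failure!: exited with error status \d+ \(signal (\d+)\)")
RESTARTED = "...Openswan IPsec started"
SA_UP = "IPsec SA established"  # assumption: pluto's tunnel-up message reaches this syslog


def find_crashes(text, grace=timedelta(minutes=5), year=2023):
    """One dict per pluto crash: aborting peers, signal, restart time, tunnel status."""
    crashes, peers, last_ts = [], set(), None
    for line in text.splitlines():
        try:  # router syslog carries no year; supply one (assumed) so times compare
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # skip anything that is not a timestamped syslog line
        last_ts = ts
        if m := ABORT.search(line):
            peers.add((m[1], m[2]))  # (source IP, file:line of the abort)
        elif m := FAIL.search(line):
            crashes.append({"crashed": ts, "signal": int(m[1]), "peers": sorted(peers),
                            "restarted": None, "sa_at": None})
            peers = set()
        elif crashes and RESTARTED in line:
            crashes[-1]["restarted"] = crashes[-1]["restarted"] or ts
        elif crashes and SA_UP in line and crashes[-1]["restarted"]:
            crashes[-1]["sa_at"] = crashes[-1]["sa_at"] or ts
    for c in crashes:
        if c["restarted"] is None:
            c["tunnels"] = "daemon not restarted"
        elif c["sa_at"] and c["sa_at"] - c["restarted"] <= grace:
            c["tunnels"] = "restored"
        elif last_ts - c["restarted"] > grace:
            c["tunnels"] = "down"      # the failure mode the post reports
        else:
            c["tunnels"] = "unknown"   # log ends inside the grace window
    return crashes


if __name__ == "__main__":
    for c in find_crashes(SAMPLE):
        print(c["crashed"], "signal", c["signal"], c["peers"], "tunnels:", c["tunnels"])
```

A status of `down` means the daemon restarted but no security association was logged within the grace window, which is the condition that needed manual intervention.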
IPSEC Vulnerability: Billion 8900x R3 and 8700vax ipsec issue port 500 (Affects all Billion routers with IPSEC)
Re: IPSEC Vulnerability: Billion 8900x R3 and 8700vax ipsec issue port 500 (Affects all Billion routers with IPSEC)
zzwsimon wrote: ↑Mon Jul 31, 2023 1:35 am
(quotes the original post in full)
Reported to our engineers
Re: IPSEC Vulnerability: Billion 8900x R3 and 8700vax ipsec issue port 500 (Affects all Billion routers with IPSEC)
Engineers have provided test firmware for model 8700vax and 8900xR3 and the issue has been resolved keeping the IPSEC tunnels secure and stable.