CVE-2023-38710

An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/libreswan/libreswan/tags	Third Party Advisory
https://libreswan.org/security/CVE-2023-38710/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-25 21:15

Updated : 2023-12-11 19:34

NVD link : CVE-2023-38710

Mitre link : CVE-2023-38710

CVE.ORG link : CVE-2023-38710

JSON object : View

Products Affected

libreswan

libreswan

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-38710", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-08-25T21:15:08.167", "references": [{"url": "https://github.com/libreswan/libreswan/tags", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://libreswan.org/security/CVE-2023-38710/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20."}, {"lang": "es", "value": "Se ha descubierto un problema en Libreswan anterior a 4.12. Cuando un paquete IKEv2 Child SA REKEY contiene un n\u00famero de ID de protocolo IPsec no v\u00e1lido de 0 o 1, se devuelve una notificaci\u00f3n de error INVALID_SPI. El ID de protocolo de la carga \u00fatil de la notificaci\u00f3n se copia del paquete entrante, pero el c\u00f3digo que verifica los paquetes salientes falla en la afirmaci\u00f3n de que el ID de protocolo debe ser ESP (2) o AH(3) y hace que el demonio pluto se bloquee y reinicie. NOTA: la primera versi\u00f3n afectada es la 3.20.\n"}], "lastModified": "2023-12-11T19:34:38.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FD4136B-12B7-4FCA-B643-47F5FEA652EA", "versionEndExcluding": "4.12", "versionStartIncluding": "3.20"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}