CVE-2024-2357

Summary

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.

Affected Software

VendorProductVersion RangeStatus
The Libreswan Project (www.libreswan.org)libreswan3.0 <= 4.1unaffected
The Libreswan Project (www.libreswan.org)libreswan4.2 <= 4.12affected
The Libreswan Project (www.libreswan.org)libreswan5.0unaffected

Weaknesses

  • IKEv2 misconfiguration can cause libreswan to abort and restart

Workarounds

As a workaround, one can place an unguessable long random default secret in /etc/ipsec.secrets, for example using the following command:

echo -e "# CVE-2024-2357 workaround
PSK "$(openssl rand -hex 32)"" >> /etc/ipsec.secrets

This will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References