CVE-2024-3652

Summary

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.

Affected Software

VendorProductVersion RangeStatus
The Libreswan Project (www.libreswan.org)libreswan3.22 <= 4.14affected
The Libreswan Project (www.libreswan.org)libreswan5.0unaffected

Weaknesses

  • IKEv1 with default AH/ESP configuration can cause libreswan to abort and restart

Workarounds

As a workaround, adding an esp= line to all IKEv1 connections works around the issue. An example covering most common default configurations would be: esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References