CVE-2024-3652
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The Libreswan Project (www.libreswan.org) | libreswan | 3.22 <= 4.14 | affected |
| The Libreswan Project (www.libreswan.org) | libreswan | 5.0 | unaffected |
Weaknesses
- IKEv1 with default AH/ESP configuration can cause libreswan to abort and restart
Workarounds
As a workaround, adding an esp= line to all IKEv1 connections works around the issue. An example covering most common default configurations would be: esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.