CVE-2024-3652

IKEv1 default AH/ESP responder can cause libreswan to abort and restart

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.

Se notificó a Libreswan Project sobre un problema que provocaba que libreswan se reiniciara al usar IKEv1 sin especificar una línea esp=. Cuando el par solicita AES-GMAC, el controlador de propuestas predeterminado de libreswan provoca un error de aserción, falla y se reinicia. Las conexiones IKEv2 no se ven afectadas.

A flaw was found in Libreswan, where it was identified to contain an assertion failure issue in the compute_proto_keymat() function. The vulnerability can be exploited when an IKEv1 connection is loaded with an AH/ESP default setting when no esp= line is present in the connection. This flaw allows an authenticated attacker to send the bogus AES-GMAC proposal request, triggering the issue and causing Libreswan to crash and restart. When this connection is automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service. No remote code execution is possible.

*Credits: github user X1AOxiang

CVSS Scores

Red Hatv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-11 CVE Reserved
2024-04-11 CVE Published
2024-04-11 EPSS Updated
2024-06-22 First Exploit
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-617: Reachable Assertion

CAPEC

References (5)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/18/2

URL	Date	SRC
https://github.com/bigb0x/CVE-2024-36527	2024-06-22

URL	Date	SRC

URL	Date	SRC
https://libreswan.org/security/CVE-2024-3652	2024-05-01
https://access.redhat.com/security/cve/CVE-2024-3652	2024-07-09
https://bugzilla.redhat.com/show_bug.cgi?id=2274448	2024-07-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
The Libreswan Project (www.libreswan.org) Search vendor "The Libreswan Project (www.libreswan.org)"		Libreswan Search vendor "The Libreswan Project (www.libreswan.org)" for product "Libreswan"				>= 3.22 <= 4.14 Search vendor "The Libreswan Project (www.libreswan.org)" for product "Libreswan" and version " >= 3.22 <= 4.14"		en		Affected