CVE-2024-3652

IKEv1 default AH/ESP responder can cause libreswan to abort and restart

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.

Se notificó a Libreswan Project sobre un problema que provocaba que libreswan se reiniciara al usar IKEv1 sin especificar una línea esp=. Cuando el par solicita AES-GMAC, el controlador de propuestas predeterminado de libreswan provoca un error de aserción, falla y se reinicia. Las conexiones IKEv2 no se ven afectadas.

A flaw was found in Libreswan, where it was identified to contain an assertion failure issue in the compute_proto_keymat() function. The vulnerability can be exploited when an IKEv1 connection is loaded with an AH/ESP default setting when no esp= line is present in the connection. This flaw allows an authenticated attacker to send the bogus AES-GMAC proposal request, triggering the issue and causing Libreswan to crash and restart. When this connection is automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service. No remote code execution is possible.

An update for libreswan is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

*Credits: github user X1AOxiang

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-11 CVE Reserved
2024-04-11 CVE Published
2024-06-22 First Exploit
2025-02-13 CVE Updated
2025-04-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-404: Improper Resource Shutdown or Release
CWE-617: Reachable Assertion

CAPEC

References (5)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/18/2

URL	Date	SRC
https://github.com/bigb0x/CVE-2024-36527	2024-06-22

URL	Date	SRC

URL	Date	SRC
https://libreswan.org/security/CVE-2024-3652	2024-05-01
https://access.redhat.com/security/cve/CVE-2024-3652	2024-07-09
https://bugzilla.redhat.com/show_bug.cgi?id=2274448	2024-07-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
The Libreswan Project (www.libreswan.org) Search vendor "The Libreswan Project (www.libreswan.org)"		Libreswan Search vendor "The Libreswan Project (www.libreswan.org)" for product "Libreswan"				>= 3.22 <= 4.14 Search vendor "The Libreswan Project (www.libreswan.org)" for product "Libreswan" and version " >= 3.22 <= 4.14"		en		Affected