CVE-2023-23009 — Uncontrolled Resource Consumption in Libreswan

CWE-400 — Uncontrolled Resource Consumption CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 36.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libreswan Debian Libreswan Debian Linux

Timeline

PublishedFeb 21

Description

Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libreswan< libreswan 4.9-2 (bookworm)

▶Debianlibreswan/libreswan< 4.3-1+deb11u3+3

▶NVDlibreswan/libreswan4.9

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3gxg-hfhr-6g9x: Libreswan 4↗2023-02-21

▶

CVEList

CVE-2023-23009: Libreswan 4↗2023-02-21

▶

OSV

CVE-2023-23009: Libreswan 4↗2023-02-21

▶

📋Vendor Advisories

Red Hat

libreswan: remote DoS via crafted TS payload with an incorrect selector length↗2023-02-21

▶

Debian

CVE-2023-23009: libreswan - Libreswan 4.9 allows remote attackers to cause a denial of service (assert failu...↗2023

▶