CVE-2023-26463
published 2023-04-15

CVE-2023-26463: strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same…

Priority P261 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.26% (80.8th percentile)
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | strongswan | < strongswan 5.9.8-4 (bookworm) | strongswan 5.9.8-4 (bookworm) |
| msrc | cbl2_strongswan_5.9.10-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| strongswan | strongswan | | |
| strongswan | strongswan | | |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |

Detection & IOCs (extracted from sources)

  • Attack vector is sending an untrusted client certificate during EAP-TLS negotiation; monitor for TLS-based EAP authentication attempts from untrusted or unexpected certificate authorities
  • Only strongSwan servers loading TLS-based EAP plugins are exploitable; audit plugin configurations for EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC
  • A server is only exploitable if it is configured to load at least one TLS-based EAP plugin (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-TNC); servers not loading these plugins are not affected.
  • The vulnerability stems from a variable named 'public' being reused for two different purposes in the same function, leading to incorrect access control followed by an expired pointer dereference; patch analysis should focus on this specific code path.

CVSS provenance

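| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_msrc | | 9.8 | CRITICAL | |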