CVE-2023-26463Improper Certificate Validation in Strongswan

CWE-295Improper Certificate ValidationCWE-476NULL Pointer DereferenceCWE-825Expired Pointer DereferenceCWE-1109Use of Same Variable for Multiple PurposesCWE-284Improper Access Control8 documents6 sources
Severity
9.8CRITICALNVD
EPSS
10.1%
top 6.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
StrongswanDebian StrongswanMsrc Cbl2 Strongswan 5.9.10-1 ON CBL Mariner 2.0+2 more
Timeline
PublishedApr 15

Description

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

debiandebian/strongswan< strongswan 5.9.8-4 (bookworm)
Debianstrongswan/strongswan< 5.9.8-4+2
NVDstrongswan/strongswan5.9.8, 5.9.9+1

🔴Vulnerability Details

2
GHSA
GHSA-vcx9-7pcc-q8c7: strongSwan 52023-04-15
OSV
CVE-2023-26463: strongSwan 52023-04-15

📋Vendor Advisories

2
Microsoft
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access c2023-04-11
Debian
CVE-2023-26463: strongswan - strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it u...2023

📐Framework References

3
CWE
Expired Pointer Dereference
CWE
Use of Same Variable for Multiple Purposes
CWE
Improper Access Control