CVE-2023-26463
Published 2023-04-15
Priority P261 · critical · 9.8 CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.26% (80.8th percentile)
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | strongswan | < strongswan 5.9.8-4 (bookworm) | strongswan 5.9.8-4 (bookworm) |
| msrc | cbl2_strongswan_5.9.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| strongswan | strongswan | — | — |
| strongswan | strongswan | — | — |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |
| strongswan | strongswan | >= 0 < 5.9.8-4 | 5.9.8-4 |
Detection & IOCs (extracted from sources)
- Attack vector is sending an untrusted client certificate during EAP-TLS negotiation; monitor for TLS-based EAP authentication attempts from untrusted or unexpected certificate authorities.
- Only strongSwan servers loading TLS-based EAP plugins are exploitable; audit plugin configurations for EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC.
- A server is only exploitable if it is configured to load at least one TLS-based EAP plugin (EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-TNC); servers not loading these plugins are not affected.
- The vulnerability stems from a variable named 'public' being reused for two different purposes in the same function, leading to incorrect access control followed by an expired pointer dereference; patch analysis should focus on this specific code path.
CVSS provenance
- nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
- vendor_msrc: 9.8 CRITICAL
GHSA
GHSA-vcx9-7pcc-q8c7: strongSwan 5 (ghsa_unreviewed · 2023-04-15) · CVE-2023-26463 [CRITICAL] · CWE-295
OSV
CVE-2023-26463: strongSwan 5 (osv · 2023-04-15 · CVSS 9.8) · CVE-2023-26463 [CRITICAL]
Microsoft
vendor_msrc · 2023-04-11 · CVSS 9.8 · CVE-2023-26463 [CRITICAL] · CWE-476
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions o
Debian
CVE-2023-26463: strongswan (vendor_debian · 2023 · CVSS 9.8) · CVE-2023-26463 [CRITICAL]
Scope: local
- bookworm: resolved (fixed in 5.9.8-4)
- bullseye: resolved
- forky: resolved (fixed in 5.9.8-4)
- sid: resolved (fixed in 5.9.8-4)
- trixie: resolved (fixed in 5.9.8-4)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE-825: Expired Pointer Dereference (mitre_cwe)
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
When a product releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the product to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.
Modes of Introduction:
- Phase: Implementation
Common Consequences:
- Scope: Confidentiality. Impact: Read Memory. If the expired pointer is used in a read operation, an attacker might be able to control data r
CWE-1109: Use of Same Variable for Multiple Purposes (mitre_cwe · CVSS 9.8 · [CRITICAL])
The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.
Modes of Introduction:
- Phase: Implementation
Common Consequences:
- Scope: Other. Impact: Reduce Maintainability. This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.
- Scope: Other. Impact: Increase Analytical Complexity. Use of the same variable for multiple purposes can make it more difficult for a person to read or understand the code, potentially hiding other quality issues.
CWE-284: Improper Access Control (mitre_cwe)
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves the use of several protection mechanisms such as: Authentication (proving the identity of an actor), Authorization (ensuring that a given actor can access a resource), and Accountability (tracking of activities that were performed). When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the reso
References:
- https://github.com/strongswan/strongswan/releases
- https://security.netapp.com/advisory/ntap-20230517-0010/
- https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-%28cve-2023-26463%29.html