CVE-2023-41913
published 2023-12-07


Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.1st percentile)
strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

Affected

13 ranges

Vendor     | Product                                      | Version range                            | Fixed in
debian     | strongswan                                   | < strongswan 5.9.8-5+deb12u1 (bookworm)  | strongswan 5.9.8-5+deb12u1 (bookworm)
msrc       | azl3_strongswan_5.9.11-1_on_azure_linux_3.0  |                                          |
msrc       | azl3_strongswan_5.9.12-1_on_azure_linux_3.0  |                                          |
msrc       | azure_linux_3.0_arm                          |                                          |
msrc       | azure_linux_3.0_x64                          |                                          |
msrc       | cbl2_strongswan_5.9.10-3_on_cbl_mariner_2.0  |                                          |
msrc       | cbl_mariner_2.0_arm                          |                                          |
msrc       | cbl_mariner_2.0_x64                          |                                          |
strongswan | strongswan                                   | >= 0 < 5.9.1-1+deb11u4                   | 5.9.1-1+deb11u4
strongswan | strongswan                                   | >= 0 < 5.9.8-5+deb12u1                   | 5.9.8-5+deb12u1
strongswan | strongswan                                   | >= 0 < 5.9.12-1                          | 5.9.12-1
strongswan | strongswan                                   | >= 0 < 5.9.12-1                          | 5.9.12-1
strongswan | strongswan                                   | >= 5.3.0 < 5.9.12                        | 5.9.12

Detection & IOCs (extracted from sources)

  • Attack vector is a crafted IKE_SA_INIT message containing a DH public value that exceeds the internal buffer in charon-tkm's DH proxy; monitor/filter IKEv2 IKE_SA_INIT exchanges for anomalously large DH public values
  • The vulnerable component is charon-tkm's DH proxy; focus detection on the charon-tkm process handling DH public values that exceed its internal buffer
  • Only deployments using charon-tkm (the TKM-based IKE daemon) are affected; standard charon deployments without TKM are not vulnerable
  • The vulnerability is exploitable pre-authentication, meaning no valid IKE credentials are required for an attacker to trigger the buffer overflow

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_msrc   |         | 9.8   | CRITICAL |