CVE-2024-2357 — Uncontrolled Resource Consumption in Libreswan

CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.6%

top 31.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libreswan Debian Libreswan THE Libreswan Project Libreswan

Timeline

PublishedMar 11

Description

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5the_libreswan_project/libreswan4.2 — 4.12

▶debiandebian/libreswan< libreswan 4.14-1 (forky)

▶Debianlibreswan/libreswan< 4.14-1+1

🔴Vulnerability Details

OSV

CVE-2024-2357: The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to u↗2024-03-11

▶

GHSA

GHSA-77h7-8788-mfv3: The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to u↗2024-03-11

▶

📋Vendor Advisories

Red Hat

libreswan: Missing PreSharedKey for connection can cause crash↗2024-03-11

▶

Debian

CVE-2024-2357: libreswan - The Libreswan Project was notified of an issue causing libreswan to restart unde...↗2024

▶