CVE-2024-3652 — Improper Resource Shutdown or Release in Libreswan

CWE-404 — Improper Resource Shutdown or Release CWE-617 — Reachable Assertion6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 91.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libreswan Debian Libreswan THE Libreswan Project Libreswan +5 more

Timeline

PublishedApr 11

Latest updateApr 15

Description

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5the_libreswan_project/libreswan3.22 — 4.14

▶debiandebian/libreswan< libreswan 4.15-1 (forky)

▶NVDlibreswan/libreswan3.22 — 4.15

▶Debianlibreswan/libreswan< 4.15-1+1

▶msrcmsrc/azl3_libreswan_4.7-7_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-395v-96gv-76w3: The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line↗2024-04-11

▶

OSV

CVE-2024-3652: The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line↗2024-04-11

▶

📋Vendor Advisories

Red Hat

libreswan: IKEv1 default AH/ESP responder can crash and restart↗2024-04-15

▶

Microsoft

IKEv1 default AH/ESP responder can cause libreswan to abort and restart↗2024-04-09

▶

Debian

CVE-2024-3652: libreswan - The Libreswan Project was notified of an issue causing libreswan to restart when...↗2024

▶