OpenCVE

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Libreswan	Libreswan
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:libreswan:libreswan::::::::
	cpe:2.3:a:libreswan:libreswan::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
libreswan-0:4.12-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:7052	2023-11-14T00:00:00Z
Red Hat Enterprise Linux 9
libreswan-0:4.12-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6549	2023-11-07T00:00:00Z

References

Link	Providers
https://github.com/libreswan/libreswan/releases/tag/v4.12
https://github.com/libreswan/libreswan/tags
https://libreswan.org/security/CVE-2023-38712/
https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt
https://nvd.nist.gov/vuln/detail/CVE-2023-38712
https://www.cve.org/CVERecord?id=CVE-2023-38712

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-25T00:00:00

Updated: 2024-08-02T17:46:56.799Z

Reserved: 2023-07-24T00:00:00

Link: CVE-2023-38712

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-25T21:15:08.293

Modified: 2023-12-11T19:57:46.587

Link: CVE-2023-38712

Redhat

Severity : Moderate

Publid Date: 2023-08-08T00:00:00Z

Links: CVE-2023-38712 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DF49694-9BD7-46A7-851B-F03CB49A9250", "versionEndExcluding": "4.0", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*", "matchCriteriaId": "8923F14F-CAAA-402E-8549-8250C9CADA4A", "versionEndExcluding": "4.12", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart."}, {"lang": "es", "value": "Se ha descubierto un problema en Libreswan 3.x y 4.x antes de 4.12. Cuando un paquete IKEv1 ISAKMP SA Informational Exchange contiene una carga \u00fatil Delete/Notify seguida de m\u00e1s Notifies que act\u00faan sobre el ISAKMP SA, como un mensaje Delete/Notify duplicado, una desviaci\u00f3n de puntero NULL en el estado eliminado hace que el demonio pluto se bloquee y se reinicie.\n"}], "id": "CVE-2023-38712", "lastModified": "2023-12-11T19:57:46.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T21:15:08.293", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/libreswan/libreswan/tags"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://libreswan.org/security/CVE-2023-38712/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7052", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libreswan-0:4.12-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6549", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libreswan-0:4.12-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "libreswan: Invalid IKEv1 repeat IKE SA delete causes crash and restart", "id": "2225369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225369"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.", "A NULL pointer dereference vulnerability was found in the Libreswan package. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state occurs. This flaw allows a malicious client or attacker to send a malformed IKEv1 Delete/Notify packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack."], "name": "CVE-2023-38712", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38712\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38712\nhttps://github.com/libreswan/libreswan/releases/tag/v4.12\nhttps://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt"], "statement": "IKEv1 Delete/Notify requests are only processed when received from authenticated peers, limiting the scope of possible attackers to peers who have successfully authenticated.", "threat_severity": "Moderate", "upstream_fix": "libreswan 4.12"}