{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2357", "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "state": "PUBLISHED", "assignerShortName": "libreswan", "dateReserved": "2024-03-09T22:24:12.530Z", "datePublished": "2024-03-11T19:39:03.280Z", "dateUpdated": "2025-02-13T17:39:47.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "shortName": "libreswan", "dateUpdated": "2024-03-23T02:06:57.682Z"}, "title": "IKEv2 misconfiguration can cause libreswan to abort and restart", "datePublic": "2024-03-11T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "IKEv2 misconfiguration can cause libreswan to abort and restart"}]}], "affected": [{"vendor": "The Libreswan Project (www.libreswan.org)", "product": "libreswan", "versions": [{"version": "3.0", "status": "unaffected", "lessThanOrEqual": "4.1", "versionType": "semver"}, {"version": "4.2", "status": "affected", "lessThanOrEqual": "4.12", "versionType": "semver"}, {"version": "5.0", "status": "unaffected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service."}], "solutions": [{"lang": "en", "value": "This issue is fixed in 4.13, 5.0 and all later versions."}], "workarounds": [{"lang": "en", "value": "As a workaround, one can place an unguessable long random default secret in /etc/ipsec.secrets, for example using the following command:\n\n echo -e \"# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"\" >> /etc/ipsec.secrets\n\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail."}], "configurations": [{"lang": "en", "value": "The vulnerability can only be triggered for connections with ikev2=yes and authby=secret"}], "timeline": [{"time": "2024-02-08T00:00:00.000Z", "lang": "en", "value": "Issue reported publicly via https://github.com/libreswan/libreswan/issues/1609"}, {"time": "2024-02-14T00:00:00.000Z", "lang": "en", "value": "Workaround posted in the github issue"}, {"time": "2024-02-15T00:00:00.000Z", "lang": "en", "value": "Fix published (as issue was already public via githb issue)"}, {"time": "2024-03-09T00:00:00.000Z", "lang": "en", "value": "Advanced notice given to support customers and distributions"}, {"time": "2024-03-11T00:00:00.000Z", "lang": "en", "value": "CVE-2024-2357 published"}], "credits": [{"lang": "en", "value": "Andrew Vaughn", "type": "finder"}], "references": [{"url": "https://libreswan.org/security/CVE-2024-2357", "name": "CVE-2024-2357", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-12T16:21:48.798359Z", "id": "CVE-2024-2357", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-20T17:25:31.624Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.507Z"}, "title": "CVE Program Container", "references": [{"url": "https://libreswan.org/security/CVE-2024-2357", "name": "CVE-2024-2357", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://libreswan.org/security/CVE-2024-2357", "name": "CVE-2024-2357", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.507Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-2357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T16:21:48.798359Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:41.758Z"}}], "cna": {"title": "IKEv2 misconfiguration can cause libreswan to abort and restart", "credits": [{"lang": "en", "type": "finder", "value": "Andrew Vaughn"}], "affected": [{"vendor": "The Libreswan Project (www.libreswan.org)", "product": "libreswan", "versions": [{"status": "unaffected", "version": "3.0", "versionType": "semver", "lessThanOrEqual": "4.1"}, {"status": "affected", "version": "4.2", "versionType": "semver", "lessThanOrEqual": "4.12"}, {"status": "unaffected", "version": "5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-08T00:00:00.000Z", "value": "Issue reported publicly via https://github.com/libreswan/libreswan/issues/1609"}, {"lang": "en", "time": "2024-02-14T00:00:00.000Z", "value": "Workaround posted in the github issue"}, {"lang": "en", "time": "2024-02-15T00:00:00.000Z", "value": "Fix published (as issue was already public via githb issue)"}, {"lang": "en", "time": "2024-03-09T00:00:00.000Z", "value": "Advanced notice given to support customers and distributions"}, {"lang": "en", "time": "2024-03-11T00:00:00.000Z", "value": "CVE-2024-2357 published"}], "solutions": [{"lang": "en", "value": "This issue is fixed in 4.13, 5.0 and all later versions."}], "datePublic": "2024-03-11T14:00:00.000Z", "references": [{"url": "https://libreswan.org/security/CVE-2024-2357", "name": "CVE-2024-2357", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"}], "workarounds": [{"lang": "en", "value": "As a workaround, one can place an unguessable long random default secret in /etc/ipsec.secrets, for example using the following command:\n\n echo -e \"# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"\" >> /etc/ipsec.secrets\n\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail."}], "descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "IKEv2 misconfiguration can cause libreswan to abort and restart"}]}], "configurations": [{"lang": "en", "value": "The vulnerability can only be triggered for connections with ikev2=yes and authby=secret"}], "providerMetadata": {"orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "shortName": "libreswan", "dateUpdated": "2024-03-23T02:06:57.682Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2357", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:39:47.355Z", "dateReserved": "2024-03-09T22:24:12.530Z", "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "datePublished": "2024-03-11T19:39:03.280Z", "assignerShortName": "libreswan"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service."}, {"lang": "es", "value": "Se notific\u00f3 a Libreswan Project sobre un problema que causaba que libreswan se reiniciara en algunos escenarios de retransmisi\u00f3n de IKEv2 cuando una conexi\u00f3n est\u00e1 configurada para usar PreSharedKeys (authby=secret) y la conexi\u00f3n no puede encontrar un secreto configurado coincidente. Cuando dicha conexi\u00f3n se agrega autom\u00e1ticamente al inicio usando la palabra clave auto=, puede causar fallas repetidas que conducen a una denegaci\u00f3n de servicio."}], "id": "CVE-2024-2357", "lastModified": "2024-11-21T09:09:35.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-11T20:15:07.867", "references": [{"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "https://libreswan.org/security/CVE-2024-2357"}, {"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"}, {"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"}, {"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://libreswan.org/security/CVE-2024-2357"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"}], "sourceIdentifier": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "vulnStatus": "Awaiting Analysis"}

{"acknowledgement": "Red Hat would like to thank Andrew Vaughn for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:1998", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libreswan-0:4.12-2.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:2082", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "libreswan-0:4.5-1.el8_6.2", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2081", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "libreswan-0:4.9-3.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2033", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libreswan-0:4.12-1.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-24T00:00:00Z"}, {"advisory": "RHSA-2024:2565", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libreswan-0:4.12-2.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:10594", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "libreswan-0:4.6-3.el9_0.3", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-12-02T00:00:00Z"}, {"advisory": "RHSA-2024:2085", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libreswan-0:4.9-5.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHBA-2024:11565", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "libreswan-0:4.6-3.el9_0.3", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2025-01-02T00:00:00Z"}, {"advisory": "RHBA-2024:11505", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "libreswan-0:4.6-3.el9_0.3", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-01-02T00:00:00Z"}, {"advisory": "RHBA-2024:11525", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "libreswan-0:4.6-3.el9_0.3", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-01-02T00:00:00Z"}], "bugzilla": {"description": "libreswan: Missing PreSharedKey for connection can cause crash", "id": "2268952", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268952"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.", "A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret), and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service."], "mitigation": {"lang": "en:us", "value": "As a workaround to prevent the misconfiguration from causing the crash, place an unguessable long random \"catch-all\" secret in /etc/ipsec.secrets, for example, using the following command:\necho -e \"# CVE-2024-2357 workaround\\n: PSK \\\"$(openssl rand -hex 32)\\\"\" >> /etc/ipsec.secrets\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail."}, "name": "CVE-2024-2357", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-03-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-2357\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2357\nhttps://github.com/libreswan/libreswan/commit/cb9e1047d33fde695d63a95854c2bc2470a476c8.patch\nhttps://libreswan.org/security/CVE-2024-2357"], "statement": "Libreswan may restart repeatedly under certain IKEv2 retransmission scenarios when using PreSharedKeys (authby=secret) if the connection cannot find a matching configured secret. If such a connection is added automatically on startup using the auto= keyword, it can lead to repeated crashes, causing a denial of service. The vulnerability arises when IKEv2 fails to find its PreSharedKey for the AUTH payload in the IKE_AUTH Exchange, resulting in assertion failure and daemon crashes. This vulnerability is triggered by local misconfiguration, and there is no known exploitation by external peers.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "threat_severity": "Moderate"}

{}