{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3652", "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "state": "PUBLISHED", "assignerShortName": "libreswan", "dateReserved": "2024-04-11T01:28:41.331Z", "datePublished": "2024-04-11T01:32:13.433Z", "dateUpdated": "2024-08-01T20:19:59.933Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "shortName": "libreswan", "dateUpdated": "2024-04-11T01:32:13.433Z"}, "title": "IKEv1 default AH/ESP responder can cause libreswan to abort and restart", "datePublic": "2024-04-12T21:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "IKEv1 with default AH/ESP configuration can cause libreswan to abort and restart"}]}], "affected": [{"vendor": "The Libreswan Project (www.libreswan.org)", "product": "libreswan", "versions": [{"version": "3.22", "status": "affected", "lessThanOrEqual": "4.14", "versionType": "semver"}, {"version": "5.0", "status": "unaffected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected."}], "solutions": [{"lang": "en", "value": "This issue is fixed in 4.15 and all later versions."}], "workarounds": [{"lang": "en", "value": "As a workaround, adding an esp= line to all IKEv1 connections works around the issue. An example covering most common default configurations would be: esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5. "}], "configurations": [{"lang": "en", "value": "The vulnerability can only be triggered for connections with ikev2=no that do not specify an esp= option."}], "timeline": [{"time": "2024-03-24T00:00:00.000Z", "lang": "en", "value": "Issue reported publicly by github user X1AOxiang via https://github.com/libreswan/libreswan/issues/1665"}, {"time": "2024-03-27T00:00:00.000Z", "lang": "en", "value": "Fix published in commit 03caa63de1e3 (as issue was already public via githb issue)"}, {"time": "2024-04-10T00:00:00.000Z", "lang": "en", "value": "Advanced notice given to support customers and distributions"}, {"time": "2024-04-12T00:00:00.000Z", "lang": "en", "value": "CVE-2024-3652 published"}], "credits": [{"lang": "en", "value": "github user X1AOxiang", "type": "finder"}], "references": [{"url": "https://libreswan.org/security/CVE-2024-3652", "name": "CVE-2024-3652", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/18/2"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-11T17:26:47.015453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:30.853Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:19:59.933Z"}, "title": "CVE Program Container", "references": [{"url": "https://libreswan.org/security/CVE-2024-3652", "name": "CVE-2024-3652", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/18/2", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://libreswan.org/security/CVE-2024-3652", "name": "CVE-2024-3652", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/18/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:19:59.933Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-11T17:26:47.015453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.347Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "IKEv1 default AH/ESP responder can cause libreswan to abort and restart", "credits": [{"lang": "en", "type": "finder", "value": "github user X1AOxiang"}], "affected": [{"vendor": "The Libreswan Project (www.libreswan.org)", "product": "libreswan", "versions": [{"status": "affected", "version": "3.22", "versionType": "semver", "lessThanOrEqual": "4.14"}, {"status": "unaffected", "version": "5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-24T00:00:00.000Z", "value": "Issue reported publicly by github user X1AOxiang via https://github.com/libreswan/libreswan/issues/1665"}, {"lang": "en", "time": "2024-03-27T00:00:00.000Z", "value": "Fix published in commit 03caa63de1e3 (as issue was already public via githb issue)"}, {"lang": "en", "time": "2024-04-10T00:00:00.000Z", "value": "Advanced notice given to support customers and distributions"}, {"lang": "en", "time": "2024-04-12T00:00:00.000Z", "value": "CVE-2024-3652 published"}], "solutions": [{"lang": "en", "value": "This issue is fixed in 4.15 and all later versions."}], "datePublic": "2024-04-12T21:00:00.000Z", "references": [{"url": "https://libreswan.org/security/CVE-2024-3652", "name": "CVE-2024-3652", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/18/2"}], "workarounds": [{"lang": "en", "value": "As a workaround, adding an esp= line to all IKEv1 connections works around the issue. An example covering most common default configurations would be: esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5. "}], "descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "IKEv1 with default AH/ESP configuration can cause libreswan to abort and restart"}]}], "configurations": [{"lang": "en", "value": "The vulnerability can only be triggered for connections with ikev2=no that do not specify an esp= option."}], "providerMetadata": {"orgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "shortName": "libreswan", "dateUpdated": "2024-04-11T01:32:13.433Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3652", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:19:59.933Z", "dateReserved": "2024-04-11T01:28:41.331Z", "assignerOrgId": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "datePublished": "2024-04-11T01:32:13.433Z", "assignerShortName": "libreswan"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected."}, {"lang": "es", "value": "Se notific\u00f3 a Libreswan Project sobre un problema que provocaba que libreswan se reiniciara al usar IKEv1 sin especificar una l\u00ednea esp=. Cuando el par solicita AES-GMAC, el controlador de propuestas predeterminado de libreswan provoca un error de aserci\u00f3n, falla y se reinicia. Las conexiones IKEv2 no se ven afectadas."}], "id": "CVE-2024-3652", "lastModified": "2024-05-01T17:15:37.793", "metrics": {}, "published": "2024-04-11T02:15:47.790", "references": [{"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "http://www.openwall.com/lists/oss-security/2024/04/18/2"}, {"source": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "url": "https://libreswan.org/security/CVE-2024-3652"}], "sourceIdentifier": "d42dc95b-23f1-4e06-9076-20753a0fb0df", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:4376", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libreswan-0:4.12-2.el8_10.4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4417", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "libreswan-0:4.5-1.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4417", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "libreswan-0:4.5-1.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4417", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "libreswan-0:4.5-1.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-07-09T00:00:00Z"}, {"advisory": "RHSA-2024:4200", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "libreswan-0:4.9-3.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-01T00:00:00Z"}, {"advisory": "RHSA-2024:4050", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libreswan-0:4.12-2.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-23T00:00:00Z"}, {"advisory": "RHSA-2024:4377", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "libreswan-0:4.6-3.el9_0.2", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4431", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libreswan-0:4.9-5.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-09T00:00:00Z"}], "bugzilla": {"description": "libreswan: IKEv1 default AH/ESP responder can crash and restart", "id": "2274448", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274448"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-617", "details": ["The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.", "A flaw was found in Libreswan, where it was identified to contain an assertion failure issue in the compute_proto_keymat() function. The vulnerability can be exploited when an IKEv1 connection is loaded with an AH/ESP default setting when no esp= line is present in the connection. This flaw allows an authenticated attacker to send the bogus AES-GMAC proposal request, triggering the issue and causing Libreswan to crash and restart. When this connection is automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service. No remote code execution is possible."], "mitigation": {"lang": "en:us", "value": "An esp= line using a common IKEv1 algorithm list can be added to all IKEv1 based connections. An example of such an esp= line could be:\n~~~\nesp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5\n~~~"}, "name": "CVE-2024-3652", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3652\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3652\nhttps://libreswan.org/security/CVE-2024-3652"], "statement": "The CVE-2024-3652 vulnerability in Libreswan is classified as a moderate severity issue due to its limited scope and impact. While the vulnerability can lead to Denial of Service (DoS) by causing the Libreswan service to crash and restart, it does not allow for Remote Code Execution or expose sensitive data. Additionally, the exploitation of this vulnerability requires specific conditions to be met: an IKEv1 connection loaded without an esp= line and the peer to have authenticated itself. Furthermore, IKEv2 connections are not vulnerable to this issue.", "threat_severity": "Moderate", "upstream_fix": "libreswan 4.15, libreswan 5.0"}