CVE-2023-23009

Name of the Vulnerable Software and Affected Versions Libreswan version 4.9

Description The issue allows remote attackers to cause a denial of service, resulting in an assert failure and daemon restart, via a crafted TS payload with an incorrect selector length. This is due to a missing check in the Traffic Selector parsing code that would reject malformed Traffic Selector payloads, leading to a double free and crash of the pluto daemon. It is noted that there is no remote code execution.

Recommendations For Libreswan version 4.9, consider updating to a version that includes the fix for this issue, as the current version is affected by the denial of service vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.