Paul Wouters

**Name of the Vulnerable Software and Affected Versions** libreswan versions prior to 4.14 **Description** The issue causes libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. This can lead to repeated crashes and a Denial of Service, especially when such a connection is automatically added on startup using the auto= keyword. The vulnerability is related to the use of PreSharedKeys for creating the AUTH payload in IKE AUTH Exchange, allowing a remote attacker to perform a Denial of Service attack. **Recommendations** For versions prior to 4.14, upgrade to version 4.14 to resolve the issue. As a temporary workaround, consider disabling the use of PreSharedKeys (authby=secret) for connections that cannot find a matching configured secret, or avoid automatically adding such connections on startup using the auto= keyword. Restrict access to the `authby=secret` configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Libreswan version 4.9 **Description** The issue allows remote attackers to cause a denial of service, resulting in an assert failure and daemon restart, via a crafted TS payload with an incorrect selector length. This is due to a missing check in the Traffic Selector parsing code that would reject malformed Traffic Selector payloads, leading to a double free and crash of the pluto daemon. It is noted that there is no remote code execution. **Recommendations** For Libreswan version 4.9, consider updating to a version that includes the fix for this issue, as the current version is affected by the denial of service vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Unbound versions 1.6.4 through 1.9.4 **Description** The issue is related to the lack of input data sanitization in the ipsec module of the Unbound DNS server, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. This can be triggered by a specially crafted IPSECKEY answer, but only if Unbound was compiled with `--enable-ipsecmod` support and ipsecmod is enabled and used in the configuration. **Recommendations** For Unbound versions 1.6.4 through 1.9.4, update to version 1.9.5 or later to resolve the issue. As a temporary workaround, consider disabling the ipsec module (`--enable-ipsecmod`) until a patch is available. Restrict access to the ipsec module to minimize the risk of exploitation. Avoid using the ipsec module in the configuration until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libreswan versions prior to 3.15 Openswan versions prior to 2.6.45 **Description** The issue allows remote attackers to cause a denial of service, resulting in an assertion failure and daemon restart. This occurs when a zero DH g^x value is present in a KE payload within an IKE packet. The affected software must be built with NSS for this issue to be exploitable. **Recommendations** For libreswan versions prior to 3.15, update to version 3.15 or later. For Openswan versions prior to 2.6.45, update to version 2.6.45 or later.

**Name of the Vulnerable Software and Affected Versions** Openswan version 2.6.40 **Description** The issue allows remote attackers to cause a denial of service, resulting in a NULL pointer dereference and IKE daemon restart, via IKEv2 packets that lack expected payloads. This problem exists due to an incomplete fix for a previous issue. **Recommendations** For Openswan version 2.6.40, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Libreswan version 3.6 **Description** The issue allows remote attackers to cause a denial of service, resulting in a crash, by sending a specially crafted IKE packet with a small length value and either no version or an invalid major number. **Recommendations** For Libreswan version 3.6, update to a version that includes a fix for this issue to prevent denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Network (RHN) Configuration Client (rhncfg-client) versions prior to 5.10.27-8 **Description** The issue allows local users to obtain sensitive information about the rhncfg-client actions by reading the /var/log/rhncfg-actions file due to weak permissions. **Recommendations** For versions prior to 5.10.27-8, update to version 5.10.27-8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** openswan versions prior to 2.6.39 openswan-doc (affected versions not specified) **Description** The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely. **Recommendations** For openswan versions prior to 2.6.39, update to version 2.6.39 or later. For openswan-doc, at the moment, there is no information about a newer version that contains a fix for this vulnerability.