CVE-2024-3652

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Libreswan versions prior to 4.15

Description The issue is related to the Libreswan library, which is used for VPN protocols with "IPsec". It is caused by an assertion failure when handling IKEv1 packets without specifying an esp= line. When a peer requests AES-GMAC, libreswan's default proposal handler causes the failure, leading to a crash and restart. This issue does not affect IKEv2 connections. The vulnerability can be exploited by a remote attacker to cause a denial of service.

Recommendations For Libreswan versions prior to 4.15, update to version 4.15 or later to resolve the issue. As a temporary workaround, consider disabling the use of IKEv1 without specifying an esp= line until a patch is available. Restrict access to the default proposal handler to minimize the risk of exploitation. Avoid using AES-GMAC with IKEv1 until the issue is resolved.

Fix

Improper Resource Release

Assertion Failure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-404CWE-617

Related Identifiers

ALSA-2024:4050

ALSA-2024:4376

AZL-39919

AZL-39927

BDU:2024-04885

CESA-2024_4376

CVE-2024-3652

INFSA-2024_4050

INFSA-2024_4376

MGASA-2024-0138

OESA-2024-1565

RHSA-2024:4050

RHSA-2024:4200

RHSA-2024:4376

RHSA-2024:4377

RHSA-2024:4417

RHSA-2024:4431

RHSA-2024_4050

RHSA-2024_4376

RLSA-2024:4050

Affected Products

Almalinux

Centos

Debian

Libreswan

Red Hat

Red Os

Rocky Linux

CVE-2024-3652

Weakness Enumeration

Related Identifiers

Affected Products

References · 42