mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
106 lines
4.0 KiB
JSON
106 lines
4.0 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-3652",
|
|
"ASSIGNER": "security@libreswan.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "IKEv1 with default AH/ESP configuration can cause libreswan to abort and restart"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "The Libreswan Project (www.libreswan.org)",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "libreswan",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "3.22",
|
|
"status": "affected",
|
|
"lessThanOrEqual": "4.14",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.0",
|
|
"status": "unaffected"
|
|
}
|
|
],
|
|
"defaultStatus": "unaffected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://libreswan.org/security/CVE-2024-3652",
|
|
"refsource": "MISC",
|
|
"name": "https://libreswan.org/security/CVE-2024-3652"
|
|
},
|
|
{
|
|
"url": "http://www.openwall.com/lists/oss-security/2024/04/18/2",
|
|
"refsource": "MISC",
|
|
"name": "http://www.openwall.com/lists/oss-security/2024/04/18/2"
|
|
}
|
|
]
|
|
},
|
|
"configuration": [
|
|
{
|
|
"lang": "en",
|
|
"value": "The vulnerability can only be triggered for connections with ikev2=no that do not specify an esp= option."
|
|
}
|
|
],
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"value": "As a workaround, adding an esp= line to all IKEv1 connections works around the issue. An example covering most common default configurations would be: esp=aes-sha2_512,aes-sha1,aes-sha2_256,aes-md5,3des-sha1,3des-md5. "
|
|
}
|
|
],
|
|
"solution": [
|
|
{
|
|
"lang": "en",
|
|
"value": "This issue is fixed in 4.15 and all later versions."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "github user X1AOxiang"
|
|
}
|
|
]
|
|
} |