mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-05-28 17:21:57 +00:00
122 lines
5.5 KiB
JSON
122 lines
5.5 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-2357",
|
|
"ASSIGNER": "security@libreswan.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "IKEv2 misconfiguration can cause libreswan to abort and restart"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "The Libreswan Project (www.libreswan.org)",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "libreswan",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "3.0",
|
|
"status": "unaffected",
|
|
"lessThanOrEqual": "4.1",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "4.2",
|
|
"status": "affected",
|
|
"lessThanOrEqual": "4.12",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.0",
|
|
"status": "unaffected"
|
|
}
|
|
],
|
|
"defaultStatus": "unaffected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://libreswan.org/security/CVE-2024-2357",
|
|
"refsource": "MISC",
|
|
"name": "https://libreswan.org/security/CVE-2024-2357"
|
|
},
|
|
{
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/",
|
|
"refsource": "MISC",
|
|
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"
|
|
},
|
|
{
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/",
|
|
"refsource": "MISC",
|
|
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"
|
|
},
|
|
{
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/",
|
|
"refsource": "MISC",
|
|
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"
|
|
}
|
|
]
|
|
},
|
|
"configuration": [
|
|
{
|
|
"lang": "en",
|
|
"value": "The vulnerability can only be triggered for connections with ikev2=yes and authby=secret"
|
|
}
|
|
],
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"value": "As a workaround, one can place an unguessable long random default secret in /etc/ipsec.secrets, for example using the following command:\n\n echo -e \"# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"\" >> /etc/ipsec.secrets\n\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail."
|
|
}
|
|
],
|
|
"solution": [
|
|
{
|
|
"lang": "en",
|
|
"value": "This issue is fixed in 4.13, 5.0 and all later versions."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Andrew Vaughn"
|
|
}
|
|
]
|
|
} |