Description
The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.
A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret), and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service.
Statement
Libreswan may restart repeatedly under certain IKEv2 retransmission scenarios when using PreSharedKeys (authby=secret) if the connection cannot find a matching configured secret. If such a connection is added automatically on startup using the auto= keyword, it can lead to repeated crashes, causing a denial of service. The vulnerability arises when IKEv2 fails to find its PreSharedKey for the AUTH payload in the IKE_AUTH Exchange, resulting in an assertion failure and daemon crash. This vulnerability is triggered by local misconfiguration, and there is no known exploitation by external peers.

Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools, to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.
Mitigation
As a workaround to prevent the misconfiguration from causing the crash, place an unguessable long random "catch-all" secret in /etc/ipsec.secrets, for example, using the following command:

echo -e "# CVE-2024-2357 workaround\n: PSK "$(openssl rand -hex 32)"" >> /etc/ipsec.secrets

This will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail.
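An idempotent form of this workaround, as an added shell example that is not part of the advisory or of the Libreswan project's tooling: it takes the secrets file path as a parameter (the real target is /etc/ipsec.secrets), refuses to append the catch-all line a second time, writes the PSK in the quoted form that ipsec.secrets accepts, and tightens the file mode afterwards. It assumes openssl is installed, falling back to /dev/urandom if it is not.

```shell
#!/bin/sh
# Added example: apply the CVE-2024-2357 "catch-all PSK" workaround to a
# secrets file exactly once and let the caller verify the result.
# The marker comment is what makes the operation idempotent.

MARKER='# CVE-2024-2357 workaround'

# Returns 0 when the file already carries the marker and a 256-bit hex PSK.
has_catchall_psk() {
    file="$1"
    [ -f "$file" ] && grep -qxF "$MARKER" "$file" \
        && grep -qE '^: PSK "[0-9a-f]{64}"$' "$file"
}

# Appends the marker and a random catch-all PSK unless one is present.
# The value is deliberately never shown to the operator: it only has to
# exist so the lookup succeeds, authentication is still meant to fail.
add_catchall_psk() {
    file="$1"
    if has_catchall_psk "$file"; then
        return 0
    fi
    psk=$(openssl rand -hex 32 2>/dev/null) \
        || psk=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#psk}" -eq 64 ] || return 1
    printf '%s\n: PSK "%s"\n' "$MARKER" "$psk" >> "$file" || return 1
    # Secrets must stay readable by root only, like the rest of the file.
    chmod 0600 "$file"
}

# Prints how many marker lines the file holds (0 for a missing file), so a
# second run can be shown to be a no-op.
count_catchall_psk() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF "$MARKER" "$1" || true
}
```

Run it as root against /etc/ipsec.secrets and then `ipsec rereadsecrets` (or restart the daemon) so the running pluto picks up the new entry.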
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | libreswan | Out of support scope | ||
Red Hat Enterprise Linux 7 | libreswan | Out of support scope | ||
Red Hat Enterprise Linux 8 | libreswan | Fixed | RHSA-2024:1998 | 23.04.2024 |
Red Hat Enterprise Linux 8.6 Extended Update Support | libreswan | Fixed | RHSA-2024:2082 | 30.04.2024 |
Red Hat Enterprise Linux 8.8 Extended Update Support | libreswan | Fixed | RHSA-2024:2081 | 30.04.2024 |
Red Hat Enterprise Linux 9 | libreswan | Fixed | RHSA-2024:2033 | 24.04.2024 |
Red Hat Enterprise Linux 9 | libreswan | Fixed | RHSA-2024:2565 | 30.04.2024 |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | libreswan | Fixed | RHSA-2024:10594 | 02.12.2024 |
Red Hat Enterprise Linux 9.2 Extended Update Support | libreswan | Fixed | RHSA-2024:2085 | 30.04.2024 |
Red Hat OpenShift Container Platform 4.15 | libreswan | Fixed | RHBA-2024:11565 | 02.01.2025 |
Additional information
Status: 5 Medium (CVSS3)