{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-2357","assignerOrgId":"d42dc95b-23f1-4e06-9076-20753a0fb0df","state":"PUBLISHED","assignerShortName":"libreswan","dateReserved":"2024-03-09T22:24:12.530Z","datePublished":"2024-03-11T19:39:03.280Z","dateUpdated":"2025-02-13T17:39:47.355Z"},"containers":{"cna":{"providerMetadata":{"orgId":"d42dc95b-23f1-4e06-9076-20753a0fb0df","shortName":"libreswan","dateUpdated":"2024-03-23T02:06:57.682Z"},"title":"IKEv2 misconfiguration can cause libreswan to abort and restart","datePublic":"2024-03-11T14:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","description":"IKEv2 misconfiguration can cause libreswan to abort and restart"}]}],"affected":[{"vendor":"The Libreswan Project (www.libreswan.org)","product":"libreswan","versions":[{"version":"3.0","status":"unaffected","lessThanOrEqual":"4.1","versionType":"semver"},{"version":"4.2","status":"affected","lessThanOrEqual":"4.12","versionType":"semver"},{"version":"5.0","status":"unaffected"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service."}],"solutions":[{"lang":"en","value":"This issue is fixed in 4.13, 5.0 and all later versions."}],"workarounds":[{"lang":"en","value":"As a workaround, one can place an unguessable long random default secret in /etc/ipsec.secrets, for example using the following command:\n\n echo -e \"# CVE-2024-2357 workaround\n: PSK \"$(openssl rand -hex 32)\"\" >> /etc/ipsec.secrets\n\nThis will ensure a PSK secret is always found, but it will always be wrong, and thus authentication will still properly fail."}],"configurations":[{"lang":"en","value":"The vulnerability can only be triggered for connections with ikev2=yes and authby=secret"}],"timeline":[{"time":"2024-02-08T00:00:00.000Z","lang":"en","value":"Issue reported publicly via https://github.com/libreswan/libreswan/issues/1609"},{"time":"2024-02-14T00:00:00.000Z","lang":"en","value":"Workaround posted in the github issue"},{"time":"2024-02-15T00:00:00.000Z","lang":"en","value":"Fix published (as issue was already public via githb issue)"},{"time":"2024-03-09T00:00:00.000Z","lang":"en","value":"Advanced notice given to support customers and distributions"},{"time":"2024-03-11T00:00:00.000Z","lang":"en","value":"CVE-2024-2357 published"}],"credits":[{"lang":"en","value":"Andrew Vaughn","type":"finder"}],"references":[{"url":"https://libreswan.org/security/CVE-2024-2357","name":"CVE-2024-2357","tags":["vendor-advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/"}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-noinfo Not enough information"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-03-12T16:21:48.798359Z","id":"CVE-2024-2357","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-20T17:25:31.624Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T19:11:53.507Z"},"title":"CVE Program Container","references":[{"url":"https://libreswan.org/security/CVE-2024-2357","name":"CVE-2024-2357","tags":["vendor-advisory","x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJZJYFHKBIJ4ZK5GAWWFFR3AKJS6O5JX/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEM46ALKF7NG6CAUKZ7KQERVOHWQIQKY/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVQ7MZY6LFFGRWAJNTKKN2VSEFS2VPAR/","tags":["x_transferred"]}]}]}}