strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.
The attacker sends a crafted IKE_SA_INIT message containing a DH (Diffie-Hellman) public value whose size exceeds the capacity of the internal buffer in the DH proxy module of the charon-tkm component. The lack of proper input size validation (CWE-120 — buffer overflow) causes buffer overflow. Since the attack occurs at the IKE session establishment stage, before any authentication, the exploit is possible for an anonymous network attacker.
Successful exploitation of the vulnerability may allow an attacker to remotely execute arbitrary code (RCE) on the vulnerable system without authentication, potentially resulting in complete device takeover and violation of data confidentiality, integrity, and availability.
strongSwan should be updated to version 5.9.12 or newer. Patch packages are also available for Fedora and Debian distributions (including Debian LTS). Details are available on the official strongSwan blog and in release repositories on GitHub.
strongSwan in versions 5.3.0 to 5.9.11 (inclusive), only configurations using the charon-tkm component (TKM — Trusted Key Manager) with DH proxy enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HStrongswan
APPStrongswan5.3.0 – 5.9.12 (bez)
Related vulnerabilities
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" ...
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually a...
strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial of service (daemon crash) or execute arbi...
strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of ce...
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sendi...