Vulnerability in Popular VPN Software Could Lead to Crashes and Service Disruptions
A newly discovered vulnerability in Libreswan, a widely used open-source VPN (Virtual Private Network) software, could leave systems open to crashes and potential denial of service attacks, say researchers. The vulnerability poses a risk to organizations that rely on Libreswan to secure their connections.
What is Libreswan?
Libreswan is a popular implementation of the Internet Key Exchange (IKE) protocol, a core component used in establishing secure encrypted connections for VPNs. It’s found across a variety of operating systems, including Linux, FreeBSD, NetBSD, and OpenBSD.
The Vulnerability (CVE-2024-3652)
The vulnerability lies in Libreswan’s handling of IKEv1 connections when certain default settings are in place. It emerges under specific conditions when Libreswan operates as an IKEv1 responder with the default AH/ESP configuration and lacks an explicit esp= line in the connection settings. The vulnerability is triggered during a Quick Mode exchange post successful IKEv1 authentication (via Main Mode or Aggressive Mode). A malformed AES-GMAC proposal can cause the service to crash and restart, leading to a potential Denial of Service (DoS) situation if exploited.
The core of the issue lies in the compute_proto_keymat() function, which fails to handle unexpected proposals where the keymat size is zero, such as those only possible with NULL encryption. This function, upon encountering such proposals, triggers an assertion failure, crashing the Libreswan process. The exploit requires an authenticated IKEv1 connection, making it somewhat complex to execute but still a significant risk for affected systems.
Who is at Risk?
Organizations and individuals using the following versions of Libreswan are vulnerable to this flaw:
- Libreswan versions 3.22 to 4.14
Mitigation and Fixes
The Libreswan project has released patches for the affected software versions. Users are strongly advised to upgrade to one of the following versions as soon as possible:
- Libreswan 4.15 or later
- Libreswan 5.0 or later
If upgrading is not immediately possible, a workaround is available that involves modifying connection configurations within Libreswan.
Additional Information
For more detailed technical information about the vulnerability (CVE-2024-3652) and the workaround, please refer to the original security advisory from the Libreswan Project.
