MidnightBSD

Advisories for strongswan

CVE-2004-0590 HIGH

FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
frees_wan super_frees_wan 1
strongswan strongswan *
frees_wan frees_wan 1
frees_wan frees_wan 2
openswan openswan 1
openswan openswan 2
CVE-2010-2628 HIGH

The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before 4.4.1 does not properly check the return values of snprintf calls, which allows remote attackers to execute arbitrary code via crafted (1) certificate or (2) identity data that triggers buffer overflows.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
strongswan strongswan 4.3.0
strongswan strongswan 4.3.4
strongswan strongswan 4.3.1
strongswan strongswan 4.3.6
strongswan strongswan 4.3.5
strongswan strongswan 4.3.2
strongswan strongswan 4.4.0
strongswan strongswan 4.3.3
CVE-2012-2388 HIGH

The GMP Plugin in strongSwan 4.2.0 through 4.6.3 allows remote attackers to bypass authentication via a (1) empty or (2) zeroed RSA signature, aka "RSA signature verification vulnerability."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
strongswan strongswan 4.2.12
strongswan strongswan 4.3.0
strongswan strongswan 4.3.4
strongswan strongswan 4.5.2
strongswan strongswan 4.2.0
strongswan strongswan 4.6.2
strongswan strongswan 4.3.5
strongswan strongswan 4.2.11
strongswan strongswan 4.2.1
strongswan strongswan 4.2.7
strongswan strongswan 4.3.1
strongswan strongswan 4.5.3
strongswan strongswan 4.2.9
strongswan strongswan 4.2.15
strongswan strongswan 4.2.10
strongswan strongswan 4.2.13
strongswan strongswan 4.5.1
strongswan strongswan 4.2.6
strongswan strongswan 4.4.1
strongswan strongswan 4.2.3
strongswan strongswan 4.2.5
strongswan strongswan 4.2.2
strongswan strongswan 4.5.0
strongswan strongswan 4.2.14
strongswan strongswan 4.6.0
strongswan strongswan 4.2.8
strongswan strongswan 4.3.6
strongswan strongswan 4.2.4
strongswan strongswan 4.2.16
strongswan strongswan 4.3.2
strongswan strongswan 4.6.3
strongswan strongswan 4.4.0
strongswan strongswan 4.6.1
strongswan strongswan 4.3.3
CVE-2013-2054 MEDIUM

Buffer overflow in the atodn function in strongSwan 2.0.0 through 4.3.4, when Opportunistic Encryption is enabled and an RSA key is being used, allows remote attackers to cause a denial of service (pluto IKE daemon crash) and possibly execute arbitrary code via crafted DNS TXT records. NOTE: this might be the same vulnerability as CVE-2013-2053 and CVE-2013-2054.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
strongswan strongswan 2.6.21
strongswan strongswan 2.8.3
strongswan strongswan 2.4.4
strongswan strongswan 2.1.1
strongswan strongswan 4.0.5
strongswan strongswan 2.5.7
strongswan strongswan 2.5.4
strongswan strongswan 2.5.0
strongswan strongswan 2.7.0
strongswan strongswan 4.1.6
strongswan strongswan 2.1.0
strongswan strongswan 4.0.0
strongswan strongswan 2.8.0
strongswan strongswan 4.2.3
strongswan strongswan 4.1.0
strongswan strongswan 4.2.2
strongswan strongswan 2.8.5
strongswan strongswan 2.8.4
strongswan strongswan 4.2.4
strongswan strongswan 4.1.4
strongswan strongswan 2.5.3
strongswan strongswan 4.0.4
strongswan strongswan 4.2.12
strongswan strongswan 4.1.3
strongswan strongswan 4.1.11
strongswan strongswan 4.2.0
strongswan strongswan 2.6.3
strongswan strongswan 2.8.9
strongswan strongswan 4.1.10
strongswan strongswan 4.2.11
strongswan strongswan 2.6.2
strongswan strongswan 4.0.3
strongswan strongswan 4.2.7
strongswan strongswan 2.5.6
strongswan strongswan 4.1.7
strongswan strongswan 2.8.2
strongswan strongswan 2.4.1
strongswan strongswan 2.6.4
strongswan strongswan 2.8.1
strongswan strongswan 2.1.5
strongswan strongswan 2.7.3
strongswan strongswan 2.4.3
strongswan strongswan 2.1.3
strongswan strongswan 2.8.8
strongswan strongswan 4.2.8
strongswan strongswan 4.0.2
strongswan strongswan 2.5.5
strongswan strongswan 4.3.2
strongswan strongswan 4.1.1
strongswan strongswan 4.3.0
strongswan strongswan 4.3.4
strongswan strongswan 2.7.2
strongswan strongswan 2.6.0
strongswan strongswan 2.8.10
strongswan strongswan 4.2.1
strongswan strongswan 4.0.1
strongswan strongswan 4.2.9
strongswan strongswan 4.2.15
strongswan strongswan 2.1.2
strongswan strongswan 4.1.9
strongswan strongswan 2.4.2
strongswan strongswan 2.6.14
strongswan strongswan 4.2.13
strongswan strongswan 2.6.20
strongswan strongswan 4.1
strongswan strongswan 4.1.8
strongswan strongswan 2.0.0
strongswan strongswan 4.2.6
strongswan strongswan 4.2.5
strongswan strongswan 2.5.1
strongswan strongswan 2.3.0
strongswan strongswan 4.2.14
strongswan strongswan 2.3.2
strongswan strongswan 2.3.1
strongswan strongswan 4.1.5
strongswan strongswan 2.7.1
strongswan strongswan 4.0.6
strongswan strongswan 4.3.3
strongswan strongswan 2.0.2
strongswan strongswan 2.0.1
strongswan strongswan 2.6
strongswan strongswan 2.4
strongswan strongswan 2.8.7
strongswan strongswan 2.4.0
strongswan strongswan 2.8.11
strongswan strongswan 4.3.1
strongswan strongswan 2.6.1
strongswan strongswan 2.5.2
strongswan strongswan 4.2.10
strongswan strongswan 4.1.2
strongswan strongswan 2.4.0a
strongswan strongswan 2.8.6
strongswan strongswan 2.1.4
strongswan strongswan 2.6.16
strongswan strongswan 4.0.7
strongswan strongswan 4.2.16
CVE-2013-2944 MEDIUM

strongSwan 4.3.5 through 5.0.3, when using the OpenSSL plugin for ECDSA signature verification, allows remote attackers to authenticate as other users via an invalid signature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
strongswan strongswan 5.0.2
strongswan strongswan 4.5.2
strongswan strongswan 4.6.2
strongswan strongswan 4.3.5
strongswan strongswan 4.4.1
strongswan strongswan 5.0.1
strongswan strongswan 5.0.0
strongswan strongswan 4.5.0
strongswan strongswan 4.6.0
strongswan strongswan 4.3.6
strongswan strongswan 4.5.3
strongswan strongswan 4.6.4
strongswan strongswan 4.3.7
strongswan strongswan 4.6.3
strongswan strongswan 4.4.0
strongswan strongswan 4.6.1
strongswan strongswan 4.5.1
CVE-2013-5018 MEDIUM

The is_asn1 function in strongSwan 4.1.11 through 5.0.4 does not properly validate the return value of the asn1_length function, which allows remote attackers to cause a denial of service (segmentation fault) via a (1) XAuth username, (2) EAP identity, or (3) PEM encoded file that starts with a 0x04, 0x30, or 0x31 character followed by an ASN.1 length value that triggers an integer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan 4.1.11
strongswan strongswan 5.0.4
opensuse opensuse 11.4
strongswan strongswan 5.0.1
opensuse opensuse 12.3
opensuse opensuse 12.2
strongswan strongswan 5.0.0
CVE-2013-6075 MEDIUM

The compare_dn function in utils/identification.c in strongSwan 4.3.3 through 5.1.1 allows (1) remote attackers to cause a denial of service (out-of-bounds read, NULL pointer dereference, and daemon crash) or (2) remote authenticated users to impersonate arbitrary users and bypass access restrictions via a crafted ID_DER_ASN1_DN ID, related to an "insufficient length check" during identity comparison.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan 4.3.4
strongswan strongswan 4.5.2
strongswan strongswan 4.6.2
strongswan strongswan 4.3.5
strongswan strongswan 4.4.1
strongswan strongswan 5.0.1
strongswan strongswan 5.0.0
strongswan strongswan 4.5.0
strongswan strongswan 4.6.0
strongswan strongswan 4.3.6
strongswan strongswan 4.5.3
strongswan strongswan 4.6.4
strongswan strongswan 5.0.4
strongswan strongswan 4.3.7
strongswan strongswan 4.6.3
strongswan strongswan 5.1.0
strongswan strongswan 4.4.0
strongswan strongswan 4.6.1
strongswan strongswan 4.3.3
strongswan strongswan 4.5.1
CVE-2013-6076 MEDIUM

strongSwan 5.0.2 through 5.1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and charon daemon crash) via a crafted IKEv1 fragmentation packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan 5.0.4
strongswan strongswan 5.1.0
CVE-2014-2338 MEDIUM

IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set to established.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
strongswan strongswan 4.3.0
strongswan strongswan 4.3.4
strongswan strongswan 4.5.2
strongswan strongswan 4.6.2
strongswan strongswan 4.2.1
strongswan strongswan 5.1.1
strongswan strongswan 4.2.9
strongswan strongswan 4.2.15
strongswan strongswan 4.1.9
strongswan strongswan 4.2.13
strongswan strongswan 5.0.2
strongswan strongswan 4.1.6
strongswan strongswan 4.1.8
strongswan strongswan 4.2.6
strongswan strongswan 4.4.1
strongswan strongswan 4.2.3
strongswan strongswan 4.2.5
strongswan strongswan 4.1.0
strongswan strongswan 4.2.2
strongswan strongswan 5.0.0
strongswan strongswan 4.2.14
strongswan strongswan 4.2.4
strongswan strongswan 5.1.2
strongswan strongswan 4.1.4
strongswan strongswan 4.1.5
strongswan strongswan 5.1.0
strongswan strongswan 4.4.0
strongswan strongswan 4.3.3
strongswan strongswan 4.2.12
strongswan strongswan 4.1.3
strongswan strongswan 4.1.11
strongswan strongswan 4.2.0
strongswan strongswan 4.3.5
strongswan strongswan 4.1.10
strongswan strongswan 4.2.11
strongswan strongswan 4.2.7
strongswan strongswan 4.3.1
strongswan strongswan 4.5.3
strongswan strongswan 4.1.7
strongswan strongswan 4.2.10
strongswan strongswan 4.3.7
strongswan strongswan 4.5.1
strongswan strongswan 5.0.3
strongswan strongswan 4.1.2
strongswan strongswan 5.0.1
strongswan strongswan 4.5.0
strongswan strongswan 4.6.0
strongswan strongswan 4.0.7
strongswan strongswan 4.2.8
strongswan strongswan 4.3.6
strongswan strongswan 4.2.16
strongswan strongswan 4.6.4
strongswan strongswan 4.3.2
strongswan strongswan 5.0.4
strongswan strongswan 4.1.1
strongswan strongswan 4.6.3
strongswan strongswan 4.6.1
CVE-2014-2891 MEDIUM

strongSwan before 5.1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a crafted ID_DER_ASN1_DN ID payload.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan *
debian strongswan *
strongswan strongswan 5.0.4
strongswan strongswan 5.0.1
strongswan strongswan 5.1.0
strongswan strongswan 5.0.0
CVE-2014-9221 MEDIUM

strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) via a crafted IKEv2 Key Exchange (KE) message with Diffie-Hellman (DH) group 1025.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-19,

Products Affected

Vendor Product Version
strongswan strongswan 4.5.2
strongswan strongswan 4.6.2
debian debian_linux 7.0
strongswan strongswan 5.1.1
strongswan strongswan 4.5.3
opensuse opensuse 13.1
strongswan strongswan 4.5.1
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
canonical ubuntu_linux 14.04
strongswan strongswan 5.1.3
canonical ubuntu_linux 14.10
fedoraproject fedora 21
strongswan strongswan 5.0.1
strongswan strongswan 5.0.0
strongswan strongswan 4.5.0
strongswan strongswan 4.6.0
strongswan strongswan 5.2.0
strongswan strongswan 4.6.4
strongswan strongswan 5.1.2
strongswan strongswan 5.0.4
strongswan strongswan 4.6.3
strongswan strongswan 5.1.0
strongswan strongswan 4.6.1
opensuse opensuse 13.2
CVE-2015-3991 HIGH

strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-19,

Products Affected

Vendor Product Version
strongswan strongswan 5.2.2
strongswan strongswan 5.3.0
CVE-2015-4171 LOW

strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
strongswan strongswan 4.3.0
strongswan strongswan 5.2.2
strongswan strongswan 4.3.4
strongswan strongswan 4.5.2
strongswan strongswan_vpn_client *
strongswan strongswan 4.6.2
strongswan strongswan 4.3.5
strongswan strongswan 5.1.1
strongswan strongswan 4.3.1
strongswan strongswan 4.5.3
strongswan strongswan 5.2.1
strongswan strongswan 4.3.7
strongswan strongswan 4.5.1
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan 5.2.3
canonical ubuntu_linux 15.04
strongswan strongswan 5.3.0
canonical ubuntu_linux 14.04
strongswan strongswan 5.1.3
canonical ubuntu_linux 14.10
strongswan strongswan 4.4.1
strongswan strongswan 5.0.1
strongswan strongswan 5.0.0
strongswan strongswan 4.5.0
strongswan strongswan 5.3.1
strongswan strongswan 4.6.0
strongswan strongswan 4.3.6
strongswan strongswan 5.2.0
strongswan strongswan 4.6.4
strongswan strongswan 5.1.2
debian debian_linux 8.0
strongswan strongswan 4.3.2
strongswan strongswan 5.0.4
strongswan strongswan 4.6.3
strongswan strongswan 5.1.0
strongswan strongswan 4.4.0
strongswan strongswan 4.6.1
strongswan strongswan 4.3.3
CVE-2015-8023 MEDIUM

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-264,

Products Affected

Vendor Product Version
strongswan strongswan 4.2.12
strongswan strongswan 4.3.0
strongswan strongswan 5.2.2
strongswan strongswan 4.3.4
strongswan strongswan 5.3.2
strongswan strongswan 4.5.2
strongswan strongswan 4.6.2
strongswan strongswan 4.3.5
strongswan strongswan 5.1.1
strongswan strongswan 4.3.1
strongswan strongswan 4.5.3
strongswan strongswan 5.2.1
strongswan strongswan 4.2.15
strongswan strongswan 4.3.7
strongswan strongswan 4.2.13
strongswan strongswan 4.5.1
strongswan strongswan 5.0.2
strongswan strongswan 5.0.3
strongswan strongswan 5.2.3
canonical ubuntu_linux 15.04
strongswan strongswan 5.3.0
canonical ubuntu_linux 14.04
strongswan strongswan 5.1.3
strongswan strongswan 4.4.1
strongswan strongswan 5.0.1
strongswan strongswan 5.0.0
strongswan strongswan 4.5.0
strongswan strongswan 5.3.1
strongswan strongswan 4.2.14
strongswan strongswan 4.6.0
strongswan strongswan 4.3.6
strongswan strongswan 5.2.0
canonical ubuntu_linux 15.10
strongswan strongswan 4.2.16
strongswan strongswan 4.6.4
strongswan strongswan 5.1.2
strongswan strongswan 4.3.2
strongswan strongswan 5.0.4
strongswan strongswan 5.3.3
strongswan strongswan 4.6.3
strongswan strongswan 5.1.0
strongswan strongswan 4.4.0
strongswan strongswan 4.6.1
strongswan strongswan 4.3.3
CVE-2017-11185 MEDIUM

The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
strongswan strongswan *
CVE-2017-9022 MEDIUM

The gmp plugin in strongSwan before 5.5.3 does not properly validate RSA public keys before calling mpz_powm_sec, which allows remote peers to cause a denial of service (floating point exception and process crash) via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.10
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 17.04
debian debian_linux 8.0
CVE-2017-9023 MEDIUM

The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE types when the x509 plugin is enabled, which allows remote attackers to cause a denial of service (infinite loop) via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,NVD-CWE-noinfo,CWE-835,

Products Affected

Vendor Product Version
strongswan strongswan *
CVE-2018-10811 MEDIUM

strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-909,

Products Affected

Vendor Product Version
fedoraproject fedora 28
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 18.04
CVE-2018-16151 MEDIUM

In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,CWE-347,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 18.04
CVE-2018-16152 MEDIUM

In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,CWE-347,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 18.04
CVE-2018-17540 MEDIUM

The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 18.04
CVE-2018-5388 MEDIUM

In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-124,CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 14.04
strongswan strongswan *
canonical ubuntu_linux 16.04
debian debian_linux 8.0
canonical ubuntu_linux 18.04
CVE-2018-6459 MEDIUM

The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
strongswan strongswan 5.6.1
CVE-2019-10155 LOW

The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L 1.6 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-354,CWE-354,

Products Affected

Vendor Product Version
strongswan strongswan *
fedoraproject fedora 29
xelerance openswan *
fedoraproject fedora 30
libreswan libreswan *
redhat enterprise_linux 8.0
CVE-2021-41990 MEDIUM

The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
siemens 6gk5876-3aa02-2ea2_firmware -
strongswan strongswan *
siemens 6gk5874-2aa00-2aa2_firmware -
fedoraproject fedora 34
siemens 6gk6108-4am00-2ba2_firmware -
siemens 6gk5876-4aa00-2da2_firmware -
siemens 6gk5615-0aa00-2aa2_firmware -
siemens 6gk5816-1ba00-2aa2_firmware -
siemens 6gk5874-3aa00-2aa2_firmware -
debian debian_linux 11.0
siemens 6gk5856-2ea00-3aa1_firmware -
fedoraproject fedora 35
siemens 6gk6108-4am00-2da2_firmware -
debian debian_linux 10.0
siemens 6gk5816-1aa00-2aa2_firmware -
siemens 6gk5876-3aa02-2ba2_firmware -
fedoraproject fedora 33
siemens 6gk5876-4aa00-2ba2_firmware -
siemens 6gk5812-1ba00-2aa2_firmware -
siemens 6gk5826-2ab00-2ab2_firmware -
siemens 6gk5856-2ea00-3da1_firmware -
siemens 6gk5812-1aa00-2aa2_firmware -
siemens 6gk5804-0ap00-2aa2_firmware -
CVE-2021-41991 MEDIUM

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
siemens simatic_cp_1542sp-1_firmware -
debian debian_linux 9.0
siemens sinema_remote_connect_server -
siemens cp_1543-1_firmware -
strongswan strongswan *
siemens scalance_sc636-2c_firmware -
fedoraproject fedora 34
siemens siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware -
siemens simatic_net_cp_1545-1_firmware -
debian debian_linux 10.0
siemens simatic_cp_1243-7_lte/us_firmware -
siemens simatic_cp_1543sp-1_firmware -
siemens scalance_sc622-2c_firmware -
siemens scalance_sc632-2c_firmware -
siemens siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware -
siemens simatic_cp_1242-7_gprs_v2_firmware -
siemens siplus_et_200sp_cp_1543sp-1_isec_firmware -
siemens siplus_s7-1200_cp_1243-1_firmware -
siemens siplus_net_cp_1543-1_firmware -
siemens simatic_net_cp_1243-8_irc_firmware -
debian debian_linux 11.0
siemens simatic_cp_1542sp-1_irc_firmware -
fedoraproject fedora 35
fedoraproject fedora 33
siemens scalance_sc642-2c_firmware -
siemens simatic_net_cp1243-7_lte_eu_firmware -
siemens scalance_sc646-2c_firmware *
siemens simatic_cp_1243-1_firmware -
siemens siplus_s7-1200_cp_1243-1_rail_firmware -
CVE-2021-45079 MEDIUM

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject extra_packages_for_enterprise_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 14.04
fedoraproject extra_packages_for_enterprise_linux 7.0
strongswan strongswan *
fedoraproject fedora 34
canonical ubuntu_linux 18.04
canonical ubuntu_linux 20.04
fedoraproject extra_packages_for_enterprise_linux 9.0
debian debian_linux 11.0
fedoraproject fedora 35
debian debian_linux 10.0
canonical ubuntu_linux 21.10
canonical ubuntu_linux 16.04
CVE-2022-40617

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

Products Affected

Vendor Product Version
debian debian_linux 10.0
canonical ubuntu_linux 14.04
strongswan strongswan *
fedoraproject fedora 37
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 20.04
debian debian_linux 11.0
canonical ubuntu_linux 22.04
stormshield stormshield_network_security *
CVE-2022-4967

strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of certificate with host mismatch (CWE-297). When certificates are used to authenticate clients in TLS-based EAP methods, the IKE or EAP identity supplied by a client is not enforced to be contained in the client's certificate. So clients can authenticate with any trusted certificate and claim an arbitrary IKE/EAP identity as their own. This is problematic if the identity is used to make policy decisions. A fix was released in strongSwan version 5.9.6 in August 2022 (e4b4aabc4996fc61c37deab7858d07bc4d220136).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@ubuntu.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 3.1 4.0

Products Affected

Vendor Product Version
strongswan strongswan *
CVE-2023-26463

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

Products Affected

Vendor Product Version
strongswan strongswan 5.9.9
strongswan strongswan 5.9.8
CVE-2023-41913

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
strongswan strongswan *
CVE-2026-25998

strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.

Products Affected

Vendor Product Version
strongswan strongman 0.1.0