CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
Confidence
High
EPSS
Percentile
92.5%
Libreswan is a free software implementation of the most widely supported and standarized VPN protocol based on (“IPsec”) and the Internet Key Exchange (“IKE”).
The pluto IKE daemon in Libreswan, when built with NSS, allows remote attackers to cause a Denial of Service (assertion failure and daemon restart) via a zero DH g^x value in a KE payload in a IKE packet. Additionally, remote attackers could cause a Denial of Service (daemon restart) via an IKEv1 packet with (1) unassigned bits set in the IPSEC DOI value or (2) the next payload value set to ISAKMP_NEXT_SAK.
Remote attackers could possibly cause Denial of Service.
There is no known workaround at this time.
All Libreswan users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/libreswan-3.15"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | net-misc/libreswan | < 3.15 | UNKNOWN |