An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.

The version of libreswan installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-38711 advisory.

  - An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with     ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a     crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6. (CVE-2023-38711)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the libreswan-4.12-1.el9 build changelog.

  - An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid     IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's     protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an     assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.
    NOTE: the earliest affected version is 3.20. (CVE-2023-38710)

  - An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with     ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a     crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6. (CVE-2023-38711)

  - An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational     Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA,     such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the     pluto daemon to crash and restart. (CVE-2023-38712)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-7052 advisory.

    - Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-6549 advisory.

    - Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
    - Just bumping up the version to include bugs for CVE-2023-2295. There is no       code fix for it. Fix for it is including the code fix for CVE-2023-30570.
    - Fix CVE-2023-2295 Regression of CVE-2023-30570 fixes in the       Red Hat Enterprise Linux

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:7052 advisory.

    Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and     uses strong cryptography to provide both authentication and encryption services. These services allow you     to build secure tunnels through untrusted networks such as virtual private network (VPN).

    Security Fix(es):

    * libreswan: Invalid IKEv2 REKEY proposal causes restart (CVE-2023-38710)

    * libreswan: Invalid IKEv1 Quick Mode ID causes restart (CVE-2023-38711)

    * libreswan: Invalid IKEv1 repeat IKE SA delete causes crash and restart (CVE-2023-38712)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:7052 advisory.

  - An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid     IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's     protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an     assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.
    NOTE: the earliest affected version is 3.20. (CVE-2023-38710)

  - An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with     ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a     crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6. (CVE-2023-38711)

  - An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational     Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA,     such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the     pluto daemon to crash and restart. (CVE-2023-38712)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:6549 advisory.

    Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and     uses strong cryptography to provide both authentication and encryption services. These services allow you     to build secure tunnels through untrusted networks such as virtual private network (VPN).

    Security Fix(es):

    * libreswan: Invalid IKEv2 REKEY proposal causes restart (CVE-2023-38710)

    * libreswan: Invalid IKEv1 Quick Mode ID causes restart (CVE-2023-38711)

    * libreswan: Invalid IKEv1 repeat IKE SA delete causes crash and restart (CVE-2023-38712)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-ddd6e6b49b advisory.

    Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712     addressing post-authentication denial of service attacks

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-dbc6d8a124 advisory.

    Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712     addressing post-authentication denial of service attacks

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
201674	CBL Mariner 2.0 Security Update: libreswan (CVE-2023-38711)	Nessus	MarinerOS Local Security Checks	medium
191308	CentOS 9 : libreswan-4.12-1.el9	Nessus	CentOS Local Security Checks	medium
186124	Oracle Linux 8 : libreswan (ELSA-2023-7052)	Nessus	Oracle Linux Local Security Checks	medium
185841	Oracle Linux 9 : libreswan (ELSA-2023-6549)	Nessus	Oracle Linux Local Security Checks	medium
185676	RHEL 8 : libreswan (RHSA-2023:7052)	Nessus	Red Hat Local Security Checks	medium
185624	CentOS 8 : libreswan (CESA-2023:7052)	Nessus	CentOS Local Security Checks	medium
185108	RHEL 9 : libreswan (RHSA-2023:6549)	Nessus	Red Hat Local Security Checks	medium
179995	Fedora 38 : libreswan (2023-ddd6e6b49b)	Nessus	Fedora Local Security Checks	medium
179994	Fedora 37 : libreswan (2023-dbc6d8a124)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2023-38711

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium