Vulnerability in strongSwan IPsec allowing remote code execution

strongSwan 5.9.10 has been released, a free package for building VPN connections over the IPsec protocol that is used on Linux, Android, FreeBSD and macOS. The new version fixes a dangerous vulnerability (CVE-2023-26463, https://security-tracker.debian.org/tracker/cve-2023-26463) that can be used to bypass authentication and could also potentially lead to execution of attacker-supplied code on the server or client side. The problem surfaces when specially crafted certificates are checked in the TLS-based EAP (Extensible Authentication Protocol) authentication methods, even when the certificate cannot be successfully verified. Specifically, when tls_find_public_key() is called, a lookup keyed on the type of the public key is used to find trusted certificates. The flaw is that the variable used to determine the key type for that lookup is set in every case, even when the certificate is not trusted.

Moreover, by manipulating the key it is possible to decrement the reference counter (if the certificate is not trusted, the reference to the object is released after the key type has been determined) and to free the memory of a key object that is still in use. The flaw in question does not rule out the creation of exploits that leak information from memory and execute the attacker's code.
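To make the ordering problem concrete, the following is an added, hypothetical model of the bug class described above; it is not strongSwan code. The structures, the reference-counting helpers and the two lookup functions find_key_buggy() and find_key_fixed() are invented stand-ins. The model records "freed" in a flag instead of calling free(), so it can be run safely: the buggy lookup stores the key type before trust is decided and releases a reference it never took, leaving the certificate's key object freed while the caller still goes on to use it; the fixed lookup decides trust first and touches neither the type variable nor the reference count for an untrusted certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of the pattern the advisory describes.
 * NOT strongSwan code: every name below is an invented stand-in. */

typedef enum { KEY_NONE = 0, KEY_RSA = 1, KEY_ECDSA = 2 } key_type_t;

typedef struct {
    key_type_t type;
    int refcount;   /* object is released when this drops to 0 */
    bool freed;     /* recorded instead of calling free(), keeps the model memory-safe */
} public_key_t;

typedef struct {
    public_key_t *key;  /* key carried in the certificate; the cert owns one reference */
    bool trusted;       /* outcome of chain validation, supplied by the caller */
} certificate_t;

static public_key_t *key_get_ref(public_key_t *k) { k->refcount++; return k; }
static void key_destroy(public_key_t *k) { if (--k->refcount == 0) k->freed = true; }

/* Buggy lookup: the key type is stored before trust is established, and on the
 * untrusted path the certificate's own reference is released even though the
 * certificate (and the caller) still use the key object. */
static public_key_t *find_key_buggy(certificate_t *cert, key_type_t *type)
{
    public_key_t *key = cert->key;
    *type = key->type;                 /* set in every case */
    if (!cert->trusted) {
        key_destroy(key);              /* drops a reference this function never took */
        return NULL;
    }
    return key_get_ref(key);           /* caller owns this reference */
}

/* Fixed lookup: trust is decided first; for an untrusted certificate nothing
 * about the key is recorded and no reference count is touched. */
static public_key_t *find_key_fixed(certificate_t *cert, key_type_t *type)
{
    if (!cert->trusted) {
        *type = KEY_NONE;
        return NULL;
    }
    *type = cert->key->type;
    return key_get_ref(cert->key);
}

typedef public_key_t *(*lookup_fn)(certificate_t *, key_type_t *);

/* Runs one lookup on a fresh certificate whose key holds exactly one reference,
 * lets the caller release whatever reference it was handed, and reports whether
 * the certificate's key object is still alive and still owned once afterwards. */
static bool run_lookup(lookup_fn lookup, bool trusted, key_type_t *type_out)
{
    public_key_t key = { .type = KEY_RSA, .refcount = 1, .freed = false };
    certificate_t cert = { .key = &key, .trusted = trusted };
    public_key_t *ref = lookup(&cert, type_out);
    if (ref) {
        key_destroy(ref);              /* caller releases the reference it was given */
    }
    return !key.freed && key.refcount == 1;
}

/* Does the certificate's key survive the lookup? (true = no use-after-free) */
bool key_survives_lookup(lookup_fn lookup, bool trusted)
{
    key_type_t ignored;
    return run_lookup(lookup, trusted, &ignored);
}

/* Which key type did the lookup record? KEY_NONE means "no trusted key found". */
key_type_t type_recorded_by_lookup(lookup_fn lookup, bool trusted)
{
    key_type_t type = KEY_NONE;
    run_lookup(lookup, trusted, &type);
    return type;
}

int main(void)
{
    printf("buggy, untrusted cert: key alive = %d, type recorded = %d\n",
           key_survives_lookup(find_key_buggy, false),
           type_recorded_by_lookup(find_key_buggy, false));
    printf("fixed, untrusted cert: key alive = %d, type recorded = %d\n",
           key_survives_lookup(find_key_fixed, false),
           type_recorded_by_lookup(find_key_fixed, false));
    return 0;
}
```

The two observable differences are exactly the ones the advisory text points at: with an untrusted certificate the buggy lookup still reports a key type (so the caller proceeds) while the key object's reference count has already reached zero; the fixed lookup reports no key and leaves the certificate's single reference intact. For a trusted certificate both versions behave identically.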

A server is attacked by a client sending a request to authenticate with the EAP-TLS, EAP-TTLS, EAP-PEAP or EAP-TNC methods. A client can be attacked by a server returning a specially crafted certificate. The vulnerability is present in strongSwan releases 5.9.8 and 5.9.9. The publication of package updates in distributions can be tracked on these pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch, FreeBSD, NetBSD.
