strongSwan IPsec Vulnerability Leads to Remote Code Execution

A vulnerability (CVE-2023-41913) has been disclosed in strongSwan, an IPsec-based VPN package used on Linux, Android, FreeBSD, and macOS. Attackers can exploit it to execute malicious code remotely. The vulnerability is caused by an error in the charon-tkm process when implementing the key exchange protocol based on tkmv2 (Trusted Key Manager). This error leads to a buffer overflow when processing specially crafted values of the Diffie-Hellman scheme. The vulnerability only affects systems that use charon-tkm, in strongSwan releases from version 5.3.0 onwards. The issue has been resolved in the latest update of strongSwan, version 5.9.12. Patches have also been prepared to address the vulnerability in branches starting from version 5.3.x.

The vulnerability arises from the lack of size verification of Diffie-Hellman public values before they are copied into a fixed-size buffer on the stack. The overflow can be triggered by sending a specially crafted IKE_SA_INIT message, which is processed without authentication. In previous versions of strongSwan, size checks were performed in the KE (Key Exchange) payload processor. In version 5.3.0, however, changes were introduced to verify public values for the DH (Diffie-Hellman) protocol, and standard functions were added to facilitate checking the correctness of well-known DH groups. Unfortunately, the new check functions were inadvertently omitted in the charon-tkm process, which acts as a proxy between the IKE and TKM (Trusted Key Manager) processes. As a result, unverified values were passed to memcpy(), allowing up to 10,000 bytes of data to be written into a 512-byte buffer.
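
The kind of length check whose absence is described above, as an added C example that is not strongSwan's code. The names copy_dh_pubvalue, pubvalue_buf_t and dh_expected_len are hypothetical, the group table covers only a subset of IKEv2 DH groups, and the input in main() is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PUBVALUE_BUF_SIZE 512            /* fixed-size destination, as on the page */

typedef struct {                         /* hypothetical container for the copied value */
    size_t  size;
    uint8_t data[PUBVALUE_BUF_SIZE];
} pubvalue_buf_t;

/* Expected public value length in bytes (MODP: modulus size; ECP: x || y). */
static size_t dh_expected_len(uint16_t group)
{
    switch (group) {
    case 2:  return 128;                 /* MODP-1024 */
    case 5:  return 192;                 /* MODP-1536 */
    case 14: return 256;                 /* MODP-2048 */
    case 15: return 384;                 /* MODP-3072 */
    case 16: return 512;                 /* MODP-4096 */
    case 19: return 64;                  /* ECP-256 */
    case 20: return 96;                  /* ECP-384 */
    case 21: return 132;                 /* ECP-521 */
    default: return 0;                   /* unknown group: reject */
    }
}

/* Copies a peer-supplied DH public value; returns 0 on success, -1 if rejected. */
int copy_dh_pubvalue(pubvalue_buf_t *dst, uint16_t group,
                     const uint8_t *value, size_t len)
{
    size_t expected = dh_expected_len(group);
    if (!dst || !value || expected == 0)
        return -1;
    /* Length must match the group and fit the buffer before memcpy() runs. */
    if (len != expected || len > sizeof(dst->data))
        return -1;
    memcpy(dst->data, value, len);
    dst->size = len;
    return 0;
}

int main(void)
{
    static uint8_t constructed[10000];   /* constructed sample input, all zero bytes */
    pubvalue_buf_t buf;
    printf("10000 bytes, group 14: %d\n", copy_dh_pubvalue(&buf, 14, constructed, 10000));
    printf("256 bytes, group 14: %d\n", copy_dh_pubvalue(&buf, 14, constructed, 256));
    return 0;
}
```

Checking against the negotiated group's exact length, and not only against the buffer capacity, also rejects truncated values that would fit in the buffer.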
