CVE-2023-26463
Published: 2 March 2023
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. The first consequence is incorrect access control (an authentication bypass), followed later by a dereference of an expired pointer. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.
Notes
Author | Note
---|---
mdeslaur | upstream: "Affected are strongSwan versions 5.9.8 and 5.9.9." Introduced by 63fd718915b5 ("libtls: call create_public_enumerator() with key_type"). Fix is already in master.
Priority
Status
Package | Release | Status
---|---|---
strongswan (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (code not present)
strongswan | focal | Not vulnerable (code not present)
strongswan | jammy | Not vulnerable (code not present)
strongswan | kinetic | Not vulnerable (code not present)
strongswan | lunar | Released (5.9.8-3ubuntu3)
strongswan | trusty | Not vulnerable (code not present)
strongswan | upstream | Released (5.9.10)
strongswan | xenial | Not vulnerable (code not present)

Patches:
- upstream: https://github.com/strongswan/strongswan/commit/4d3fc90cafc1ee15e90f7af354ae2270fdce994e
- upstream: https://download.strongswan.org/security/CVE-2023-26463/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch
Severity score breakdown
Parameter | Value
---|---
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |