CVE-2023-38710
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Published Aug 25, 2023
Updated: Dec 11, 2023
Summary
CVE-2023-38710 is a vulnerability affecting Libreswan before version 4.12. When the IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of either 0 or 1, an error notify INVALID_SPI is sent back. The issue arises due to the code failing to validate the outgoing packet's protocol ID, which should be ESP (2) or AH(3). Instead, the protocol ID from the incoming packet is copied, leading to a crash and restart of the pluto daemon. This vulnerability first appeared in Libreswan version 3.20.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Share
Affected Products
- Libreswan