Libreswan Popular VPN Software Vulnerability - 20240419004

wagov · Apr 19, 2024 · c4c283c · c4c283c
1 parent ce33eaa
commit c4c283c
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md
@@ -0,0 +1,17 @@
+# Libreswan Popular VPN Software Vulnerability - 20240419004
+
+## Overview
+
+The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts.
+
+## What is vulnerable?
+
+| CVE    | Severity     | CVSS | Product(s) Affected | Summary | Dated |
+| ------ | ------------ | ---- | ------------------- | ------- | ----- |
+| [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5  | **Libreswan 3.22 - 4.14** |         |       |
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe  (refer [Patch Management](../guidelines/patch-management.md)):
+
+- https://libreswan.org/security/CVE-2024-3652/