{
  "threat_severity" : "Moderate",
  "public_date" : "2024-03-11T00:00:00Z",
  "bugzilla" : {
    "description" : "libreswan: Missing PreSharedKey for connection can cause crash",
    "id" : "2268952",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2268952"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.", "A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret), and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword, it can cause repeated crashes, leading to a denial of service." ],
  "statement" : "Libreswan may restart repeatedly under certain IKEv2 retransmission scenarios when using PreSharedKeys (authby=secret) if the connection cannot find a matching configured secret. If such a connection is added automatically on startup using the auto= keyword, it can lead to repeated crashes, causing a denial of service. The vulnerability arises when IKEv2 fails to find its PreSharedKey for the AUTH payload in the IKE_AUTH Exchange, resulting in assertion failure and daemon crashes. This vulnerability is triggered by local misconfiguration, and there is no known exploitation by external peers.",
  "acknowledgement" : "Red Hat would like to thank Andrew Vaughn for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:1998",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "libreswan-0:4.12-2.el8_9.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2082",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "libreswan-0:4.5-1.el8_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2081",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "libreswan-0:4.9-3.el8_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-24T00:00:00Z",
    "advisory" : "RHSA-2024:2033",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libreswan-0:4.12-1.el9_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2565",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libreswan-0:4.12-2.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-12-02T00:00:00Z",
    "advisory" : "RHSA-2024:10594",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "libreswan-0:4.6-3.el9_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2085",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "libreswan-0:4.9-5.el9_2.1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2025-01-02T00:00:00Z",
    "advisory" : "RHBA-2024:11565",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "libreswan-0:4.6-3.el9_0.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2025-01-02T00:00:00Z",
    "advisory" : "RHBA-2024:11505",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "libreswan-0:4.6-3.el9_0.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2025-01-02T00:00:00Z",
    "advisory" : "RHBA-2024:11525",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "libreswan-0:4.6-3.el9_0.3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "libreswan",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "libreswan",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-2357\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2357\nhttps://github.com/libreswan/libreswan/commit/cb9e1047d33fde695d63a95854c2bc2470a476c8.patch\nhttps://libreswan.org/security/CVE-2024-2357" ],
  "name" : "CVE-2024-2357",
  "mitigation" : {
    "value" : "As a workaround to prevent the misconfiguration from causing the crash, place an unguessable long random \"catch-all\" secret (a PSK entry with no ID selector) in /etc/ipsec.secrets, for example, using the following command:\necho -e \"# CVE-2024-2357 workaround\\n: PSK \\\"$(openssl rand -hex 32)\\\"\" >> /etc/ipsec.secrets\nThis ensures that a PSK secret is always found for any peer, so the failed lookup no longer triggers the assertion; because the value is random and shared with no peer, it will always be wrong, and authentication will still properly fail as intended.",
    "lang" : "en:us"
  },
  "csaw" : false
}
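The following script is an added example for the mitigation recorded above; it is not code from the Red Hat advisory or from the libreswan project. It lists the connections in an ipsec.conf that authenticate with a pre-shared key (authby=secret) together with their auto= setting (the advisory's crash loop needs the connection to be loaded at startup), checks whether the secrets file already holds a selector-less ": PSK" catch-all line, and appends the advisory's catch-all entry exactly once if it does not. File paths are parameters, and the ipsec.conf and ipsec.secrets it runs against are constructed samples written by write_sample_config, not real deployment files; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for the CVE-2024-2357 workaround (not advisory or libreswan code).
# Paths are passed in so this can run against constructed copies rather than
# the live /etc/ipsec.conf and /etc/ipsec.secrets.

# conns_using_psk CONF: print "name auto-value" for every conn section whose
# authby= value starts with "secret". libreswan's default for auto= is "ignore".
conns_using_psk() {
    awk '
        function flush() {
            if (name != "" && authby ~ /^secret/)
                print name, (auto == "" ? "ignore" : auto)
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[^[:space:]]/ {                 # unindented line: new section header
            flush(); name = ""; authby = ""; auto = ""
            if ($1 == "conn") name = $2
            next
        }
        name != "" {                      # indented key=value inside a conn
            line = $0
            sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]*#.*$/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[[:space:]]/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "authby") authby = val
            if (key == "auto")   auto = val
        }
        END { flush() }
    ' "$1"
}

# has_catchall_psk SECRETS: succeed if a selector-less ": PSK" line exists,
# i.e. an entry that matches any peer.
has_catchall_psk() {
    grep -Eq '^[[:space:]]*:[[:space:]]*PSK[[:space:]]' "$1"
}

# catchall_count SECRETS: number of such lines (prints 0 if none).
catchall_count() {
    grep -Ec '^[[:space:]]*:[[:space:]]*PSK[[:space:]]' "$1"
}

# random_hex: 32 random bytes as 64 hex characters, via openssl when present
# and /dev/urandom otherwise (same shape as the advisory's command produces).
random_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# ensure_catchall_psk SECRETS: append the advisory's catch-all entry once.
# The value is random and shared with nobody, so a peer that reaches the
# PSK lookup now gets a wrong secret (authentication fails) instead of
# hitting the assertion.
ensure_catchall_psk() {
    if has_catchall_psk "$1"; then
        return 0
    fi
    printf '# CVE-2024-2357 workaround\n: PSK "%s"\n' "$(random_hex)" >> "$1"
}

# write_sample_config DIR: constructed ipsec.conf and ipsec.secrets (sample
# data, not real files). The secrets file only covers peer 192.0.2.1, so
# "legacy-psk" has no matching secret: the misconfiguration the advisory
# describes.
write_sample_config() {
    cat > "$1/ipsec.conf" <<'EOF'
config setup
    logfile=/var/log/pluto.log

conn psk-site
    left=192.0.2.10
    right=192.0.2.1
    authby=secret
    auto=add

conn legacy-psk
    left=192.0.2.10
    right=198.51.100.7   # no secret configured for this peer
    authby=secret

conn cert-site
    left=192.0.2.10
    right=203.0.113.5
    authby=rsasig
    auto=start
EOF
    cat > "$1/ipsec.secrets" <<'EOF'
192.0.2.10 192.0.2.1 : PSK "constructed-sample-psk"
EOF
}

# Stand-alone run: audit the constructed sample and apply the workaround.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
echo "connections using authby=secret (name auto):"
conns_using_psk "$demo_dir/ipsec.conf"
ensure_catchall_psk "$demo_dir/ipsec.secrets"
echo "catch-all PSK lines now present: $(catchall_count "$demo_dir/ipsec.secrets")"
rm -rf "$demo_dir"
```

Running it against real files means pointing conns_using_psk at /etc/ipsec.conf (and any files it includes) and ensure_catchall_psk at /etc/ipsec.secrets as root; the workaround only stops the crash, so each connection the audit lists without a matching secret still needs its real PSK configured, and the packaged fix from the advisories above remains the actual remedy.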