CVE-2015-3991

9.8 CRITICAL

📋 TL;DR

CVE-2015-3991 is a critical vulnerability in strongSwan VPN software that allows remote attackers to crash the daemon or execute arbitrary code. It affects strongSwan versions 5.2.2 and 5.3.0. Any system running these vulnerable versions with strongSwan exposed to untrusted networks is at risk.

💻 Affected Systems

Products:
  • strongSwan
Versions: 5.2.2 and 5.3.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both client and server implementations. Any configuration using vulnerable versions is affected.

📦 What is this software?

strongSwan is an open-source IPsec VPN implementation for Linux and other Unix-like systems. Its IKE daemon, charon, performs the IKEv2 negotiations in which this vulnerability lies, so a host is exposed wherever that daemon listens on an untrusted network.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges leading to complete system compromise

🟠

Likely Case

Denial of service through daemon crash disrupting VPN connectivity

🟢

If Mitigated

Limited impact if strongSwan is behind firewalls with restricted network access

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible
🏢 Internal Only: MEDIUM - Internal attackers could exploit if network access exists

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details were publicly disclosed in advisories. The vulnerability is in the IKEv2 protocol implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.3, 5.3.1, and later versions

Vendor Advisory: https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html

Restart Required: Yes

Instructions:

1. Update strongSwan to version 5.2.3 or 5.3.1 or later.
2. Use your distribution's package manager: 'apt-get update && apt-get upgrade strongswan' (Debian/Ubuntu) or 'yum update strongswan' (RHEL/CentOS).
3. Restart the strongSwan service: 'systemctl restart strongswan' or equivalent.

🔧 Temporary Workarounds

Network segmentation

Restrict network access to strongSwan services using firewall rules (Linux, iptables). Replace trusted_network with the address or CIDR range of your peers; because -A appends, confirm that no earlier rule already accepts this traffic, and note that the source restriction also applies to IKE replies from peers this host initiates to, so every peer must be covered.

iptables -A INPUT -p udp --dport 500 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j DROP
iptables -A INPUT -p udp --dport 4500 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j DROP

🧯 If You Can't Patch

  • Implement strict firewall rules to limit access to strongSwan ports (500/udp and 4500/udp) only from trusted networks
  • Monitor strongSwan logs for crash events and implement intrusion detection for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check strongSwan version: 'strongswan --version' or 'ipsec --version'. If output shows 5.2.2 or 5.3.0, system is vulnerable.

Check Version:

strongswan --version

Verify Fix Applied:

After update, verify version is 5.2.3, 5.3.1 or later. Test VPN connectivity remains functional.
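The version check above can be scripted so it runs the same way across a fleet. The function below is an added example, not code from the advisory or the strongSwan project: it extracts the version from a line of 'strongswan --version' or 'ipsec --version' output and compares it against the two versions this page lists. The sample output lines are constructed. Exact matching is deliberate: distributions sometimes backport security fixes without changing the upstream version string, so a match is a screening result to confirm against the package changelog, not a final verdict.

```shell
#!/bin/sh
# Added example (not part of the advisory): screen a strongSwan version string
# against the versions listed as vulnerable to CVE-2015-3991.

# Versions the advisory names as vulnerable.
VULNERABLE_VERSIONS="5.2.2 5.3.0"

# extract_version: pull the dotted version out of a --version line.
# Handles both "Linux strongSwan U5.2.2/K3.16.0-4-amd64" (U = userland,
# K = kernel) and a bare "strongSwan 5.2.2"; prints nothing if no match.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*strongSwan U\{0,1\}\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# check_version: exit 0 if the version is one of the listed vulnerable
# versions, 1 otherwise. Exact match only; backported fixes keep the same
# version string, so treat a hit as "confirm with the package changelog".
check_version() {
    v="$1"
    for bad in $VULNERABLE_VERSIONS; do
        [ "$v" = "$bad" ] && return 0
    done
    return 1
}

# classify: one --version line in, one verdict string out.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif check_version "$v"; then
        echo "vulnerable:$v"
    else
        echo "not-listed:$v"
    fi
}

# Constructed sample lines standing in for real --version output.
# On a live host use:  classify "$(strongswan --version 2>/dev/null)"
for line in \
    "Linux strongSwan U5.2.2/K3.16.0-4-amd64" \
    "Linux strongSwan U5.3.1/K4.0.0-generic" \
    "strongSwan 5.3.0" \
    "sh: strongswan: command not found"; do
    printf '%-45s -> %s\n' "$line" "$(classify "$line")"
done
```

A "not-listed" result for a version older than 5.2.2 is not an all-clear for this advisory either; it only means the version is not one of the two named here.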

📡 Detection & Monitoring

Log Indicators:

  • strongSwan daemon crashes in system logs
  • Unexpected termination of charon or pluto processes
  • Failed IKEv2 negotiations from suspicious sources

Network Indicators:

  • Malformed IKEv2 packets to UDP ports 500/4500
  • Spike in IKEv2 traffic from single sources

SIEM Query:

(source="strongswan" AND (event="crash" OR event="terminated")) OR (destination_port IN (500, 4500) AND protocol="UDP" AND packet_size > threshold)
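The log indicators listed above can be turned into a host-side filter before any SIEM is involved. The snippet below is an added example, not from the advisory or the strongSwan project: it matches the kinds of lines the kernel, systemd and the charon daemon emit when the daemon dies, and runs them over a constructed syslog-style excerpt. Field layouts differ between distributions, so the patterns are a starting point to adjust to your own logging format.

```shell
#!/bin/sh
# Added example (not part of the advisory): pick daemon-crash indicators
# for strongSwan's charon out of system-log lines.

# Constructed sample log excerpt in syslog style (not a real capture).
SAMPLE_LOG="May 12 10:01:02 vpn1 charon: 08[IKE] received IKE_SA_INIT request
May 12 10:01:03 vpn1 kernel: charon[1234]: segfault at 0 ip 00007f1a2b3c4d5e sp 00007ffd1e2f3a40 error 4 in libcharon.so
May 12 10:01:03 vpn1 systemd[1]: strongswan.service: Main process exited, code=killed, status=11/SEGV
May 12 10:01:05 vpn1 systemd[1]: strongswan.service: Failed with result 'signal'.
May 12 10:02:00 vpn1 charon: 09[IKE] IKE_SA established"

# crash_indicator_lines: read log lines on stdin, print those that show the
# daemon crashing (kernel segfault / core dump for charon) or being
# terminated abnormally (systemd unit killed or failed).
crash_indicator_lines() {
    grep -E -i 'charon.*(segfault|core dumped)|strongswan\.service:.*(code=killed|Failed with result)'
}

# count_crash_indicators: number of indicator lines on stdin (0 if none).
count_crash_indicators() {
    crash_indicator_lines | wc -l | tr -d ' '
}

# Run over the constructed sample. On a live host with journald:
#   journalctl -u strongswan | crash_indicator_lines
printf '%s\n' "$SAMPLE_LOG" | crash_indicator_lines
printf 'indicator lines: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_crash_indicators)"
```

A non-zero count on a host that should be idle is worth correlating with the network indicators above (who was sending to UDP 500/4500 at that moment), since a crash by itself does not say whether it was triggered remotely.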
