CVE-2020-1763

7.5 HIGH

📋 TL;DR

An unauthenticated attacker can crash the libreswan pluto daemon by sending specially-crafted IKEv1 Informational Exchange packets, causing a denial of service. The daemon automatically respawns after crashing. This affects libreswan versions 3.27 through 3.31.

💻 Affected Systems

Products:
  • libreswan
Versions: 3.27 through 3.31
Operating Systems: Linux distributions using affected libreswan versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects IKEv1 Informational Exchange packets. IKEv2 is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service attacks could disrupt VPN connectivity by repeatedly crashing the pluto daemon, though it automatically restarts.

🟠 Likely Case

Temporary VPN service disruption during the attack, with automatic recovery when the daemon respawns.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring to detect and block malicious IKE traffic.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via IKEv1 packets makes internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but requires network access to the VPN endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in packet parsing code and requires sending malformed IKEv1 packets. Proof of concept is available in the bug reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.32 and later

Vendor Advisory: https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt

Restart Required: Yes

Instructions:

1. Update libreswan to version 3.32 or later using your distribution's package manager.
2. Restart the pluto daemon or reboot the system.

🔧 Temporary Workarounds

Disable IKEv1

If IKEv1 is not required, disable it to prevent exploitation via this protocol.

Edit /etc/ipsec.conf and remove or comment out IKEv1 configurations
Restart ipsec service: systemctl restart ipsec

Network filtering

Drop IKEv1 Informational Exchange packets (ISAKMP major version 1, exchange type 5) at the network perimeter. This also drops legitimate IKEv1 Informational messages such as Dead Peer Detection and Delete notifications, so IKEv1 peers will degrade until the patch is applied; matching a single byte anywhere in the payload is not enough, the match has to be anchored to the exchange-type field.

# Offsets assume an IPv4 header without options: 20 (IP) + 8 (UDP) + 17 puts the ISAKMP version byte (0x10) at 45 and the exchange type at 46
iptables -A INPUT -p udp --dport 500 -m string --algo bm --hex-string '|10 05|' --from 45 --to 47 -j DROP
# UDP/4500 prefixes IKE with a 4-byte zero non-ESP marker (RFC 3948), so require the marker and look for the same bytes 4 further on
iptables -A INPUT -p udp --dport 4500 -m string --algo bm --hex-string '|00 00 00 00|' --from 28 --to 32 -m string --algo bm --hex-string '|10 05|' --from 49 --to 51 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to VPN endpoints
  • Deploy intrusion detection/prevention systems to monitor for IKEv1 exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check libreswan version: ipsec --version | grep Libreswan

Verify Fix Applied:

Verify version is 3.32 or higher: ipsec --version | grep Libreswan

📡 Detection & Monitoring

Log Indicators:

  • Pluto daemon crash logs in /var/log/secure or system logs
  • Repeated pluto daemon restarts

Network Indicators:

  • Unusual IKEv1 Informational Exchange packets from single sources
  • Spike in UDP port 500/4500 traffic

SIEM Query:

source="*secure*" "pluto" AND ("crash" OR "segfault" OR "restart")
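The log indicators and SIEM query above, turned into a small detector over constructed sample journal lines (added example, not part of the original advisory): it keeps lines that name pluto or ipsec.service together with a crash/segfault/restart term and flags hosts whose indicator count within a sliding window reaches a threshold. The log line layout, host names and kernel segfault addresses are assumptions.

```python
import re
from datetime import datetime, timedelta
# Terms mirror the page's SIEM query ("pluto" AND crash/segfault/restart); systemd's own
# restart lines name ipsec.service rather than pluto, so accept either as the subject.
SUBJECT = re.compile(r"pluto|ipsec\.service", re.IGNORECASE)
INDICATOR = re.compile(r"crash|segfault|restart", re.IGNORECASE)
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

def parse_events(log_text):
    """Return (timestamp, host, message) for lines carrying a pluto crash/restart indicator."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if SUBJECT.search(msg) and INDICATOR.search(msg):
            events.append((datetime.fromisoformat(m["ts"]), m["host"], msg))
    return events

def crash_loop_hosts(log_text, threshold=4, window=timedelta(minutes=10)):
    """Hosts whose indicator events reach `threshold` inside any `window`, with the peak count
    (one crash-and-respawn cycle produces two lines: the segfault and the restart)."""
    stamps_by_host = {}
    for ts, host, _ in parse_events(log_text):
        stamps_by_host.setdefault(host, []).append(ts)
    flagged = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged

# Constructed sample journal lines (not captured from a real host); addresses are placeholders.
SAMPLE_LOG = """\
2020-05-01T10:00:01 vpn1 pluto[2231]: Starting Pluto (Libreswan Version 3.29)
2020-05-01T10:03:12 vpn1 kernel: pluto[2231]: segfault at 0 ip 0000555555555000 sp 00007ffffffff000 error 4 in pluto
2020-05-01T10:03:13 vpn1 systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 1.
2020-05-01T10:05:40 vpn1 kernel: pluto[2250]: segfault at 0 ip 0000555555555000 sp 00007ffffffff000 error 4 in pluto
2020-05-01T10:05:41 vpn1 systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 2.
2020-05-01T10:08:02 vpn1 kernel: pluto[2263]: segfault at 0 ip 0000555555555000 sp 00007ffffffff000 error 4 in pluto
2020-05-01T10:08:03 vpn1 systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 3.
2020-05-01T11:30:00 vpn2 systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 1.
"""
```

Running crash_loop_hosts(SAMPLE_LOG) returns {'vpn1': 6}: vpn1 shows three crash-and-respawn cycles inside ten minutes, while vpn2's single restart stays below the threshold and the plain "Starting Pluto" line matches no indicator term.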

🔗 References