CVE-2023-2295

7.5 HIGH

📋 TL;DR

This vulnerability in libreswan's IKEv1 Aggressive Mode implementation causes the pluto daemon to crash when receiving specially crafted packets. It affects systems running vulnerable versions of libreswan, particularly Red Hat Enterprise Linux 8.8 and 9.2. No remote code execution is possible, but the denial of service can disrupt VPN connectivity.

💻 Affected Systems

Products:
  • libreswan
Versions: Specific versions in Red Hat Enterprise Linux 8.8 and 9.2 (regression from CVE-2023-30570 fix)
Operating Systems: Red Hat Enterprise Linux 8.8, Red Hat Enterprise Linux 9.2
Default Config Vulnerable: ✅ No
Notes: Only affects systems using IKEv1 Aggressive Mode. IKEv2 and IKEv1 Main Mode are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service attacks could repeatedly crash the pluto daemon, disrupting VPN connectivity and requiring manual intervention to restart services.

🟠 Likely Case

Temporary VPN service disruption due to daemon crashes, requiring service restarts to restore functionality.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring; service can be quickly restored after crashes.

🌐 Internet-Facing: MEDIUM - VPN gateways exposed to the internet could be targeted for denial of service attacks, but exploitation requires specific IKEv1 Aggressive Mode configuration.
🏢 Internal Only: LOW - Internal attackers with network access could exploit, but requires specific VPN configuration and knowledge of the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specific IKEv1 Aggressive Mode packets and understanding of SPI handling in libreswan.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libreswan-4.9-4.el8_8 and libreswan-4.9-4.el9_2

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:3107

Restart Required: Yes

Instructions:

1. Update the libreswan package: yum update libreswan
2. Restart the pluto service: systemctl restart ipsec
3. Verify the service is running: systemctl status ipsec

🔧 Temporary Workarounds

Disable IKEv1 Aggressive Mode

Prevent exploitation by disabling IKEv1 Aggressive Mode in libreswan configuration

Edit /etc/ipsec.conf and ensure no connections use 'aggressive' mode
Restart ipsec: systemctl restart ipsec

🧯 If You Can't Patch

  • Disable IKEv1 Aggressive Mode in all VPN configurations
  • Implement network controls to restrict IKEv1 Aggressive Mode traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the libreswan version: rpm -q libreswan. If the version is affected (e.g., libreswan-4.9-3.el8_8) and IKEv1 Aggressive Mode is enabled, the system is vulnerable.

Check Version:

rpm -q libreswan

Verify Fix Applied:

Verify the updated version: rpm -q libreswan should show libreswan-4.9-4.el8_8 (RHEL 8.8) or libreswan-4.9-4.el9_2 (RHEL 9.2) or later. Check the ipsec service status: systemctl status ipsec.
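The two verification checks above (pre-fix build and Aggressive Mode enabled) combined into one script, as an added example that is not part of the advisory. It assumes the fixed builds named in the RHSA (libreswan-4.9-4.el8_8 / libreswan-4.9-4.el9_2), that libreswan enables IKEv1 Aggressive Mode with aggressive=yes (older configs: aggrmode=yes) in a conn section, and that non-RHEL builds are out of scope:

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a RHEL host is exposed to
# CVE-2023-2295 by combining the two checks the advisory describes, a pre-fix
# libreswan build AND an IKEv1 Aggressive Mode connection in the config.
# Assumptions: fixed builds are 4.9-4.el8_8 / 4.9-4.el9_2 (from the RHSA);
# libreswan enables Aggressive Mode with "aggressive=yes" in a conn section
# (older configs used "aggrmode=yes"); other distro builds are out of scope here.

# Return 0 when $1 (output of "rpm -q libreswan", arch suffix optional) is older
# than the fixed build for its RHEL stream. sort -V orders release numbers numerically.
version_is_vulnerable() {
    pkg=$(printf '%s' "$1" | sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//')
    case "$pkg" in
        libreswan-*.el8_8) fixed="libreswan-4.9-4.el8_8" ;;
        libreswan-*.el9_2) fixed="libreswan-4.9-4.el9_2" ;;
        *) return 1 ;;   # not a RHEL 8.8 / 9.2 build covered by this advisory
    esac
    [ "$pkg" != "$fixed" ] &&
        [ "$(printf '%s\n%s\n' "$pkg" "$fixed" | sort -V | head -n 1)" = "$pkg" ]
}

# Return 0 when config file $1 has an active (uncommented) aggressive=yes setting.
config_uses_aggressive() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -qiE '^(aggressive|aggrmode)=yes$'
}

# Exit 0 (vulnerable) only when both conditions hold; $1 is the package string,
# the remaining arguments are config files to scan (e.g. /etc/ipsec.conf /etc/ipsec.d/*.conf).
assess() {
    pkg="$1"; shift
    if ! version_is_vulnerable "$pkg"; then
        echo "not vulnerable: $pkg is a fixed build or outside the advisory's scope"; return 1
    fi
    for f in "$@"; do
        if [ -r "$f" ] && config_uses_aggressive "$f"; then
            echo "VULNERABLE: $pkg with IKEv1 Aggressive Mode enabled in $f"; return 0
        fi
    done
    echo "not exposed: $pkg is pre-fix but no aggressive=yes found; update anyway"; return 1
}

# On a live host:  assess "$(rpm -q libreswan)" /etc/ipsec.conf /etc/ipsec.d/*.conf
```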

📡 Detection & Monitoring

Log Indicators:

  • Pluto daemon crash logs in /var/log/secure or system logs
  • Repeated ipsec service restarts

Network Indicators:

  • Unusual IKEv1 Aggressive Mode traffic patterns
  • VPN connection failures following specific packet sequences

SIEM Query:

source="ipsec" AND ("crash" OR "segfault" OR "pluto")
