CVE-2023-41913
📋 TL;DR
This vulnerability in strongSwan allows unauthenticated remote attackers to execute arbitrary code via a buffer overflow in the charon-tkm DH proxy. Attackers can trigger this by sending a crafted IKE_SA_INIT message with an oversized DH public value. Any system running vulnerable strongSwan versions with charon-tkm enabled is affected.
💻 Affected Systems
- strongSwan
📦 What is this software?
strongSwan, by the strongSwan project: an open-source IPsec VPN implementation supporting IKEv1 and IKEv2. charon-tkm is a variant of its charon IKE daemon that outsources security-critical operations to a Trusted Key Manager (TKM); only deployments running that variant are in scope here.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution leading to VPN gateway compromise, network pivoting, and credential theft.
If Mitigated
Denial of service if exploit fails or system crashes before code execution.
🎯 Exploit Status
The vulnerability is in the IKE_SA_INIT handshake phase before authentication, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.12 and later
Vendor Advisory: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html
Restart Required: Yes
Instructions:
1. Download strongSwan 5.9.12 or later from strongswan.org or your distribution's repository.
2. Stop the strongSwan service.
3. Install the updated package.
4. Restart the strongSwan service.
🔧 Temporary Workarounds
Disable charon-tkm
Switch from charon-tkm to the standard charon daemon if charon-tkm is not required.
Edit strongSwan configuration to use charon instead of charon-tkm
Restart strongSwan service
Network filtering
Block IKE traffic (UDP ports 500 and 4500) from untrusted networks. Accept it from known peers before the DROP rules, otherwise the rules cut off the VPN itself; <trusted-peer-cidr> is a placeholder for your peer address range.
iptables -A INPUT -p udp --dport 500 -s <trusted-peer-cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -s <trusted-peer-cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j DROP
iptables -A INPUT -p udp --dport 4500 -j DROP
🧯 If You Can't Patch
- Disable charon-tkm and use standard charon daemon instead
- Implement network segmentation to restrict VPN access to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the strongSwan version with strongswan --version, and review ipsec.conf to confirm whether charon-tkm is the daemon in use.
Check Version:
strongswan --version
Verify Fix Applied:
Verify the version is 5.9.12 or higher. The pattern below is anchored on the strongSwan version field, so a 6.x kernel version printed after it in the same line cannot produce a false match: strongswan --version | grep -E 'strongSwan U?(5\.9\.(1[2-9]|[2-9][0-9])|5\.[1-9][0-9]\.|[6-9]\.)'
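A grep on the version line is a quick check, but it breaks as soon as a release falls outside the pattern. The helper below, added here as an example and not part of the advisory or of strongSwan, parses the version string and compares it numerically against the fixed release. It assumes the two output shapes strongSwan's tools print ("Linux strongSwan U<version>/K<kernel>" and "strongSwan <version>") and reports anything else as unknown rather than guessing.

```sh
#!/bin/sh
# Added example, not part of the advisory or of strongSwan: classify the output of
# `strongswan --version` (or `ipsec --version` / `swanctl --version`) against the
# first fixed release by numeric comparison instead of digit pattern-matching.
# Assumed output shapes: "Linux strongSwan U<ver>/K<kernel>" and "strongSwan <ver>".

FIXED_VERSION="5.9.12"   # first release with the fix, per the advisory

# version_fields VERSION -> "MAJOR MINOR PATCH"; drops distro suffixes such as
# "-2ubuntu1" and pads missing fields with 0.
version_fields() {
    v=$(printf '%s\n' "$1" | sed -E 's/^[^0-9]*//; s/[^0-9.].*$//')
    IFS=. read -r maj min pat rest <<EOF
$v
EOF
    printf '%d %d %d\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# version_ge A B -> exit status 0 when A >= B, compared field by field.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# check_version_output TEXT -> prints "fixed", "vulnerable" or "unknown".
# The version is taken only from the token following "strongSwan " (optional "U"
# prefix), so a kernel version printed after "/K" is never mistaken for it.
check_version_output() {
    ver=$(printf '%s\n' "$1" | sed -nE 's/.*strongSwan U?([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone use on a host that has the tool installed.
command -v strongswan >/dev/null 2>&1 && check_version_output "$(strongswan --version 2>/dev/null)"
```

Run it on the gateway itself, or pipe collected version strings from several hosts through check_version_output; a result of unknown means the output shape was not recognised and should be inspected by hand, not treated as fixed.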
📡 Detection & Monitoring
Log Indicators:
- IKE_SA_INIT messages with unusually large DH public values
- charon-tkm process crashes or abnormal termination
Network Indicators:
- IKE_SA_INIT packets with oversized payloads
- Multiple failed IKE handshakes from single source
SIEM Query:
source="strongswan" AND (("IKE_SA_INIT" AND ("large" OR "buffer" OR "overflow")) OR (process="charon-tkm" AND event="crash"))
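The indicators above can be turned into a concrete log scan. The script below is an added example, not part of the advisory or of strongSwan: it pairs each "received packet" line with the "parsed IKE_SA_INIT request" line on the same worker thread, so that large but legitimate IKE_AUTH messages (which carry certificates) are not flagged, counts IKE_SA_INIT requests per source, and separately picks out kernel and systemd lines that show the charon-tkm process dying. The log line shapes (charon-style "NN[NET]"/"NN[ENC]" thread tags, the kernel segfault message, the systemd SEGV exit), the byte threshold and the sample lines are all assumptions; the sample is constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not part of the advisory or of strongSwan. Scans syslog-style
# lines for the detection indicators: oversized IKE_SA_INIT requests, repeated
# IKE_SA_INIT requests from one source, and charon-tkm crashes. Line shapes and
# the threshold are assumptions to be tuned against the gateway's real logs.

# Constructed sample (not a real capture). 203.0.113.7 sends two 4120-byte
# IKE_SA_INIT requests; 198.51.100.23 is a normal peer whose large packet is a
# legitimate IKE_AUTH. The last two lines show the daemon dying afterwards.
SAMPLE_LOG='Nov 21 10:00:01 vpn charon-tkm: 05[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (4120 bytes)
Nov 21 10:00:01 vpn charon-tkm: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 10:00:01 vpn charon-tkm: 06[NET] received packet: from 198.51.100.23[500] to 198.51.100.1[500] (464 bytes)
Nov 21 10:00:01 vpn charon-tkm: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 10:00:02 vpn charon-tkm: 07[NET] received packet: from 198.51.100.23[4500] to 198.51.100.1[4500] (3012 bytes)
Nov 21 10:00:02 vpn charon-tkm: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
Nov 21 10:00:03 vpn charon-tkm: 08[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (4120 bytes)
Nov 21 10:00:03 vpn charon-tkm: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 21 10:00:03 vpn kernel: charon-tkm[1234]: segfault at 7ffc0000 ip 000055d0 sp 00007ffc error 6 in charon-tkm[55d0+1000]
Nov 21 10:00:03 vpn systemd[1]: charon-tkm.service: Main process exited, code=killed, status=11/SEGV'

# scan_ike_init LOG BYTE_THRESHOLD MIN_COUNT
# Prints "oversized SRC BYTES" for each IKE_SA_INIT request whose packet exceeded
# BYTE_THRESHOLD and "repeated SRC N" for sources with at least MIN_COUNT requests.
# The NET and ENC lines are correlated through the worker thread id ("05[NET]"),
# which is what keeps IKE_AUTH packets out of the oversized list.
scan_ike_init() {
    printf '%s\n' "$1" | awk -v thr="$2" -v minc="$3" '
        /received packet: from/ {
            match($0, /[0-9]+\[NET\]/);    tid  = substr($0, RSTART, RLENGTH - 5)
            match($0, /from [0-9.]+/);     src  = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /\([0-9]+ bytes\)/); size = substr($0, RSTART + 1, RLENGTH - 8) + 0
            last_src[tid] = src; last_size[tid] = size
            next
        }
        /parsed IKE_SA_INIT request/ {
            match($0, /[0-9]+\[ENC\]/);    tid = substr($0, RSTART, RLENGTH - 5)
            if (!(tid in last_src)) next
            count[last_src[tid]]++
            if (last_size[tid] > thr) print "oversized", last_src[tid], last_size[tid]
            delete last_src[tid]
        }
        END { for (s in count) if (count[s] >= minc) print "repeated", s, count[s] }
    '
}

# scan_crashes LOG
# Prints lines showing charon-tkm terminating abnormally: the kernel segfault
# report or systemd reporting a signal exit for charon-tkm.service.
scan_crashes() {
    printf '%s\n' "$1" | grep -E 'kernel: charon-tkm\[[0-9]+\]: segfault|charon-tkm\.service: Main process exited, code=killed'
}

# Stand-alone run over the constructed sample: 2000 bytes as the size threshold,
# two requests as the repeat threshold.
scan_ike_init "$SAMPLE_LOG" 2000 2
scan_crashes "$SAMPLE_LOG"
```

Replace SAMPLE_LOG with `journalctl -u charon-tkm -k --since ...` output or the relevant syslog file, and start with a generous threshold: a legitimate IKE_SA_INIT with a large MODP group already runs to well over a kilobyte, so alert on the combination of an oversized request followed shortly by a crash line rather than on either alone.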
🔗 References
- https://github.com/strongswan/strongswan/releases
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPJZPYHBCRXUQGGKQE6TYH4J4RIJH6HO/
- https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-%28cve-2023-41913%29.html
- https://lists.debian.org/debian-lts-announce/2023/11/msg00018.html
- https://security.netapp.com/advisory/ntap-20250117-0003/