CVE-2023-47091

7.5 HIGH

📋 TL;DR

This vulnerability in Stormshield Network Security (SNS) firewalls allows a remote, unauthenticated attacker to overflow the IKE cookie threshold, after which new IPsec connections can no longer be established (denial of service). It affects SNS versions 4.3.13-4.3.22, 4.6.0-4.6.9, and 4.7.0-4.7.1. Organizations using these versions for VPN connectivity are at risk.

💻 Affected Systems

Products:
  • Stormshield Network Security (SNS)
Versions: SNS 4.3.13 through 4.3.22, SNS 4.6.0 through 4.6.9, SNS 4.7.0 through 4.7.1
Operating Systems: Stormshield OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPsec VPN configured and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of IPsec VPN services, disrupting remote access and site-to-site connectivity for extended periods.

🟠 Likely Case: Targeted IPsec connection failures affecting specific VPN tunnels or remote users.

🟢 If Mitigated: Limited impact with redundant VPN paths or alternative connectivity methods available.

🌐 Internet-Facing: HIGH - IPsec VPN endpoints are typically internet-facing and directly accessible to attackers.
🏢 Internal Only: LOW - This primarily affects external VPN connectivity rather than internal-only systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires network access to IPsec endpoints but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SNS 4.3.23, SNS 4.6.10, SNS 4.7.2

Vendor Advisory: https://advisories.stormshield.eu/2023-024/

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Stormshield support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the firewall.
5. Verify that VPN connectivity is restored.

🔧 Temporary Workarounds

Rate limit IPsec connections (applies to: all)

Configure connection rate limiting to prevent cookie threshold overflow.

# Configure via Stormshield CLI or web interface
# Set maximum concurrent IPsec connections per source IP

Temporary VPN alternative (applies to: all)

Use SSL VPN or alternative remote access methods while patching.

# Enable SSL VPN if available
# Configure alternative access methods

🧯 If You Can't Patch

  • Implement network-level rate limiting for IPsec traffic using upstream firewalls or IPS devices
  • Monitor IPsec connection attempts and block suspicious source IPs showing excessive connection attempts

🔍 How to Verify

Check if Vulnerable:

Check the SNS firmware version via the web interface (System > Information) or the CLI command 'show version'.

Check Version:

show version

Verify Fix Applied:

Confirm the firmware version is the fixed release for your branch (4.3.23, 4.6.10, or 4.7.2) or later, then test IPsec connectivity.
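The version ranges above are easy to misread in a hurry (4.6.10 is fixed but 4.6.9 is not, and 4.5.x is not listed at all). The following is an added example, not Stormshield tooling or code from the original page: it encodes the affected and fixed ranges exactly as the advisory text states them and checks a version string such as the one printed by 'show version'. The x.y.z form of SNS version numbers and the exact output of 'show version' are assumptions; the helper simply picks the first x.y.z number it finds in the text.

```python
"""Version-range check for CVE-2023-47091 (added example, not Stormshield tooling).

Ranges come from the advisory text on this page.  Parsing assumes SNS versions
are written as x.y.z; the output format of 'show version' is an assumption.
"""
import re
from typing import Tuple

# Affected ranges are inclusive; one fixed release per affected branch.
AFFECTED_RANGES = [
    ((4, 3, 13), (4, 3, 22)),
    ((4, 6, 0), (4, 6, 9)),
    ((4, 7, 0), (4, 7, 1)),
]
FIXED_VERSIONS = [(4, 3, 23), (4, 6, 10), (4, 7, 2)]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the first x.y.z number found in text (e.g. a 'show version' line).

    Raises ValueError when no such number is present, so a garbled or empty
    CLI capture is reported instead of silently passing as "not affected".
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(text: str) -> str:
    """Human-readable verdict with the fixed release of the matching branch.

    Branches the advisory does not list (for example 4.5.x) are reported as
    outside the affected ranges; they are not claimed to be fixed.
    """
    v = parse_version(text)
    if is_affected(text):
        fixed = next(f for f in FIXED_VERSIONS if f[:2] == v[:2])
        return "AFFECTED: upgrade to %d.%d.%d or later" % fixed
    return "not in an affected range"


if __name__ == "__main__":
    # Constructed sample input standing in for a 'show version' capture.
    print(assess("Stormshield Network Security version 4.6.9"))
```

Run it against the captured output of 'show version' from each firewall; a ValueError means the capture did not contain a version number and needs to be looked at by hand rather than treated as clean.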

📡 Detection & Monitoring

Log Indicators:

  • Multiple IPsec connection failures from single source IP
  • Cookie threshold exceeded messages in firewall logs
  • IPsec tunnel establishment failures

Network Indicators:

  • Excessive IKE/ISAKMP packets from single source
  • Failed IPsec phase 1 negotiations
  • Spike in UDP port 500/4500 traffic

SIEM Query:

source="stormshield-firewall" ("cookie threshold" OR "IPsec failure" OR "IKE failure") | stats count by src_ip
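The SIEM query above is a keyword filter followed by a count per source IP. The following added example (not code from the original page or from Stormshield) implements the same logic in Python over constructed syslog-style lines, and adds the one thing a plain count lacks: a sliding time window, so that a burst of failures from one source stands out from a remote site that merely fails to negotiate once every few minutes. The log format, field names (src, msg) and all IP addresses are constructed for the example; real SNS log fields differ, so the regular expression must be adapted to your collector's output.

```python
"""Added detection example for CVE-2023-47091 (not from the original page or
from Stormshield).  Mirrors the SIEM query: keyword match, then count by
source IP, plus a sliding window to separate bursts from background noise.
The log line format below is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Same indicators as the SIEM query, matched case-insensitively.
KEYWORDS = ("cookie threshold", "ipsec failure", "ike failure")

# Constructed sample lines: ISO timestamp, source IP, quoted message.
SAMPLE_LOGS = """\
2023-11-02T10:00:01 src=203.0.113.10 msg="IKE failure: cookie threshold exceeded"
2023-11-02T10:00:02 src=203.0.113.10 msg="IKE failure: cookie threshold exceeded"
2023-11-02T10:00:03 src=203.0.113.10 msg="IPsec failure: phase 1 negotiation timed out"
2023-11-02T10:00:04 src=203.0.113.10 msg="IKE failure: cookie threshold exceeded"
2023-11-02T10:00:05 src=203.0.113.10 msg="IKE failure: cookie threshold exceeded"
2023-11-02T10:00:09 src=198.51.100.7 msg="IKE failure: no proposal chosen"
2023-11-02T10:00:10 src=198.51.100.7 msg="IPsec tunnel established"
2023-11-02T10:05:00 src=198.51.100.7 msg="IKE failure: no proposal chosen"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) msg="(?P<msg>[^"]*)"$')


def parse(lines: str) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "msg": m["msg"]})
    return events


def _matches(event: dict) -> bool:
    text = event["msg"].lower()
    return any(k in text for k in KEYWORDS)


def count_failures_by_src(events: List[dict]) -> Dict[str, int]:
    """Equivalent of the SIEM query: keyword filter, then count by src_ip."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if _matches(e):
            counts[e["src"]] += 1
    return dict(counts)


def burst_sources(events: List[dict], threshold: int = 4,
                  window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Sources with at least `threshold` matching failures inside any `window`.

    A two-pointer sweep over each source's sorted timestamps; the threshold
    and window are tuning knobs, not values from the advisory.
    """
    per_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if _matches(e):
            per_src[e["src"]].append(e["ts"])
    flagged = []
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(count_failures_by_src(evs))
    print("burst sources:", burst_sources(evs))
```

On the constructed sample the plain count reports both sources, while the windowed check flags only 203.0.113.10, which produced five failures in four seconds; 198.51.100.7's two failures five minutes apart look like an ordinary misconfigured peer. Tune the threshold and window to the normal IKE retry behaviour of your own peers before acting on the output, since a flapping branch link will also retry.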

🔗 References
