CVE-2023-38710 Invalid IKEv2 REKEY proposal causes libreswan to restart

The Libreswan Project has released a security patch for libreswan versions 3.0 to 4.11. Vulnerable versions restart on receiving a malformed IKEv2 rekey proposal from an authenticated peer.

CVE-2023-38711 Invalid IKEv1 Quick Mode ID causes libreswan to restart

The Libreswan Project has released a security patch for libreswan versions 4.6 to 4.11. Vulnerable versions restart on receiving an IKEv1 Quick Mode packet with a malformed ID payload from an authenticated peer.

CVE-2023-38712 Invalid IKEv1 repeat IKE SA delete causes crash and restart

The Libreswan Project has released a security patch for libreswan versions 3.20 to 4.11. When an authenticated peer sends an ISAKMP (IKEv1) SA Notify carrying a Delete together with other notifications, such as a duplicate Delete notification, vulnerable versions dereference a NULL pointer, crash and restart.

Please upgrade to libreswan 4.12 (sig) or apply the patches listed in the advisories for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712. In all three cases the triggering message must come from a peer that has already authenticated, so the impact is a crash and restart of the IKE daemon caused by a peer holding valid credentials, not by an arbitrary host on the network.
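As an added example that is not part of the libreswan project or of this page, the following Python check maps an installed version, as printed by `ipsec --version`, onto the affected ranges stated in the three advisories above. The exact output format of `ipsec --version` is an assumption here (only the "Libreswan MAJOR.MINOR" token is parsed) and the sample strings are constructed; the version ranges are the ones the advisories give.

```python
"""Check a libreswan version against the CVE-2023-38710/38711/38712 affected ranges.

Usage: pipe the output of `ipsec --version` into assess(), or call it with a string.
The version-string format is assumed; only "Libreswan <major>.<minor>" is matched.
"""
import re
import subprocess

# Inclusive affected ranges as stated in the three advisories on this page.
ADVISORIES = {
    "CVE-2023-38710": ((3, 0), (4, 11)),   # invalid IKEv2 REKEY proposal -> restart
    "CVE-2023-38711": ((4, 6), (4, 11)),   # invalid IKEv1 Quick Mode ID -> restart
    "CVE-2023-38712": ((3, 20), (4, 11)),  # repeated IKEv1 IKE SA delete -> NULL deref, crash
}
FIXED_IN = (4, 12)

# Assumed format, e.g. "Linux Libreswan 4.11 (XFRM) on 6.1.0-13-amd64" (constructed sample).
_VERSION_RE = re.compile(r"Libreswan\s+v?(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor) from `ipsec --version`-style output, or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def affected_advisories(version):
    """Return the advisory IDs whose inclusive range contains `version`.

    Tuples compare lexicographically, so (3, 20) <= (4, 11) holds as expected.
    """
    return [cve for cve, (low, high) in ADVISORIES.items() if low <= version <= high]


def assess(text):
    """Summarise exposure for a version string: which CVEs apply and what to do."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "affected": [], "action": "could not parse version"}
    affected = affected_advisories(version)
    if affected:
        action = "upgrade to libreswan %d.%d or apply the listed patches" % FIXED_IN
    else:
        action = "no action required for these three advisories"
    return {"version": version, "affected": affected, "action": action}


def assess_installed():
    """Run the real `ipsec --version` on this host and assess its output (requires libreswan)."""
    output = subprocess.run(["ipsec", "--version"], capture_output=True, text=True, check=True).stdout
    return assess(output)


if __name__ == "__main__":
    # Constructed sample strings, not captured from a real host.
    for sample in ("Linux Libreswan 4.11 (XFRM) on 6.1.0-13-amd64",
                   "Linux Libreswan 3.15 (netkey) on 4.19.0",
                   "Linux Libreswan 4.12 (XFRM) on 6.1.0-13-amd64"):
        print(sample, "->", assess(sample))
```

Version 3.15, for instance, falls only in the CVE-2023-38710 range (3.0 to 4.11), while 4.11 falls in all three and 4.12 in none.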

Libreswan VPN software

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, "IPsec", together with its key-management protocol, the Internet Key Exchange ("IKE"). Both standards are produced and maintained by the Internet Engineering Task Force ("IETF").

Libreswan has been under active development for over 20 years, going back to The FreeS/WAN Project founded in 1997 by John Gilmore and Hugh Daniel. For more information, see the project's History. Libreswan supports IKE versions 1 and 2. It runs on Linux 2.4 to 5.x, FreeBSD and Apple OSX. On Linux, it uses the kernel's built-in "XFRM" IPsec stack (linux-ipsec). It uses the NSS crypto library. The list of supported RFCs can be found at Implemented standards.

Download

Libreswan is licensed under the GNU General Public License, version 2 ("GPLv2"). See the License. It ships as part of many Linux distributions, including Fedora, RHEL/EPEL and Arch Linux, and can be installed on those systems using the native package management tools. The source code is available as a tarball and via our git repository. Older versions, patches and pre-compiled versions are available on our download site.

Configuration examples

Common configuration examples can be found in our Wiki. Furthermore, our test cases also document our behaviour. You can find test case results and log files on our daily testing site at testing.libreswan.org. And of course, the manual page of ipsec.conf documents the configuration options as well.