Platform: linux
Component: libreswan
Fixed in: 3.29.1
CVE-2019-10155 describes a vulnerability in Libreswan, a widely used IPsec implementation. This flaw stems from a failure to properly verify integrity checks on encrypted IKEv1 informational exchange packets. While the packets are encrypted, the lack of integrity verification could lead to information disclosure. This vulnerability affects Libreswan versions prior to 3.29 and has been resolved in version 3.29.
The core of this vulnerability lies in Libreswan's handling of IKEv1 informational exchange packets. While these packets are encrypted and integrity protected using the established IKE Security Association (SA), the receiver fails to verify the integrity check value. This omission allows a malicious actor to craft and transmit modified packets, potentially injecting malicious data or commands into the VPN tunnel. Successful exploitation could lead to unauthorized access to internal network resources, data breaches, or even complete compromise of the VPN connection. The impact is particularly concerning for organizations heavily reliant on Libreswan for secure remote access and site-to-site VPN connectivity.
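The check the receiver is expected to make, as an added Python example (not Libreswan's code and not from the original page). It assumes the integrity value is the RFC 2409 HASH(1) payload, HMAC-SHA1 as the negotiated prf, and a body that is already decrypted with padding removed; the key, message ID and Delete payload are constructed samples.

```python
import hashlib
import hmac
import struct

HASH, DELETE = 8, 12  # ISAKMP payload type numbers (RFC 2408)

def hash1(skeyid_a, message_id, rest):
    """HASH(1) = prf(SKEYID_a, M-ID | N/D), RFC 2409 section 5.7."""
    return hmac.new(skeyid_a, message_id + rest, hashlib.sha1).digest()

def build_body(skeyid_a, message_id, next_type, rest):
    """Sender: HASH payload (generic header + digest), then the N/D payload."""
    digest = hash1(skeyid_a, message_id, rest)
    return struct.pack("!BBH", next_type, 0, 4 + len(digest)) + digest + rest

def verify_informational(skeyid_a, message_id, first_type, body):
    """Receiver, after decryption: return the N/D bytes only if HASH(1) matches."""
    if first_type != HASH or len(body) < 4:
        raise ValueError("encrypted informational lacks a HASH payload")
    _next, _reserved, length = struct.unpack("!BBH", body[:4])
    if not 4 < length <= len(body):
        raise ValueError("bad HASH payload length")
    received, rest = body[4:length], body[length:]
    # The step the page says was skipped: recompute and compare in constant time.
    if not hmac.compare_digest(received, hash1(skeyid_a, message_id, rest)):
        raise ValueError("HASH(1) mismatch, packet must be dropped")
    return rest

# Constructed sample values, not taken from any real exchange.
SAMPLE_KEY = bytes(range(20))           # stands in for SKEYID_a
SAMPLE_MID = bytes.fromhex("0a0b0c0d")  # message ID from the ISAKMP header
SAMPLE_DELETE = struct.pack("!BBHIBBH", 0, 0, 28, 1, 1, 16, 1) + bytes(16)

def accepted(body):
    """True if the receiver would act on this decrypted body."""
    try:
        verify_informational(SAMPLE_KEY, SAMPLE_MID, HASH, body)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    good = build_body(SAMPLE_KEY, SAMPLE_MID, DELETE, SAMPLE_DELETE)
    flipped = good[:-1] + bytes([good[-1] ^ 0x01])  # one bit changed in the SPI
    print(accepted(good), accepted(flipped))
```

A receiver that returns `rest` without the comparison would accept both bodies, which is the behaviour the paragraph above describes.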
CVE-2019-10155 was publicly disclosed on June 12, 2019. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The CVSS score of 3.1 (LOW) suggests a relatively low probability of exploitation, but the potential impact warrants prompt remediation. No KEV listing is currently available.
Organizations and individuals utilizing Libreswan for IPsec VPN connections, particularly those relying on IKEv1 for compatibility with older systems, are at risk. Shared hosting environments where Libreswan is deployed could also be affected if the underlying infrastructure is vulnerable.
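• linux / server:
# libreswan's systemd unit is ipsec.service
journalctl -u ipsec | grep -i ikev1
• linux / server:
# the libreswan IKE daemon process is named pluto
ps aux | grep '[p]luto'
• linux / server:
# IKE listens on UDP 500 (and 4500 for NAT-T)
ss -uln | grep -w -e 500 -e 4500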
EPSS: 0.22% (45th percentile)
The primary mitigation for CVE-2019-10155 is to upgrade to Libreswan version 3.29 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter firewall rules to limit IKEv1 traffic to trusted sources. While not a complete solution, this can reduce the attack surface. Monitor Libreswan logs for unusual activity related to IKEv1 exchanges. After upgrading, verify the integrity check functionality by initiating an IKEv1 connection and inspecting the packet flow using a network analyzer like Wireshark to confirm that integrity checks are being performed correctly.
Update Libreswan to version 3.29 or later. This update fixes the vulnerability in the processing of IKEv1 packets. Visit the Libreswan website for update instructions.
CVE-2019-10155 is a vulnerability in Libreswan versions before 3.29 where integrity checks on IKEv1 informational exchange packets are not properly verified, potentially leading to information disclosure.
You are affected if you are using Libreswan versions prior to 3.29. Check your Libreswan version and upgrade if necessary.
Upgrade Libreswan to version 3.29 or later. If upgrading is not possible, consider disabling IKEv1 if it's not essential.
There is no public evidence of active exploitation of CVE-2019-10155 at this time.
Refer to the Libreswan security advisory: https://www.libreswan.org/security/advisories/cve-2019-10155