strongSwan, an IPsec-based VPN package used on Linux, Android, FreeBSD, and macOS, has identified a vulnerability (CVE-2023-41913) that can be used to remotely execute malicious code. The vulnerability is caused by an error in the charon-tkm process with the implementation of the key exchange protocol (IKE) based on TKMv2 (Trusted Key Manager), which leads to a buffer overflow when processing specially designed values of the DH scheme (Diffie–Hellman). The vulnerability only appears on systems that use charon-tkm and in strongSwan releases starting from 5.3.0. The issue was fixed in the strongSwan update 5.9.12.Patches have also been prepared to fix the vulnerability in branches starting from 5.3.x.
The error is caused by not checking the size of public Diffie-Hellman values before copying them to a fixed-size buffer on the stack. Overflow can be initiated by sending a special decorated IKE_SA_INIT message, processed without authentication. In older versions of strongSwan, size verification was performed in the KE payload handler (Key Exchange), but in version 5.3.0, changes were added that move the verification of public values to the DH protocol handler (Diffie-Hellman) and add standard functions to simplify checking the correctness of known DH groups. Due to an oversight, the new verification functions were forgotten to be added to the charon-tkm process, which acts as a proxy between the IKE process and TKM (Trusted Key Manager). As a result, the memcpy() function turned out to have unverified values that allow writing up to 10,000 bytes of data to a 512-byte buffer.
The error is caused by not checking the size of public Diffie-Hellman values before copying them to a fixed-size buffer on the stack. Overflow can be initiated by sending a special decorated IKE_SA_INIT message, processed without authentication. In older versions of strongSwan, size verification was performed in the KE payload handler (Key Exchange), but in version 5.3.0, changes were added that move the verification of public values to the DH protocol handler (Diffie-Hellman) and add standard functions to simplify checking the correctness of known DH groups. Due to an oversight, the new verification functions were forgotten to be added to the charon-tkm process, which acts as a proxy between the IKE process and TKM (Trusted Key Manager). As a result, the memcpy() function turned out to have unverified values that allow writing up to 10,000 bytes of data to a 512-byte buffer.
