6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.006 Low
EPSS
Percentile
77.6%
Severity: Low
Date : 2018-05-26
CVE-ID : CVE-2018-5388
Package : strongswan
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-710
The package strongswan before version 5.6.2-2 is vulnerable to denial
of service.
Upgrade to 5.6.2-2.
The problem has been fixed upstream but no release is available yet.
None.
strongSwan VPN’s charon server prior to version 5.6.3 is missing a
packet length check in stroke_socket.c, allowing a buffer overflow
which may lead to resource exhaustion and denial of service while
reading from the socket.
According to the vendor, an attacker must typically have local root
permissions to access the socket. However, other accounts and groups
such as the vpn group (if capability dropping in enabled, for example)
may also have sufficient permissions, but this configuration does not
appear to be the default behavior.
A local attacker with access to the VPN socket is able to crash the
service.
https://bugs.archlinux.org/task/58719
https://www.kb.cert.org/vuls/id/338343
https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4
https://security.archlinux.org/CVE-2018-5388
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | strongswan | < 5.6.2-2 | UNKNOWN |
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.006 Low
EPSS
Percentile
77.6%