CVE-2008-4551

2008-10-1420:00:00

CWE-399

[email protected]

web.nvd.nist.gov

cve-2008-4551

strongswan

denial of service

remote attack

ike_sa_init

null pointer dereference

6.7 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.025 Low

EPSS

Percentile

90.1%

JSON

strongSwan 4.2.6 and earlier allows remote attackers to cause a denial of service (daemon crash) via an IKE_SA_INIT message with a large number of NULL values in a Key Exchange payload, which triggers a NULL pointer dereference for the return value of the mpz_export function in the GNU Multiprecision Library (GMP).

CPENameOperatorVersion
strongswan:strongswanstrongswaneq2.4.3
strongswan:strongswanstrongswaneq2.5.7
strongswan:strongswanstrongswaneq2.4.2
strongswan:strongswanstrongswaneq4.1.8
strongswan:strongswanstrongswaneq4.1.11
strongswan:strongswanstrongswaneq2.2.2
strongswan:strongswanstrongswaneq2.5.3
strongswan:strongswanstrongswaneq2.6.0
strongswan:strongswanstrongswaneq2.3.0
strongswan:strongswanstrongswaneq4.1.1

CPE	Name	Operator	Version
strongswan:strongswan	strongswan	eq	2.4.3
strongswan:strongswan	strongswan	eq	2.5.7
strongswan:strongswan	strongswan	eq	2.4.2
strongswan:strongswan	strongswan	eq	4.1.8
strongswan:strongswan	strongswan	eq	4.1.11
strongswan:strongswan	strongswan	eq	2.2.2
strongswan:strongswan	strongswan	eq	2.5.3
strongswan:strongswan	strongswan	eq	2.6.0
strongswan:strongswan	strongswan	eq	2.3.0
strongswan:strongswan	strongswan	eq	4.1.1