Release and vulnerability announcements for strongSwan

strongSwan 5.9.8 Released

We are happy to announce the release of strongSwan 5.9.8, which fixes a denial-of-service vulnerability related to online certificate revocation checks, supports SCEP and EST via the pki tool and comes with several other new features and fixes.

Vulnerability Related to Online Certificate Revocation Checks (CVE-2022-40617)

A vulnerability related to online certificate revocation checking was fixed. It was caused by the revocation plugin using potentially untrusted OCSP URIs and CRL distribution points in certificates. This allowed a remote attacker to initiate IKE_SAs and send crafted certificates that contain URIs pointing to servers under their control, which could have led to a denial-of-service attack. All strongSwan versions may be affected.

More information is provided in a separate blog entry.

SCEP and EST in the pki Tool

The new pki --scep|--scepca commands implement the HTTP-based "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP), replacing the old and long-deprecated scepclient tool, which has been removed.

The new pki --est|--estca commands implement the HTTPS-based "Enrollment over Secure Transport" (RFC 7070 EST) protocol.

Also, the pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key.

Later ike_updown() Event for IKEv2

For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED are now triggered after all IKE-related tasks are done. This ensures the IKE_SA is actually fully established, which now includes any assigned virtual IPs, additional MOBIKE peer addresses or a reauthentication time updated via AUTH_LIFETIME notify. This was an issue, for example, for the selinux plugin if virtual IPs were used.

Other Notable Features and Fixes

  • The ike_cfg_t object is now always replaced together with the peer_cfg_t object that's set on an IKE_SA during authentication. This is more consistent and makes it possible to properly take into account some settings that are also relevant during IKE_AUTH (e.g. childless). It was already handled this way during rekeying/reestablishing of IKE_SAs and, for example, for the DSCP setting.
  • The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests (now indirectly enabled if the pki tool is built due to the implementation of EST) can be completed successfully with just the default plugins.
  • The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP sockets, so an error is triggered if e.g. two daemons (e.g. charon and charon-systemd) are running concurrently using the same ports.
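
The SO_REUSEADDR change in the last item, shown as an added example (not strongSwan code): on Linux, two UDP sockets that both set SO_REUSEADDR can bind the same port without any error, while without the option the second bind() fails with EADDRINUSE. The helper names, the wildcard address and the kernel-chosen port are assumptions made for this demo.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to the wildcard address on `port` (0 = kernel picks),
 * optionally setting SO_REUSEADDR first. Returns the fd, or -errno. */
static int open_udp(in_port_t port, int reuse)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    int err, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if ((!reuse || !setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse))) &&
        !bind(fd, (struct sockaddr *)&addr, sizeof(addr)))
        return fd;
    err = errno;
    close(fd);
    return -err;
}

/* Two sockets stand in for two daemons using one port. Returns 0 if the second
 * bind succeeded, its errno if it failed, or -1 if the setup itself failed. */
int second_bind_result(int reuse)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    int result = -1, second, first = open_udp(0, reuse);
    if (first < 0)
        return -1;
    if (!getsockname(first, (struct sockaddr *)&addr, &len)) {
        second = open_udp(ntohs(addr.sin_port), reuse);
        result = second < 0 ? -second : 0;
        if (second >= 0)
            close(second);
    }
    close(first);
    return result;
}

int main(void)
{
    int with = second_bind_result(1), without = second_bind_result(0);
    printf("SO_REUSEADDR set:   %s\n", with ? strerror(with) : "second bind ok");
    printf("SO_REUSEADDR unset: %s\n", without ? strerror(without) : "second bind ok");
    return without == EADDRINUSE ? 0 : 1;
}
```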
