CVE-2023-26463
Published: 15 April 2023
Summary
CVE-2023-26463 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in strongSwan (vendor: strongSwan). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
strongSwan versions 5.9.8 and 5.9.9 contain a use-after-free vulnerability stemming from reuse of a variable named "public" for two distinct purposes inside the same function. The flaw manifests as an initial access-control bypass followed by an expired pointer dereference and is reachable only when the daemon loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). The affected component is therefore any strongSwan server configured for these EAP methods.
An unauthenticated remote attacker can trigger the flaw by presenting a crafted client certificate during an EAP-TLS exchange. Successful exploitation yields remote code execution with the privileges of the charon process, enabling full compromise of the VPN gateway. The CVSS 3.1 base score of 9.8 reflects the absence of required authentication or user interaction and the complete confidentiality, integrity, and availability impact.
The issue is resolved in strongSwan 5.9.10; administrators are advised to upgrade immediately. Vendor advisories from strongSwan and NetApp reiterate that only servers exposing the listed EAP plugins are affected and that the fix eliminates the double use of the variable.
EPSS for the CVE rose from a low baseline to a peak of 0.1284 (currently 0.1154), indicating measurable post-disclosure exploitation interest that warrants renewed attention.
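Because exposure depends on both the running version and which EAP plugins charon has loaded, a quick triage over `ipsec statusall` output is a practical first check. The following is an added example, not code from strongSwan or the advisory; the sample dump is constructed, and the line formats it matches ("strongSwan X.Y.Z" in the banner, a "loaded plugins:" line) are assumed from typical strongSwan output.

```python
import re

# Versions the advisory text names as affected, and the release that fixes the flaw.
AFFECTED_VERSIONS = {(5, 9, 8), (5, 9, 9)}
FIXED_VERSION = (5, 9, 10)
# Plugins that implement TLS-based EAP methods; only servers loading one of these are exposed.
TLS_EAP_PLUGINS = {"eap-tls", "eap-ttls", "eap-peap", "eap-tnc"}

# Constructed sample of `ipsec statusall` output (not captured from a real host).
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.9.8, Linux 5.15.0, x86_64):
  uptime: 3 days, since Apr 12 10:01:44 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes sha1 sha2 random nonce x509 revocation pem pkcs1 openssl eap-identity eap-tls eap-ttls socket-default kernel-netlink
"""


def parse_version(text):
    """Extract the strongSwan version from the daemon banner as an (major, minor, patch) tuple."""
    m = re.search(r"strongSwan (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_plugins(text):
    """Return the set of plugin names listed on the 'loaded plugins:' line."""
    m = re.search(r"loaded plugins:\s*(.*)", text)
    return set(m.group(1).split()) if m else set()


def assess(text):
    """Return (exposed, reason) for one statusall dump against CVE-2023-26463."""
    version = parse_version(text)
    if version is None:
        return False, "no strongSwan version banner found"
    if version not in AFFECTED_VERSIONS:
        return False, "version %d.%d.%d is not an affected release" % version
    exposed = sorted(loaded_plugins(text) & TLS_EAP_PLUGINS)
    if not exposed:
        return False, "affected version, but no TLS-based EAP plugin is loaded"
    return True, "affected version with TLS-based EAP plugins loaded: " + ", ".join(exposed)


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```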
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30283
Vulnerability details
strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.