A high-severity vulnerability in StrongSwan’s EAP-TTLS AVP parser could be exploited remotely, without authentication, to take VPN services offline.
An open source IPsec VPN solution that provides client and server encryption and authentication, StrongSwan supports Windows, Linux, macOS, Android, and other platforms, and is widely used across enterprise environments.
The software supports, among other authentication methods, Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), which relies on Attribute-Value Pairs (AVPs) to pass authentication data through a TLS tunnel.
Last week, StrongSwan warned that all versions from 4.5.0 to 6.0.4 are affected by an integer underflow bug in the EAP-TTLS AVP parser that could be abused to crash the process by supplying crafted AVP data with invalid length fields.
“Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon,” a NIST advisory reads.
The issue exists because the parser does not check the AVP’s length value, which leads to a 32-bit integer underflow for length values between 0 and 7, StrongSwan explains.
While this leads to resource exhaustion if memory allocation succeeds, allocating large amounts of memory may fail, resulting in a null-pointer dereference and a segmentation fault, it says.
According to Bishop Fox, successful exploitation of the flaw requires a two-phase attack, where a malicious packet corrupts the heap and a second packet triggers the segmentation fault, crashing the daemon.
The cybersecurity firm discovered that the crash is triggered based on how the system handles the impossibly large allocation request. While in some cases NULL is immediately returned, in others the daemon crashes only when corrupted structures are used in a subsequent request.
The vulnerability was addressed in StrongSwan version 6.0.5, which adds the required validation of AVP length values during the parsing operation.
Related: Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise
Related: TP-Link Patches High-Severity Router Vulnerabilities
Related: Cisco Patches Multiple Vulnerabilities in IOS Software
Related: iOS, macOS 26.4 Roll Out With Fresh Security Patches
