
Cloud Vulnerability DB
A community-led vulnerabilities database
strongSwan releases before 5.9.4 contain a remotely triggerable integer overflow in the in-memory certificate cache (CVE-2021-41991), reported by researchers at the NSA. All versions since 4.2.10 are affected when the certificate cache is enabled, which it is by default. The bug sits in the code path that evicts an entry to make room for a new certificate once the cache is full (Strongswan Blog).
The cache has 32 slots. When none is free, the replacement code looks for a slot whose hit count is at most half the average, and it starts that scan at a slot chosen from the return value of random(). The random value is added to the loop counter as a signed int and only then reduced modulo the cache size. If random() returns a value close to RAND_MAX (2^31-1 on common libcs), the addition overflows, the result is negative, and because C's modulo of a negative operand is negative, the loop indexes the slot array at a negative position. The slot structure read from there contains pointers; the code dereferences one of them and calls through it, so the fault is a double dereference followed by an indirect call using out-of-bounds memory (Strongswan Blog).
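The index arithmetic described above, as an added example written for this entry (not strongSwan's source and not the upstream patch). It keeps the 32-slot cache size from the advisory, takes the random() result as a function parameter so the overflow can be reproduced on demand, and emulates the signed wrap in unsigned arithmetic so the behaviour is defined; the function names and the hardened variant are my own illustration, and the hardened form is a reconstruction of the obvious fix (reduce the offset before adding), not a copy of the patch.

```c
/*
 * Added example, not strongSwan's code: a model of the slot-index arithmetic
 * in the certificate-cache replacement loop. The offset is a parameter instead
 * of a random() call so the overflow can be triggered deterministically.
 * CACHE_SIZE is the 32-slot size from the advisory; everything else is an
 * assumption made for the illustration.
 */
#include <limits.h>
#include <stdio.h>

#define CACHE_SIZE 32

/* Two's-complement wrap of an int addition, done in unsigned arithmetic so
 * this example has defined behaviour. The real code adds two ints directly,
 * which is undefined on overflow; on mainstream compilers it wraps like this. */
static int wrapping_add(int a, int b)
{
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Vulnerable form: the raw random() value is added to the loop counter i and
 * only afterwards reduced modulo CACHE_SIZE. A negative result means the loop
 * reads a slot structure from before the start of the array. */
int slot_index_vulnerable(int i, int offset)
{
    return wrapping_add(i, offset) % CACHE_SIZE;
}

/* Hardened form (reconstruction, not the upstream patch): reduce the offset
 * into [0, CACHE_SIZE) before adding, so i + start is at most 2*CACHE_SIZE-2
 * and can neither overflow nor go negative. random() is never negative, so
 * the remainder is non-negative. */
int slot_index_fixed(int i, int offset)
{
    int start = offset % CACHE_SIZE;
    return (i + start) % CACHE_SIZE;
}

/* Walk the CACHE_SIZE probes of one replacement pass and return the first loop
 * counter i whose vulnerable index is negative, or -1 if the whole pass stays
 * inside the array. */
int first_oob_probe(int offset)
{
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (slot_index_vulnerable(i, offset) < 0)
            return i;
    }
    return -1;
}

/* Count the offsets in [lo, hi] for which a pass goes out of bounds. Scanning
 * the last 64 values below INT_MAX shows that only a handful of random()
 * outputs can trigger the bug, which is why it takes so many requests. */
int count_oob_offsets(int lo, int hi)
{
    int n = 0;
    for (int offset = lo; ; offset++) {
        if (first_oob_probe(offset) >= 0)
            n++;
        if (offset == hi)       /* break before offset++ could pass INT_MAX */
            break;
    }
    return n;
}

/* Return 1 if the hardened index stays inside [0, CACHE_SIZE) for every
 * probe and every offset in [lo, hi], 0 otherwise. */
int fixed_stays_in_range(int lo, int hi)
{
    for (int offset = lo; ; offset++) {
        for (int i = 0; i < CACHE_SIZE; i++) {
            int idx = slot_index_fixed(i, offset);
            if (idx < 0 || idx >= CACHE_SIZE)
                return 0;
        }
        if (offset == hi)
            break;
    }
    return 1;
}

int main(void)
{
    int offset = INT_MAX;   /* worst case random() can return when RAND_MAX is 2^31-1 */

    printf("offset=%d: vulnerable index at i=31 is %d, hardened index is %d\n",
           offset, slot_index_vulnerable(31, offset), slot_index_fixed(31, offset));
    printf("first out-of-bounds probe for this offset: i=%d\n", first_oob_probe(offset));
    printf("offsets in [INT_MAX-63, INT_MAX] that go out of bounds: %d\n",
           count_oob_offsets(INT_MAX - 63, INT_MAX));
    printf("hardened form in range over the same offsets: %s\n",
           fixed_stays_in_range(INT_MAX - 63, INT_MAX) ? "yes" : "no");
    return 0;
}
```

Any C99 compiler builds this. The wrap is emulated on purpose: the shipped binaries produce the negative index because the compiler emitted a plain add, but since `i + offset` overflowing an int is undefined behaviour, an optimizing build of the literal vulnerable expression is not guaranteed to reproduce it, so a model that wants a reliable demonstration has to spell the wrap out.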
The practical impact is a denial of service: the out-of-bounds access normally ends in a segmentation fault that takes down the IKE daemon. Remote code execution cannot be ruled out entirely, but it is considered unlikely because the attacker does not control the memory that is dereferenced. The overflow also only occurs for the few random() return values close to RAND_MAX, so triggering it reliably takes thousands of requests over roughly one to two days (Strongswan Blog, Debian Security).
The vulnerability is fixed in strongSwan 5.9.4; for older branches, patches are available for 4.4.1 and newer. Deployments with the in-memory certificate cache disabled (charon.cert_cache = no in strongswan.conf) are not affected, but since the cache is enabled by default this only helps as an explicit, temporary mitigation where upgrading is not immediately possible (Strongswan Blog, Fedora Update).
Source: This report was generated using AI