CVE-2022-40617
strongSwan vulnerability analysis and mitigation

Overview

strongSwan before version 5.9.8 contains a vulnerability (CVE-2022-40617) related to online certificate revocation checking that can lead to a denial-of-service attack. The vulnerability was discovered by Lahav Schlesinger and publicly disclosed on October 3, 2022. The issue affects the revocation plugin in strongSwan, which handles certificate validation and revocation checking (StrongSwan Blog).

Technical details

The vulnerability exists in the credential manager component of strongSwan, which performs online certificate revocation checks inline while traversing the certificate chain. The issue is that, at the point where the revocation plugin accesses the URIs contained in a certificate, the chain has not yet been verified as trusted. This allows attackers to send crafted end-entity and intermediate CA certificates with URIs pointing to servers under their control, forcing strongSwan to connect to these servers. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu CVE).

Impact

The vulnerability can lead to denial-of-service attacks through two main vectors. First, if the attacker's server completes the TCP handshake but sends no data, it can block worker threads indefinitely due to the lack of an overall timeout. Multiple such connections can prevent the daemon from processing any further IKE messages or events. Second, if the server sends excessive data, it can potentially exhaust the host's memory since the fetched OCSP/CRL data is stored without upper limits. This could force the system's OOM killer to terminate the IKE daemon (StrongSwan Blog).

Mitigation and workarounds

The vulnerability was fixed in strongSwan version 5.9.8 by implementing a new approach that creates a trusted certificate chain before starting online revocation checks. For older releases, the strongSwan project provides patches that fix the vulnerability for versions 5.1.0 and newer. Systems not using the revocation plugin are not directly vulnerable, though similar issues could exist if custom plugins implement the validate() method of the cert_validator_t interface (StrongSwan Blog).
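The two resource limits whose absence the Impact section describes (no overall timeout, no cap on fetched OCSP/CRL data), shown in an added Python example that is not strongSwan code: a fetcher that enforces both, plus a constructed local responder used only to exercise it. The function names, the 1 MiB default cap and the /ocsp path are assumptions.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

class FetchLimitExceeded(Exception):
    """The fetch blew its time or size budget; treat revocation data as unavailable."""

def bounded_fetch(url, max_bytes=1 << 20, deadline_s=10.0, chunk=16384):
    """GET `url` under an overall wall-clock deadline and a hard size cap.
    A socket timeout bounds only one read, so a peer that completes the handshake
    and then trickles bytes would still hold the thread; the elapsed time is
    re-checked after every chunk, and the body is dropped once it passes the cap."""
    p = urlparse(url)
    start = time.monotonic()
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=deadline_s)
    try:
        conn.request("GET", p.path or "/")
        resp = conn.getresponse()
        buf = bytearray()
        while True:
            if time.monotonic() - start > deadline_s:
                raise FetchLimitExceeded("overall deadline exceeded")
            data = resp.read(chunk)
            if not data:
                return bytes(buf)
            buf += data
            if len(buf) > max_bytes:
                raise FetchLimitExceeded(f"body exceeded cap of {max_bytes} bytes")
    except socket.timeout as e:
        raise FetchLimitExceeded("no data received within the deadline") from e
    finally:
        conn.close()

def serve_constructed(body, delay_s=0.0):
    """Local throwaway responder (constructed fixture, not a real OCSP/CRL server):
    waits `delay_s` seconds, then sends `body`. Returns the URL to fetch."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            time.sleep(delay_s)
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        log_message = lambda *a: None  # keep the fixture quiet
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/ocsp"
```

A caller that treats FetchLimitExceeded as "revocation status unknown" and applies its local policy keeps a single slow or oversized responder from tying up a worker thread or the host's memory.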

This report was generated using AI.

Related strongSwan vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                      | CISA KEV exploit | Has fix | Published date
CVE-2023-41913 | CRITICAL | 9.8   | strongSwan   | strongswan-tnc-imcvs                | No               | Yes     | Dec 07, 2023
CVE-2023-26463 | CRITICAL | 9.8   | strongSwan   | strongswan                          | No               | Yes     | Apr 15, 2023
CVE-2025-62291 | HIGH     | 8.1   | strongSwan   | strongswan                          | No               | Yes     | Jan 16, 2026
CVE-2022-40617 | HIGH     | 7.5   | strongSwan   | strongswan                          | No               | Yes     | Oct 31, 2022
CVE-2022-4967  | MEDIUM   | 6.5   | strongSwan   | cpe:2.3:a:strongswan:strongswan     | No               | Yes     | May 14, 2024
