CVE-2023-30570: 
NixOS vulnerability analysis and mitigation

CVE-2023-30570 affects pluto in Libreswan versions 3.28 through 4.10, allowing a denial of service attack through responder SPI mishandling and daemon crash. The vulnerability was discovered in March 2023 and publicly disclosed on May 3, 2023. The issue specifically impacts the IKEv1 Aggressive Mode functionality in Libreswan, which is an implementation of IPsec and IKE for Linux (Libreswan Advisory).

The vulnerability occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, causing the response packet to be sent with an incorrect responder SPI value. When a subsequent packet is received where the sender reuses the libreswan responder SPI, the pluto daemon state machine crashes. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial of service condition when exploited. When packets are sent continuously, it can cause the libreswan pluto daemon to repeatedly crash and restart, disrupting VPN services. No remote code execution is possible through this vulnerability (Libreswan Advisory).

The vulnerability is fixed in Libreswan version 4.11 and later. As a workaround, users can convert IKEv1 Aggressive Mode connections to IKEv2 or IKEv1 Main Mode connections. If this is not feasible, upgrading to version 4.11 or later is recommended. Red Hat has released security updates for affected versions in Red Hat Enterprise Linux 8 (Red Hat Advisory).