CVE-2023-38712: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in Libreswan versions 3.x and 4.x before 4.12, identified as CVE-2023-38712. The issue occurs when an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message. This vulnerability was disclosed on August 25, 2023, affecting the Libreswan IPsec implementation (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) issue. When processing IKEv1 ISAKMP SA Informational Exchange packets, a NULL pointer dereference occurs on the deleted state, which leads to the pluto daemon crashing and restarting. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is on service availability. When successfully exploited, it causes the pluto daemon (the main IKE daemon in Libreswan) to crash and restart, potentially disrupting active VPN connections and causing temporary service interruptions (Red Hat).

The vulnerability has been fixed in Libreswan version 4.12. Users are advised to upgrade to this version or later to address the security issue. Red Hat has released security updates for affected versions in their Enterprise Linux distributions (Red Hat Advisory).