CVE-2024-3652: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-3652 affects Libreswan, an implementation of IPsec and IKE for Linux, in versions 3.22 through 4.14. The vulnerability was discovered when Libreswan would restart when using IKEv1 without specifying an esp= line. The issue specifically occurs when a peer requests AES-GMAC, causing libreswan's default proposal handler to trigger an assertion failure, resulting in a crash and restart. Notably, IKEv2 connections are not affected by this vulnerability (NVD, OSS Security).

The vulnerability stems from a flaw in the computeprotokeymat() function, which fails to properly handle unexpected proposals where the keymat size is 0, such as in the case of AES-GMAC used with NULL encryption. This implementation error leads to an assertion failure routine being called. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible vulnerability with low attack complexity (NVD).

The primary impact of this vulnerability is a denial of service condition affecting the Libreswan service. When exploited, it causes the service to crash and restart, potentially disrupting VPN connections. It's important to note that no Remote Code Execution is possible through this vulnerability (OSS Security).

The vulnerability has been fixed in Libreswan versions 4.15+ and 5.0+. Organizations running affected versions (3.22 - 4.14) should upgrade to a patched version. Systems running Libreswan versions 3.0 - 3.21 are not vulnerable to this issue (OSS Security).