IPSEC Memory disclosure and DDoS Risks

Advisory ID: STORM-2023-008
CVE Number: CVE-2023-0286
Date discovered: 01/25/2023
Severity: low
Advisory revision: v1

Vulnerability details

The Certificate Revocation List (CRL) check may be vulnerable under specific circumstances.

Impacted products

Products: Stormshield Network Security
Severity: low
Detail: SNS is impacted

Revisions

Version Date Description
v1 02/21/2023 Initial release
v2 05/02/2023 Add EAL version


Stormshield Network Security

CVSS v3.1 Overall Score: 3.9

Analysis

If an attacker controls the certificate chain and the CRL, they can in some cases read the contents of memory or cause a denial of service.

Impacted version

  • SNS 2.7.0 to 2.7.10
  • SNS 2.8.0 to 3.7.33
  • SNS 3.8.0 to 3.11.21
  • SNS 4.0.0 to 4.3.15
  • SNS 4.4.0 to 4.6.2

Workaround solution

There is no workaround solution.

Solution

The following versions fix this vulnerability:

  • 2.7.11
  • 3.7.34
  • 3.11.22
  • 4.3.12.1
  • 4.3.16
  • 4.6.3
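
Checking a fleet against these lists takes more than a single "version >= fixed release" comparison, because fixes exist on several branches and 4.3.12.1 is a fixed build that sits inside an impacted range. The script below is an added example, not Stormshield code; the host names, the inventory, the status labels and the "review" status for unlisted four-part builds are assumptions.

```python
# Ranges and fixed versions are copied from the advisory above.
IMPACTED = [  # inclusive (first, last) releases
    ("2.7.0", "2.7.10"),
    ("2.8.0", "3.7.33"),
    ("3.8.0", "3.11.21"),
    ("4.0.0", "4.3.15"),
    ("4.4.0", "4.6.2"),
]
FIXED = ["2.7.11", "3.7.34", "3.11.22", "4.3.12.1", "4.3.16", "4.6.3"]


def parse(version):
    """Turn '4.3.12.1' into (4, 3, 12, 1); accept only 3 or 4 numeric parts."""
    parts = version.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SNS version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'fixed', 'impacted', 'review' or 'not-listed' (labels are assumptions)."""
    v = parse(version)
    if v in {parse(f) for f in FIXED}:
        return "fixed"  # explicitly named as a fixing release
    base = v[:3]
    if not any(parse(lo) <= base <= parse(hi) for lo, hi in IMPACTED):
        return "not-listed"  # outside every impacted range in the advisory
    # Assumption: a four-part build of an impacted release that the advisory
    # does not name (unlike 4.3.12.1) needs manual confirmation.
    return "impacted" if len(v) == 3 else "review"


def triage(inventory):
    """Group host names by status."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed inventory; host names are hypothetical.
SAMPLE = {"fw-a": "4.3.13", "fw-b": "4.3.12.1", "fw-c": "3.7.34",
          "fw-d": "3.8.0", "fw-e": "4.3.12.2", "fw-f": "4.6.3"}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts)}")
```
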


Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
CVSS Base score: 3.7
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploit Code Maturity: Unproven that exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 3.2
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Confidentiality Requirement: High
Integrity Requirement: High
Availability Requirement: High
CVSS Environmental score: 3.9
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)