IPSEC PEM DoS

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2023-010 CVE-2022-4450 01/25/2023 low v1

Vulnerability details

Malicious PEM files may be able to achieve denial of service on IPSEC module.

Impacted products

ProductsSeverityDetail
Stormshield Network Security low SNS is impacted

Revisions

Version Date Description
v1 02/21/2023 Initial release
v2 05/02/2023 Add EAL version


Stormshield Network Security

CVSS v3.1 Overall Score: 3.9      

Analysis

Impacted version

It is possible to construct a PEM file that results in 0 bytes of payload data. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.
  • SNS 4.0.0 to 4.3.15
  • SNS 4.4.0 to 4.6.2

Workaround solution

Solution

There is no workaround solution.

The following versions fix this vulnerability

  • 4.3.12.1
  • 4.3.16
  • 4.6.3


Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Network High None None Unchanged None None Low
CVSS Base score: 3.7 CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploit Code Maturity Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 3.2 CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Confidentiality Requirement Integrity Requirement Availability Requirement
High High High
CVSS Environmental score: 3.9 CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)