VYPR
Unrated severity · NVD Advisory · Published Oct 31, 2022 · Updated May 6, 2025

CVE-2022-40617

Description

A crafted certificate with malicious revocation-check URLs can cause strongSwan's revocation plugin to hang, enabling a denial-of-service attack before trust validation completes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In strongSwan before version 5.9.8, the revocation plugin performs online certificate revocation checks (OCSP or CRL) inline while traversing the certificate chain. When an attacker sends a crafted end-entity or intermediate CA certificate containing untrusted OCSP URIs or CRL distribution points (CDPs) that point to a server under the attacker's control, the credential manager processes these URIs before the chain is fully validated. This means the revocation check occurs when the intermediate CA certificate may still be untrusted, allowing the attacker's server to respond slowly, stall after the TCP handshake, or send excessive data. The vulnerability affects all strongSwan versions using the revocation plugin or similar custom plugins [1].

Exploitation

The attacker must be a remote peer capable of initiating IKE_SAs (e.g., using IKEv1 or IKEv2) and sending crafted X.509 certificates with specifically chosen OCSP URIs or CDP URLs. The attacker controls a server that will respond to those URLs in a way that causes a delay or consumes resources—such as doing nothing after the TCP handshake, or sending an excessive amount of application data. The victim strongSwan instance will attempt to retrieve revocation information from those URLs while validating the certificate chain, leading to a hang or resource exhaustion before the chain is rejected due to lack of a trusted issuer [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition on the victim strongSwan server. The revocation plugin becomes unresponsive or consumes excessive resources, preventing legitimate IKE_SA processing and potentially causing service disruption. The attacker does not gain any authentication or further access; the impact is limited to availability [1].

Mitigation

The vulnerability is fixed in strongSwan release 5.9.8, published on 2022-10-03 [1]. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators can disable the revocation plugin (revocation=no in strongSwan configuration) as a workaround, though this reduces security by not checking certificate revocation status. No EOL status or KEV listing is noted in the references [1][2].
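The ordering problem described under Vulnerability, and the defensive ordering that the fix and the workaround above imply, as an added Python model that is not strongSwan code: a toy chain validator that fetches revocation data for every link while walking the chain (so an attacker-supplied OCSP URI or CDP on an untrusted intermediate is contacted and can stall) beside one that first anchors the chain in a trust store and only then runs bounded revocation checks. The certificate, fetcher, validator and `attacker.test` names are constructed for the example.

```python
from collections import namedtuple

# A certificate reduced to what matters here: names plus OCSP URIs / CDPs.
Cert = namedtuple("Cert", "subject issuer revocation_uris")

class Fetcher:
    """Records every URI contacted; hosts in `stalling` never answer."""
    def __init__(self, stalling):
        self.stalling, self.contacted = stalling, []
    def fetch(self, uri, timeout_s=None):
        self.contacted.append(uri)
        if uri.split("/")[2] in self.stalling:
            return "hung" if timeout_s is None else "timeout"  # no timeout: stuck
        return "good"

def chain_anchored(chain, anchors):
    # Each link's issuer must be the next subject and the top issuer trusted.
    links_ok = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return links_ok and chain[-1].issuer in anchors

def validate_inline(chain, anchors, fetcher):
    """Vulnerable order: fetch revocation data for each link while walking,
    before its issuer is known to be trusted. Returns 'hung' if a fetch stalls."""
    for cert in chain:
        for uri in cert.revocation_uris:
            if fetcher.fetch(uri) == "hung":
                return "hung"                  # the whole validation is stalled
    return chain_anchored(chain, anchors)

def validate_trust_first(chain, anchors, fetcher, timeout_s=5):
    """Hardened order: anchor the chain first, then bounded revocation checks."""
    if not chain_anchored(chain, anchors):
        return False                           # rejected with no network I/O
    return all(fetcher.fetch(u, timeout_s) == "good"
               for c in chain for u in c.revocation_uris)

# Constructed sample: a leaf under an intermediate that no trust anchor issued,
# both carrying attacker-controlled revocation URIs.
CRAFTED = [Cert("leaf", "Rogue CA", ["http://attacker.test/ocsp"]),
           Cert("Rogue CA", "Unknown Root", ["http://attacker.test/crl"])]
ANCHORS = {"Trusted Root"}

def demo():
    """Runs both validators on CRAFTED; reports results and URIs contacted."""
    old, new = Fetcher({"attacker.test"}), Fetcher({"attacker.test"})
    return {"inline": validate_inline(CRAFTED, ANCHORS, old),
            "inline_contacted": old.contacted,
            "trust_first": validate_trust_first(CRAFTED, ANCHORS, new),
            "trust_first_contacted": new.contacted}
```

Running `demo()` shows the inline validator stalling on the first attacker URI, while the trust-first validator rejects the chain without ever contacting it; a genuinely trusted chain still gets its revocation URIs fetched, under a timeout.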

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.