Debian dsa-6227 : charon-cmd - security update

high Nessus Plugin ID 309664

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6227 advisory.

Debian Security Advisory DSA-6227-1
[email protected]
https://www.debian.org/security/
Yves-Alexis Perez
April 22, 2026
https://www.debian.org/security/faq

Package: strongswan

CVE ID: CVE-2026-35328 CVE-2026-35329 CVE-2026-35330 CVE-2026-35331 CVE-2026-35332 CVE-2026-35333 CVE-2026-35334

Multiple vulnerabilities were fixed in strongSwan, an IKE/IPsec suite.

CVE-2026-35328

A vulnerability in libtls related to the processing of the supported_versions extension in TLS that can result in an infinite loop.

CVE-2026-35329

Vulnerabilities in libstrongswan and the pkcs7 plugin related to the processing of encrypted PKCS#7 containers that can result in a crash.

CVE-2026-35330

A vulnerability in libsimaka related to the processing of certain EAP-SIM/AKA attributes that can result in an infinite loop or a heap-based buffer overflow and potentially remote code execution.

CVE-2026-35331

A vulnerability in the constraints plugin related to the processing of X.509 name constraints that can allow authentication with certificates that violate the constraints.

CVE-2026-35332

A vulnerability in libtls related to the processing of ECDH public values in TLS < 1.3 that can result in a crash.

CVE-2026-35333

A vulnerability in libradius related to the processing of RADIUS attributes that can result in an infinite loop or an out-of-bounds read that may cause a crash.

CVE-2026-35334

A vulnerability in the gmp plugin related to RSA decryption that can result in a crash.

For the oldstable distribution (bookworm), these problems have been fixed in version 5.9.8-5+deb12u4.

For the stable distribution (trixie), these problems have been fixed in version 6.0.1-6+deb13u5.

We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: [email protected]

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the charon-cmd packages.

See Also

https://security-tracker.debian.org/tracker/source-package/strongswan

https://packages.debian.org/source/bookworm/strongswan

https://packages.debian.org/source/trixie/strongswan

https://security-tracker.debian.org/tracker/CVE-2026-35328

https://security-tracker.debian.org/tracker/CVE-2026-35329

https://security-tracker.debian.org/tracker/CVE-2026-35330

https://security-tracker.debian.org/tracker/CVE-2026-35331

https://security-tracker.debian.org/tracker/CVE-2026-35332

https://security-tracker.debian.org/tracker/CVE-2026-35333

https://security-tracker.debian.org/tracker/CVE-2026-35334

Plugin Details

Severity: High

ID: 309664

File Name: debian_DSA-6227.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/22/2026

Updated: 4/22/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2026-35334

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:strongswan-starter, p-cpe:/a:debian:debian_linux:strongswan-charon, p-cpe:/a:debian:debian_linux:charon-systemd, p-cpe:/a:debian:debian_linux:libcharon-extra-plugins, p-cpe:/a:debian:debian_linux:libstrongswan-standard-plugins, p-cpe:/a:debian:debian_linux:libstrongswan-extra-plugins, p-cpe:/a:debian:debian_linux:strongswan-nm, p-cpe:/a:debian:debian_linux:charon-cmd, p-cpe:/a:debian:debian_linux:strongswan-pki, p-cpe:/a:debian:debian_linux:strongswan-libcharon, p-cpe:/a:debian:debian_linux:libcharon-extauth-plugins, p-cpe:/a:debian:debian_linux:strongswan, p-cpe:/a:debian:debian_linux:libstrongswan, cpe:/o:debian:debian_linux:12.0, cpe:/o:debian:debian_linux:13.0, p-cpe:/a:debian:debian_linux:strongswan-swanctl

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-35328, CVE-2026-35329, CVE-2026-35330, CVE-2026-35331, CVE-2026-35332, CVE-2026-35333, CVE-2026-35334