CVE-2026-25998: CWE-323: Reusing a Nonce, Key Pair in Encryption in strongswan strongMan
strongMan is a management interface for strongSwan, an open-source IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker who has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
AI Analysis
Technical Summary
strongMan, the management interface for the open-source strongSwan IPsec VPN, encrypts sensitive credentials such as private keys and EAP secrets before storing them in its database. Prior to version 0.2.0, strongMan used AES in CTR mode with a global database key and a static initialization vector (IV) for all encrypted fields. This design flaw caused the same key stream to be reused across multiple encrypted database entries, violating the fundamental rule that a key/IV pair, and therefore a key stream, must never be reused in a stream cipher or a stream-like mode such as AES-CTR. Because certificates are public information yet are encrypted with the same scheme, an attacker with read access to the database can recover the key stream by XORing a certificate's ciphertext with its known plaintext. This recovered key stream then enables decryption of all other encrypted secrets, including ECDSA private keys and EAP secrets, which are typically shorter than a certificate and more sensitive. The vulnerability is classified under CWE-323 (Reusing a Nonce, Key Pair in Encryption) and CWE-1204 (Improper Use of a Cryptographic Primitive). The fix in version 0.2.0 replaces AES-CTR with AES-GCM-SIV, which provides nonce misuse resistance, uses random nonces, and derives an individual encryption key per value using HKDF. Database migration scripts are provided to re-encrypt all stored credentials securely. The vulnerability has a CVSS 4.0 score of 8.7, reflecting its high impact and ease of exploitation given database access, without requiring authentication or user interaction. No known exploits are currently reported in the wild.
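To put the reuse described above next to the per-value key derivation the fix adopts, here is an added example that is not strongMan's code. It models CTR mode with HMAC-SHA256 standing in for the AES block function, because the reuse property depends only on the mode, and it does not model the AES-GCM-SIV authentication of the real fix; the global key, the HKDF info label and the salt||nonce||ciphertext layout are constructed assumptions.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-mode key stream: PRF(key, iv || counter) per block. HMAC-SHA256 stands
    in for the AES block function (assumption); the reuse property is the same."""
    out = b""
    for ctr in range(-(-length // 32)):
        out += hmac.new(key, iv + ctr.to_bytes(16, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


GLOBAL_DB_KEY = hashlib.sha256(b"constructed global database key").digest()
STATIC_IV = bytes(16)          # pre-0.2.0 pattern: one IV for every field
INFO = b"strongman-field-key"  # constructed HKDF info label


def encrypt_old(plaintext: bytes) -> bytes:
    """Vulnerable pattern: global key + fixed IV, so every field shares one key stream."""
    return xor(plaintext, ctr_keystream(GLOBAL_DB_KEY, STATIC_IV, len(plaintext)))


def encrypt_new(plaintext: bytes) -> bytes:
    """Fixed pattern: per-value key from HKDF over a random salt, plus a fresh nonce.
    Stored layout (constructed): salt || nonce || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = hkdf_sha256(GLOBAL_DB_KEY, salt, INFO)
    return salt + nonce + xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def decrypt_new(blob: bytes) -> bytes:
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    key = hkdf_sha256(GLOBAL_DB_KEY, salt, INFO)
    return xor(ct, ctr_keystream(key, nonce, len(ct)))


def keystream_reused(encrypt, header_len: int, p1: bytes, p2: bytes) -> bool:
    """Audit check: encrypt two values, recover each key stream as ct XOR pt (what a
    public plaintext such as a certificate gives away) and report whether the
    streams coincide. True means CWE-323 style reuse across database fields."""
    k1 = xor(encrypt(p1)[header_len:], p1)
    k2 = xor(encrypt(p2)[header_len:], p2)
    n = min(len(k1), len(k2))
    return k1[:n] == k2[:n]
```

Running keystream_reused against encrypt_old returns True for any two fields, while against encrypt_new it returns False, which is the property a migration test for the 0.2.0 scheme should assert.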
Potential Impact
The vulnerability allows an attacker with read access to the strongMan database to decrypt all encrypted credentials, including private keys and EAP secrets. This compromises the confidentiality and integrity of VPN authentication materials, potentially allowing unauthorized access to VPN infrastructure. Attackers could impersonate legitimate VPN users or decrypt VPN traffic if private keys are compromised. The breach of EAP secrets also undermines authentication mechanisms. Since strongMan manages strongSwan VPN credentials, this vulnerability threatens the security of VPN deployments worldwide that rely on strongMan for credential management. Organizations using vulnerable versions risk exposure of sensitive cryptographic material, leading to potential network intrusion, data exfiltration, and lateral movement within corporate networks. The vulnerability does not affect availability directly but severely impacts confidentiality and integrity. The ease of exploitation (no authentication or user interaction needed) and the broad scope of affected credentials make this a critical risk for organizations using strongMan versions prior to 0.2.0.
Mitigation Recommendations
Organizations should immediately upgrade strongMan to version 0.2.0 or later, which implements AES-GCM-SIV encryption with random nonces and per-value derived keys, eliminating key stream reuse. They must run the provided database migration scripts to securely re-encrypt all stored credentials. Access controls to the strongMan database should be strictly enforced to prevent unauthorized read access, including network segmentation and strong authentication for database access. Audit and monitor database access logs for suspicious activity. If upgrading is not immediately possible, consider isolating the database and restricting access to trusted administrators only. Additionally, rotate all VPN credentials and keys managed by strongMan after remediation to invalidate any potentially compromised secrets. Regularly review cryptographic implementations and ensure adherence to best practices such as unique nonces and key derivation per encryption operation to prevent similar vulnerabilities.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.859Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69973b6be884a8a4cb40973c
Added to database: 2/19/2026, 4:33:47 PM
Last enriched: 2/19/2026, 4:41:32 PM
Last updated: 2/20/2026, 11:30:36 PM