CVE-2023-47091 in Network Security
Summary
by MITRE • 12/25/2023
An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can overflow the cookie threshold, making an IPsec connection impossible.
Analysis
by VulDB Data Team • 02/20/2026
This vulnerability affects Stormshield Network Security appliances running specific versions of the SNS software, where an attacker can exploit a cookie overflow condition that prevents IPsec connections from being established. The issue manifests when the cookie threshold is exceeded during IPsec negotiation, blocking secure tunnel establishment. This is a critical denial-of-service condition that undermines the core security function of the appliance. Multiple version streams are affected: 4.3.13 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1, each before its respective patched release (4.3.23, 4.6.10 and 4.7.2), indicating a widespread issue within the product line. The flaw falls under CWE-129 Input Validation, specifically improper validation of cookie data sizes during IPsec protocol handling. Operationally, the vulnerability lets attackers disrupt network connectivity and, by preventing legitimate IPsec tunnels from forming, potentially gain unauthorized access to network resources. The attack vector requires an attacker to be positioned within the network, or to have some other form of access that allows sending the crafted packets that trigger the cookie overflow condition.
Technically, the vulnerability lies in the IPsec protocol stack of the Stormshield appliance, where cookie validation takes place during the security association negotiation phase. When the cookie size exceeds the predetermined threshold, the system fails to handle the overflow condition properly and terminates the IPsec connection process entirely. This produces a predictable denial-of-service scenario in which an attacker can reliably prevent legitimate users from establishing secure connections. The flaw reflects poor error handling and input validation in the IPsec implementation, since the system does not gracefully manage oversized cookie values. The attack requires minimal privileges and can be executed remotely, making it particularly dangerous in environments where IPsec tunnels are critical for secure communications. It maps to ATT&CK technique T1499.004 (Network Denial of Service), where the attacker leverages protocol implementation flaws to disrupt network services. In effect, an attacker can mount a network-level disruption attack against the core security infrastructure of the appliance.
The operational impact extends beyond simple service disruption and can compromise the entire security posture of networks that rely on Stormshield appliances for IPsec connectivity. Organizations may experience extended downtime while investigating and resolving the issue, leading to productivity losses and potential regulatory compliance violations. The vulnerability could also be exploited as part of a broader campaign against network infrastructure, where the attacker first disrupts IPsec connectivity to isolate network segments or to create opportunities for further attacks. Recovery requires applying the vendor patches that address the cookie validation logic and implement proper overflow handling. The remediation process should include thorough testing of IPsec connectivity after patch deployment to confirm that legitimate connections are restored. Security teams should also monitor their network traffic logs for exploitation attempts, since the attack pattern is detectable as anomalous IPsec negotiation failures. The vulnerability underlines the importance of proper input validation and error handling in network security appliances, particularly those implementing complex protocols such as IPsec that demand strict adherence to the specification. Organizations running affected versions should immediately implement network segmentation and monitoring controls to detect and respond to exploitation attempts while planning patch deployment.
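As an added illustration of the cookie-threshold behaviour discussed above (example code written for this page, not Stormshield's implementation, whose internals the advisory does not describe), the toy responder below models the standard IKEv2 cookie exchange from RFC 7296 section 2.6: once its half-open SA count reaches a threshold it stops allocating state and instead demands a stateless cookie, so a spoofed flood cannot fill the table while a reachable peer that echoes the cookie still connects. The `demand_cookies=False` mode models the symptom the advisory describes, a responder that simply refuses new negotiations once the threshold is hit. The threshold value, addresses and message shapes are assumptions.

```python
import hashlib
import hmac
import os

HALF_OPEN_THRESHOLD = 4  # assumed value; the appliance's real threshold is not given on the page


class IkeResponder:
    """Toy IKEv2 responder modelling the RFC 7296 section 2.6 cookie exchange (not Stormshield code)."""

    def __init__(self, demand_cookies=True):
        self.demand_cookies = demand_cookies
        self.secret = os.urandom(32)    # a real responder rotates this periodically
        self.secret_version = b"\x01"
        self.half_open = {}             # spi_i -> initiator address of SAs still awaiting IKE_AUTH

    def _cookie(self, spi_i, nonce_i, addr_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): computed without keeping state
        mac = hmac.new(self.secret, nonce_i + addr_i.encode() + spi_i, hashlib.sha256).digest()
        return self.secret_version + mac[:16]

    def ike_sa_init(self, spi_i, nonce_i, addr_i, cookie=None):
        """Return (status, cookie): 'OK' when state is allocated, 'COOKIE' when the peer must
        retry with the returned cookie, 'REJECT' when the naive responder is simply full."""
        if len(self.half_open) >= HALF_OPEN_THRESHOLD:
            if not self.demand_cookies:
                return "REJECT", None       # failure mode: threshold hit, no new peer can connect
            expected = self._cookie(spi_i, nonce_i, addr_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "COOKIE", expected   # no state kept; only a peer that really receives this can echo it
        self.half_open[spi_i] = addr_i
        return "OK", None


def legit_initiator_connects(responder, addr="192.0.2.10"):
    """Behave like a real peer: repeat IKE_SA_INIT with the cookie when one is demanded."""
    spi, nonce = os.urandom(8), os.urandom(32)
    status, cookie = responder.ike_sa_init(spi, nonce, addr)
    if status == "COOKIE":
        status, _ = responder.ike_sa_init(spi, nonce, addr, cookie=cookie)
    return status == "OK"


def half_open_flood(responder, count):
    """Constructed half-open flood from spoofed addresses that never see, so never echo, a cookie."""
    for i in range(count):
        responder.ike_sa_init(os.urandom(8), os.urandom(32), f"203.0.113.{i % 250}")
    return len(responder.half_open)
```

With cookies demanded, the half-open table stops growing at the threshold and the legitimate peer still completes IKE_SA_INIT; without them, every new peer is refused once the threshold is reached, which is the monitoring signal (a burst of negotiation failures) the analysis above recommends watching for.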