[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 345-1] strongswan security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : strongswan
Version        : 4.4.1-5.8
CVE ID         : CVE-2015-8023

Tobias Brunner found an authentication bypass vulnerability in
strongSwan, an IKE/IPsec suite.

Due to insufficient validation of its local state the server
implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin
can be tricked into successfully concluding the authentication without
providing valid credentials.

It's possible to recognize such attacks by looking at the server logs.
The following log message would be seen during the client
authentication:

  EAP method EAP_MSCHAPV2 succeeded, no MSK established
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJWTcSfAAoJEG3bU/KmdcCl0tAH/RkL50MXvu79k6sB31Ucyi2q
2OIM5q7DdZ6aa7C6xR+lXXkSP7DAdXKpaYbtTUs5Y3cbe3h2hh53Mss+83+RngCW
aq6D+5xMeOaKi1erIicHtieoprYRONCKgwKdIR30PzPIh6ZKrC0GFvNCCm/+kJUL
0TFs4zbHXNaZs8827Uy+mXZeVGjGQzSc9kEUNOcdI896G+vSlHo94rphn7c2QL1v
HZi92sJMtHupvxIF3fpDG6lyi1Pj7Xln3gTnkVHsekeX6BInYJLGCpSbiDSHnRhv
hLnHsMxHTFw2k+XITIwIDDBIV87jgA4FAAs++h3+1e9YXG6JnLOWHTqbz0TdQT4=
=G+vt
-----END PGP SIGNATURE-----


Reply to: