In strongSwan prior to 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
| Vulnerable Product |
|---|
| strongswan strongswan |
| debian debian linux 9.0 |
| debian debian linux 10.0 |
| debian debian linux 11.0 |
| fedoraproject fedora 34 |
| fedoraproject extra packages for enterprise linux 8.0 |
| fedoraproject fedora 35 |
| fedoraproject extra packages for enterprise linux 9.0 |
| fedoraproject extra packages for enterprise linux 7.0 |
| canonical ubuntu linux 18.04 |
| canonical ubuntu linux 14.04 |
| canonical ubuntu linux 20.04 |
| canonical ubuntu linux 16.04 |
| canonical ubuntu linux 21.10 |