CVE-2015-8023 — Improper Input Validation in Strongswan

CWE-20 — Improper Input Validation CWE-2649 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.8%

top 25.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Strongswan Debian Strongswan Canonical Ubuntu Linux

Timeline

PublishedNov 18

Latest updateMay 14

Description

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/strongswan< strongswan 5.3.3-3 (bookworm)

▶Debianstrongswan/strongswan< 5.3.3-3+3

▶NVDstrongswan/strongswan41 versions+40

Also affects: Ubuntu Linux 14.04, 15.04, 15.10

🔴Vulnerability Details

GHSA

GHSA-4qm7-rm85-wr68: The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4↗2022-05-14

▶

OSV

CVE-2015-8023: The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4↗2015-11-18

▶

📋Vendor Advisories

Red Hat

strongswan: Authentication bypass in eap-mschapv2 plugin↗2015-11-16

▶

Ubuntu

strongSwan vulnerability↗2015-11-16

▶

Debian

CVE-2015-8023: strongswan - The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugi...↗2015

▶

💬Community

Bugzilla

CVE-2015-8023 strongswan: Authentication bypass in eap-mschapv2 plugin↗2015-11-18

▶