CVE-2021-45079
published 2022-01-31


Priority: P262 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 2.76% (84.4th percentile)
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Affected

25 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | strongswan | < strongswan 5.9.5-1 (bookworm) | strongswan 5.9.5-1 (bookworm)
fedoraproject | extra_packages_for_enterprise_linux | |
fedoraproject | extra_packages_for_enterprise_linux | |
fedoraproject | extra_packages_for_enterprise_linux | |
fedoraproject | fedora | |
fedoraproject | fedora | |
msrc | cbl2_strongswan_5.9.5-1_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_1.0_arm | |
msrc | cbl_mariner_1.0_x64 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
msrc | cm1_strongswan_5.7.2-5_on_cbl_mariner_1.0 | |
strongswan | strongswan | >= 0 < 5.9.1-1+deb11u2 | 5.9.1-1+deb11u2
strongswan | strongswan | >= 0 < 5.9.5-1 | 5.9.5-1
strongswan | strongswan | >= 0 < 5.9.5-1 | 5.9.5-1
strongswan | strongswan | >= 0 < 5.9.5-1 | 5.9.5-1
strongswan | strongswan | >= 4.1.2 < 5.9.5 | 5.9.5

Detection & IOCs (extracted from sources)

  • A malicious IKEv2 responder sends an EAP-Success message prematurely (before completing actual client authentication), which can be detected by monitoring for EAP-Success messages arriving out of the expected EAP exchange sequence in IKEv2 traffic.
  • The vulnerability affects strongSwan versions before 5.9.5; detection should focus on identifying unpatched strongSwan instances (prior to 5.9.5) acting as IKEv2 initiators that may accept premature EAP-Success messages.
  • Exploitation can result in a crash (denial of service) or authentication bypass; monitor strongSwan daemon logs for unexpected EAP-Success handling, crashes, or successful IKEv2 session establishment without completed mutual authentication.
  • The authentication bypass is specifically exploitable when EAP methods with mutual authentication are used, or when EAP-only authentication for IKEv2 is configured; deployments not using these EAP modes have reduced exposure.
  • Fixed versions are strongSwan 5.9.5 (upstream) and Debian-specific backports (5.9.1-1+deb11u2 for bullseye); ensure the running strongSwan version meets or exceeds these thresholds.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:P
osv | | 9.1 | CRITICAL |
vendor_debian | | 9.1 | CRITICAL |
vendor_msrc | | 9.1 | CRITICAL |