CVE-2015-8023

strongSwan <5.3.4 - Auth Bypass

Title source: llm
STIX 2.1

Description

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

References (6)

Core 6
Core References
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-11/msg00139.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/84947
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3398
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2811-1

Scores

EPSS 0.0258
EPSS Percentile 83.4%

Details

CWE
CWE-20 CWE-264
Status published
Products (44)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
canonical/ubuntu_linux 15.10
strongswan/strongswan 4.2.12
strongswan/strongswan 4.2.13
strongswan/strongswan 4.2.14
strongswan/strongswan 4.2.15
strongswan/strongswan 4.2.16
strongswan/strongswan 4.3.0
strongswan/strongswan 4.3.1
... and 34 more
Published Nov 18, 2015
Tracked Since Feb 18, 2026