CVE-2015-8023

Publication date 16 November 2015

Last updated 24 July 2024

Ubuntu priority

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
strongswan	17.04 zesty	Fixed 5.1.2-0ubuntu7
	16.10 yakkety	Fixed 5.1.2-0ubuntu7
	16.04 LTS xenial	Fixed 5.1.2-0ubuntu7
	15.10 wily	Fixed 5.1.2-0ubuntu6.2
	15.04 vivid	Fixed 5.1.2-0ubuntu5.3
	14.04 LTS trusty	Fixed 5.1.2-0ubuntu2.4
	12.04 LTS precise	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2811-1
strongSwan vulnerability
16 November 2015

Other references

https://www.strongswan.org/blog/2015/11/16/strongswan-5.3.4-released.html
https://www.cve.org/CVERecord?id=CVE-2015-8023