Vulnerability Description
The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 14.04 |
| Strongswan | Strongswan | 4.2.12 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00025.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00139.html
- http://www.debian.org/security/2015/dsa-3398
- http://www.securityfocus.com/bid/84947
- http://www.ubuntu.com/usn/USN-2811-1
- https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00025.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00139.html
- http://www.debian.org/security/2015/dsa-3398
- http://www.securityfocus.com/bid/84947
- http://www.ubuntu.com/usn/USN-2811-1
- https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-
FAQ
What is CVE-2015-8023?
CVE-2015-8023 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to...
How severe is CVE-2015-8023?
CVE-2015-8023 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8023?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Strongswan Strongswan.