Vulnerability Description
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Strongswan | Strongswan | >= 4.1.2, < 5.9.5 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Extra Packages For Enterprise Linux | 7.0 |
| Fedoraproject | Fedora | 34 |
| Canonical | Ubuntu Linux | 14.04 |
Related Weaknesses (CWE)
References
- https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-
FAQ
What is CVE-2021-45079?
CVE-2021-45079 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
How severe is CVE-2021-45079?
CVE-2021-45079 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-45079?
Check the references section above for vendor advisories and patch information; the description states that strongSwan versions before 5.9.5 are affected. Affected products include: strongSwan, Debian Linux, Fedora Extra Packages for Enterprise Linux, Fedora, and Ubuntu Linux.