CVE-2015-4171

Publication date 8 June 2015

Last updated 24 July 2024

strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
strongswan	17.04 zesty	Fixed 5.1.2-0ubuntu6
	16.10 yakkety	Fixed 5.1.2-0ubuntu6
	16.04 LTS xenial	Fixed 5.1.2-0ubuntu6
	15.10 wily	Fixed 5.1.2-0ubuntu6
	15.04 vivid	Fixed 5.1.2-0ubuntu5.2
	14.10 utopic	Fixed 5.1.2-0ubuntu3.3
	14.04 LTS trusty	Fixed 5.1.2-0ubuntu2.3
	12.04 LTS precise	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2628-1
strongSwan vulnerability
8 June 2015

Other references

http://www.openwall.com/lists/oss-security/2015/05/29/6
https://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-%28cve-2015-4171%29.html
https://www.cve.org/CVERecord?id=CVE-2015-4171