Home

CVE-2015-8023

Description

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.799

Associated Vulnerability

VulnerabilityOS Platform
IPsec VPN solution (USN-2811-1) strongswan-plugin-eap-mschapv2_5.1.2-0ubuntu5.3_i386.debLinux
IPsec VPN solution (USN-2811-1) strongswan-plugin-eap-mschapv2_5.1.2-0ubuntu5.3_amd64.debLinux
IPsec VPN solution (USN-2811-1) strongswan-plugin-eap-mschapv2_5.1.2-0ubuntu6.2_i386.debLinux
IPsec VPN solution (USN-2811-1) strongswan-plugin-eap-mschapv2_5.1.2-0ubuntu6.2_amd64.debLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-debugsource-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-doc-5.1.3-22.1.noarch.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Server 12-SP1 ) strongswan-hmac-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-ipsec-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-ipsec-debuginfo-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-libs0-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2183-2(SUSE Linux Enterprise Desktop 12-SP1 ) strongswan-libs0-debuginfo-5.1.3-22.1.x86_64.rpmLinux
SUSE-SU-2015:2186-1(SUSE Linux Enterprise Desktop 11-SP3 ) strongswan-4.4.0-6.32.1.x86_64.rpmLinux
SUSE-SU-2015:2186-1(SUSE Linux Enterprise Desktop 11-SP3 ) strongswan-doc-4.4.0-6.32.1.x86_64.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234