CVE-2021-45079

Published: Jan 31, 2022Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Affected (14)

Products: Strongswan: Strongswan · Debian: Debian Linux · Fedoraproject: Extra Packages For Enterprise Linux, Fedora · +1 more

Show all products

Strongswan: Strongswan · Debian: Debian Linux · Fedoraproject: Extra Packages For Enterprise Linux, Fedora · Canonical: Ubuntu Linux

1 product

1 product

2 products

Extra Packages For Enterprise Linux

Fedora

Canonical

1 product

Ubuntu Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Strongswan Strongswan	From 4.1.2 to 5.9.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Extra Packages For Enterprise Linux	Version 7.0
Fedoraproject Extra Packages For Enterprise Linux	Version 8.0
Fedoraproject Extra Packages For Enterprise Linux	Version 9.0
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration D

5 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04
Canonical Ubuntu Linux	Version 21.10

Related CWEs

CWE-476

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (2)

https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html

Source: cve@mitre.org

https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.