Input validation error in strongswan (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-8023 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
strongswan (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU32362
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-8023
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.
MitigationInstall update from vendor's website.
Vulnerable software versionsstrongswan (Alpine package): 5.1.3-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=6018b042c328b58a643e2db5997588a1aed58f36
https://git.alpinelinux.org/aports/commit/?id=e5f15c5c5e04dd9392353656258dd3d4c8cb2fbb
https://git.alpinelinux.org/aports/commit/?id=13c552a7cd38c9b1ec455073656e65abb433a94d
https://git.alpinelinux.org/aports/commit/?id=3adb6561f830cc6f7eade5e2c465e3f51bb0324e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
