DSA-3282-1 strongswan -- strongswan
ID: oval:org.secpod.oval:def:24884 | Date: (C)2015-06-12 (M)2021-06-02
Class: PATCH | Family: unix
Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec suite used to establish IPsec protected links. When an IKEv2 client authenticates the server with certificates and the client authenticates itself to the server using a pre-shared key or EAP, the constraints on the server certificate are only enforced by the client after all authentication steps have completed successfully. A rogue server that can authenticate using a valid certificate issued by any CA trusted by the client could trick the user into continuing the authentication, revealing the username and password digest, or even the cleartext password.
Platform: Debian 8.x | Debian 7.x