DSA-2665-1 strongswan -- authentication bypassID: oval:org.secpod.oval:def:601009 | Date: (C)2013-05-01 (M)2022-10-10 |
Class: PATCH | Family: unix |
Kevin Wojtysiak discovered a vulnerability in strongSwan, an IPsec based VPN solution. When using the openssl plugin for ECDSA based authentication, an empty, zeroed or otherwise invalid signature is handled as a legitimate one. An attacker could use a forged signature to authenticate like a legitimate user and gain access to the VPN . While the issue looks like CVE-2012-2388 , it is unrelated.