[3.3] strongswan: Authentication bypass vulnerability in eap-mschapv2 plugin (CVE-2015-8023)
An authentication bypass vulnerability in the eap-mschapv2 plugin was
fixed that enabled malicious
clients to trick the server into concluding the EAP-MSCHAPv2 authentication successfully without
providing valid credentials, actually, without providing any credentials at all.
It was caused by insufficient verification of the internal state when handling EAP-MSCHAPv2 Success messages from clients.
since 4.2.12, up to and including 5.3.3.
(from redmine: issue id 4876, created on 2015-11-17, closed on 2015-12-02)
- parent #4875 (closed)