AI Score: 6.5 Medium (Confidence: Low)

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.005 Low (Percentile: 76.9%)

The server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin in strongSwan 4.2.12 through 5.x before 5.3.4 does not properly validate local state, which allows remote attackers to bypass authentication via an empty Success message in response to an initial Challenge message.
lists.opensuse.org/opensuse-security-announce/2015-12/msg00025.html
lists.opensuse.org/opensuse-updates/2015-11/msg00139.html
www.debian.org/security/2015/dsa-3398
www.securityfocus.com/bid/84947
www.ubuntu.com/usn/USN-2811-1
www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html