strongswan -- Information Leak Vulnerability

ID 10D14955-0E45-11E5-B6A8-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2015-06-08T00:00:00


strongSwan Project reports:

An information leak vulnerability was fixed that, in certain IKEv2 setups, allowed rogue servers with a valid certificate accepted by the client to trick it into disclosing user credentials (even plain passwords if the client accepts EAP-GTC). This was because constraints against the server's authentication were enforced too late. All versions since 4.3.0 are affected.
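The following model, added here as an illustration and not strongSwan's own code, shows the ordering defect the advisory describes: a client that checks the server's certificate chain but applies its configured identity constraint only after the EAP method has already released the password, compared with a client that enforces the constraint first. Server names, the user name and the password are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class ServerAuth:
    """What the client learns about the server during IKE_AUTH (constructed)."""
    identity: str       # IKE identity the server asserts (IDr)
    cert_valid: bool    # chain verifies to a CA the client trusts
    cert_names: tuple   # subject/SAN names carried by the certificate


@dataclass
class ClientConfig:
    """Client-side constraint and the EAP credentials it protects (constructed)."""
    expected_server_id: str   # only this remote identity is acceptable
    username: str
    password: str


def constraints_ok(cfg: ClientConfig, srv: ServerAuth) -> bool:
    """Full server authentication: valid chain AND the asserted identity is the
    configured one AND the certificate actually vouches for that identity."""
    return (srv.cert_valid
            and srv.identity == cfg.expected_server_id
            and srv.identity in srv.cert_names)


def late_check_client(cfg: ClientConfig, srv: ServerAuth, sent: list) -> bool:
    """Vulnerable ordering: any trusted certificate is enough to start EAP, so
    EAP-GTC hands over the cleartext password before the identity constraint
    is evaluated. Returns whether the IKE_SA was finally accepted."""
    if not srv.cert_valid:
        return False
    sent.append((cfg.username, cfg.password))   # credential already disclosed
    return constraints_ok(cfg, srv)             # too late to protect it


def early_check_client(cfg: ClientConfig, srv: ServerAuth, sent: list) -> bool:
    """Fixed ordering: constraints are enforced before EAP releases anything."""
    if not constraints_ok(cfg, srv):
        return False
    sent.append((cfg.username, cfg.password))
    return True


def run(client) -> tuple:
    """Drive one client against a legitimate server and a rogue server whose
    certificate chains to a trusted CA but names a different identity."""
    cfg = ClientConfig("vpn.example.com", "alice", "hunter2")
    legit = ServerAuth("vpn.example.com", True, ("vpn.example.com",))
    rogue = ServerAuth("rogue.example.net", True, ("rogue.example.net",))
    sent_legit, sent_rogue = [], []
    ok_legit = client(cfg, legit, sent_legit)
    ok_rogue = client(cfg, rogue, sent_rogue)
    return ok_legit, ok_rogue, len(sent_legit), len(sent_rogue)
```

Both clients reject the rogue server in the end; the difference is only whether the password was already on the wire when the rejection happened.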