CVE-2021-45079

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

CVSS v3 9.1 CRITICAL
CVSS v2.0 5.8 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:P

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:strongswan:strongswan:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:::::::*
	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:::::::*
	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:21.10:::::::*

History

07 Nov 2023, 03:39

Type	Values Removed	Values Added
References	{'url': 'https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html', 'name': 'https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html', 'tags': ['Mitigation', 'Vendor Advisory'], 'refsource': 'MISC'}	() https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html -

12 Jul 2022, 17:42

Type	Values Removed	Values Added
CWE	~~CWE-287~~	CWE-476

14 Jun 2022, 14:38

Type	Values Removed	Values Added
CPE	cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:::::::*	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:::::::*

07 Feb 2022, 17:57

Type	Values Removed	Values Added
First Time		Debian debian Linux Debian Fedoraproject fedora Extra Packages For Enterprise Linux Strongswan strongswan Canonical ubuntu Linux Fedoraproject fedora Canonical Strongswan Fedoraproject extra Packages For Enterprise Linux Fedoraproject
CPE		cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:::::::* cpe:2.3:a:fedoraproject:fedora_extra_packages_for_enterprise_linux:7.0:::::::* cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:::::::* cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm::: cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm::: cpe:2.3:o:canonical:ubuntu_linux:21.10:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:strongswan:strongswan:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts::: cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::* cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.8 v3 : 9.1
References	~~(MISC) https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html -~~	(MISC) https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html - Mitigation, Vendor Advisory
CWE		CWE-287

31 Jan 2022, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-31 08:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-45079

Mitre link : CVE-2021-45079

CVE.ORG link : CVE-2021-45079

JSON object : View

Products Affected

debian

debian_linux

fedoraproject

extra_packages_for_enterprise_linux
fedora

strongswan

strongswan

canonical

ubuntu_linux

CWE

CWE-476

NULL Pointer Dereference

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2021-45079

9.1^/10

5.8^/10

Attach tags to `CVE-2021-45079`