strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of certificate with host mismatch (CWE-297). When certificates are used to authenticate clients in TLS-based EAP methods, the IKE or EAP identity supplied by a client is not enforced to be contained in the client's certificate. So clients can authenticate with any trusted certificate and claim an arbitrary IKE/EAP identity as their own. This is problematic if the identity is used to make policy decisions. A fix was released in strongSwan version 5.9.6 in August 2022 (e4b4aabc4996fc61c37deab7858d07bc4d220136).
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "charon-cmd", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "charon-cmd-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "charon-systemd", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "charon-systemd-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libcharon-extauth-plugins", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libcharon-extauth-plugins-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libcharon-extra-plugins", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libcharon-extra-plugins-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan-extra-plugins", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan-extra-plugins-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan-standard-plugins", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "libstrongswan-standard-plugins-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-charon", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-charon-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-libcharon", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-libcharon-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-nm", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-nm-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-pki", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-pki-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-scepclient", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-scepclient-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-starter", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-starter-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-swanctl", "binary_version": "5.9.5-2ubuntu2.3" }, { "binary_name": "strongswan-swanctl-dbgsym", "binary_version": "5.9.5-2ubuntu2.3" } ] }