An authentication bypass vulnerability was discovered in strongSwan. It can be triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. All versions since 4.0.7 are affected.
A trusted partner privately reported an authentication bypass vulnerability (CVE-2014-2338) in the strongSwan IKEv2 code. Affected are all strongSwan versions back to 4.0.7, including the latest 5.1.2.
The bug can be triggered by rekeying an unestablished IKE_SA while it gets actively initiated. This allows an attacker to trick the peer's IKE_SA state to established, without the need to provide any valid authentication credentials.
Only installations that actively initiate or re-authenticate IKEv2 IKE_SAs are affected. This means when re-authentication is disabled (reauth=no) or not possible (because of the use of asymmetric EAP or virtual IP exchanges), a connection with auto=add is not exploitable. If re-authentication is enabled and no EAP/virtual IP exchange is in use, an attacker may just wait for the peer to initiate the re-authentication to start its attack.
The issue does not allow remote code execution, nor is IKEv1 affected in charon or pluto.
The just released strongSwan 5.1.3 fixes this vulnerability. For older releases we provide patches that fix the vulnerability and should apply with appropriate hunk offsets.