An authentication bypass vulnerability in the eap-mschapv2 plugin was discovered in strongSwan. All versions since 4.2.12 are affected.
We recently discovered an authentication bypass vulnerability in strongSwan's eap-mschapv2 plugin. Affected are all strongSwan versions since 4.2.12, up to and including 5.3.3.
CVE-2015-8023 has been assigned for this vulnerability.
Affected are IKEv2 connections that use EAP-MSCHAPv2 to authenticate clients via our eap-mschapv2 plugin. It doesn't matter if it is used directly (rightauth=eap-mschapv2) or tunneled in EAP-PEAP or EAP-TTLS (rightauth=eap-peap|ttls and phase2_method = mschapv2) or if the eap-dynamic plugin is used (rightauth=eap-dynamic) while the eap-mschapv2 plugin is loaded.
Installations that use RADIUS to provide EAP-MSCHAPv2 authentication to their clients (rightauth=eap-radius) are not affected (provided the RADIUS server's EAP-MSCHAPv2 implementation is correct).
The problem is caused by insufficient verification of the local state in the server implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin. This enables a malicious client to trick the server into successfully concluding the authentication without providing valid credentials. In fact, the client can simply send the last message in the EAP-MSCHAPv2 protocol (an empty Success message) in response to the server's initial Challenge message to pass the authentication successfully.
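To illustrate the state-verification flaw described above, here is an added example (not strongSwan's code) of a toy server-side EAP-MSCHAPv2 state tracker. The opcodes are the real MS-CHAPv2 values (Challenge=1, Response=2, Success=3, Failure=4); the `verify_response` helper, the server classes and the return strings are simplified stand-ins. The vulnerable variant accepts a Success opcode regardless of the state it is in, so a Success sent straight after the Challenge concludes authentication with no MSK; the hardened variant only accepts Success once it has itself verified the Response and sent its Success Request.

```python
from enum import Enum

# MS-CHAPv2 EAP opcodes (RFC 2759 / the EAP-MSCHAPv2 draft)
OP_CHALLENGE = 1
OP_RESPONSE = 2
OP_SUCCESS = 3
OP_FAILURE = 4


class State(Enum):
    CHALLENGE_SENT = 1  # server sent its Challenge, awaiting the client's Response
    SUCCESS_SENT = 2    # server verified the Response and sent a Success Request
    DONE = 3            # exchange finished (either outcome)


def verify_response(nt_response, expected):
    # Hypothetical stand-in for the NT-Response check against the stored hash.
    return nt_response == expected


class VulnerableServer:
    """Models the flawed behaviour: local state is not checked on Success."""

    def __init__(self, expected_response):
        self.state = State.CHALLENGE_SENT
        self.expected = expected_response
        self.msk = None
        self.authenticated = False

    def process(self, opcode, payload=b""):
        if opcode == OP_RESPONSE and self.state is State.CHALLENGE_SENT:
            if verify_response(payload, self.expected):
                self.state = State.SUCCESS_SENT
                # MSK is only derivable from valid credentials
                self.msk = b"constructed-msk-from-credentials"
                return "SUCCESS_REQUEST"
            self.state = State.DONE
            return "FAILURE"
        if opcode == OP_SUCCESS:
            # BUG: state is never consulted, so a bare Success right after
            # the Challenge concludes authentication without any MSK.
            self.authenticated = True
            self.state = State.DONE
            return "EAP_SUCCESS"
        return "FAILURE"


class HardenedServer(VulnerableServer):
    """Same protocol handling, but Success is only valid after SUCCESS_SENT."""

    def process(self, opcode, payload=b""):
        if opcode == OP_SUCCESS and self.state is not State.SUCCESS_SENT:
            self.state = State.DONE
            return "FAILURE"
        return super().process(opcode, payload)


def run_success_only(server_cls):
    """Client answers the Challenge with an empty Success; returns (authenticated, msk)."""
    srv = server_cls(expected_response=b"constructed-valid-nt-response")
    srv.process(OP_SUCCESS, b"")
    return srv.authenticated, srv.msk


def run_legitimate(server_cls):
    """Client completes the full Response -> Success exchange with valid credentials."""
    srv = server_cls(expected_response=b"constructed-valid-nt-response")
    srv.process(OP_RESPONSE, b"constructed-valid-nt-response")
    srv.process(OP_SUCCESS, b"")
    return srv.authenticated, srv.msk


if __name__ == "__main__":
    print("vulnerable, success-only:", run_success_only(VulnerableServer))
    print("hardened,   success-only:", run_success_only(HardenedServer))
    print("hardened,   legitimate:  ", run_legitimate(HardenedServer))
```

The `(True, None)` result from the vulnerable server is exactly the condition the advisory points to: authentication concluded with no MSK derived, which is why the "no MSK established" log message is a usable detection signal.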
If this happens, no EAP MSK (Master Session Key) is established, which allows detecting such attacks in the server logs. The following message would be seen during the client authentication:
EAP method EAP_MSCHAPV2 succeeded, no MSK established
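As an added example of turning that log message into a detection (not part of the advisory), the following script scans charon log lines for the "no MSK established" message and attaches the EAP identity most recently seen on the same worker thread. The sample log lines are constructed and the syslog prefix format is an approximation; the thread-number correlation is a heuristic assumption, since worker thread IDs are reused across connections.

```python
import re

# Constructed sample of charon log lines (format approximated, not real captures)
SAMPLE_LOG = """\
Nov 16 10:12:01 vpn charon: 12[IKE] received EAP identity 'alice'
Nov 16 10:12:01 vpn charon: 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 16 10:13:44 vpn charon: 07[IKE] received EAP identity 'mallory'
Nov 16 10:13:44 vpn charon: 07[IKE] EAP method EAP_MSCHAPV2 succeeded, no MSK established
Nov 16 10:13:44 vpn charon: 07[IKE] authentication of 'mallory' with EAP successful
"""

# The exact message the advisory says appears when the bypass is used.
NO_MSK = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thread>\d+)\[IKE\] "
    r"EAP method EAP_MSCHAPV2 succeeded, no MSK established$"
)
# Identity line used to attribute a hit to a peer (assumed format).
IDENTITY = re.compile(r"(?P<thread>\d+)\[IKE\] received EAP identity '(?P<id>[^']*)'")


def find_bypass_attempts(log_text):
    """Return one dict per 'no MSK established' line, with timestamp, thread and identity."""
    last_identity = {}  # worker thread -> most recent EAP identity (heuristic)
    hits = []
    for line in log_text.splitlines():
        m = IDENTITY.search(line)
        if m:
            last_identity[m.group("thread")] = m.group("id")
            continue
        m = NO_MSK.match(line)
        if m:
            hits.append({
                "timestamp": m.group("ts"),
                "thread": m.group("thread"),
                "identity": last_identity.get(m.group("thread"), "?"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['timestamp']} thread {hit['thread']}: "
              f"EAP-MSCHAPv2 succeeded without MSK for identity {hit['identity']!r}")
```

A legitimate EAP-MSCHAPv2 authentication logs "MSK established" without the "no", so only the bypass line is flagged; on a server that still runs an affected version this is the indicator to alert on until the fix is applied.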
The just-released strongSwan 5.3.4 fixes this vulnerability. For older releases we provide patches that fix the vulnerability in the respective versions and should apply with appropriate hunk offsets.