Bug 1231178 (CVE-2015-4171)

Alexander E. Patrakov recently reported a vulnerability in strongSwan
that may enable rogue servers to gain user credentials from a client in
certain IKEv2 setups [1]. Affected are all strongSwan versions since
4.3.0 including the latest 5.3.1.

CVE-2015-4171 has been assigned for this vulnerability.

The problem occurs in IKEv2 connections where the server is
authenticated with a certificate and the client authenticates itself
with EAP or pre-shared keys. Any constraints the client has for the
server's authentication (e.g. rightid or rightca) are only enforced
after all authentication rounds are completed successfully. A rogue
server that is able to authenticate itself with a valid certificate
issued by any CA the client trusts, is, therefore, able to trick the
client into continuing its authentication. In case of EAP this causes
the client to reveal its username and password digest, and if it accepts
EAP-GTC it is even possible to force it into sending a plaintext
password. Please refer to the email by Alexander for a practical example:

[1] http://www.openwall.com/lists/oss-security/2015/05/29/6

The attached patches fix the vulnerability in the respective strongSwan
versions and should apply with appropriate hunk offsets.

Statement:

This issue did not affect the versions of strongimcv as shipped with Red Hat Enterprise Linux 7 as they did not include support for IKEv2.