Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 08 Jun 2015 14:47:52 +0200
From: Tobias Brunner <tobias@...ongswan.org>
To: "Alexander E. Patrakov" <patrakov@...il.com>
CC: oss-security@...ts.openwall.com
Subject: Re: StrongSwan VPN client for Android leaks username to rouge server

Hi Alexander,

> I found that, in the event of DNS spoofing, StrongSwan VPN client for 
> Android can leak the username and the MSCHAPv2 authentication value to a 
> rogue server if it has any valid X.509 certificate. Unless I 
> misunderstand something about X.509 certificates and their use for 
> confirming IKEv2 identities, and unless this is already known, this 
> might use a CVE ID.

Thanks for bringing this to our attention.  We've just released a fix
for this vulnerability [1], which has been registered as CVE-2015-4171.

An updated version of the Android app and strongSwan 5.3.2 that both
include the fix were also released [2].

Regards,
Tobias

[1] http://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html
[2] http://www.strongswan.org/blog/2015/06/08/strongswan-5.3.2-released.html

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ