CVE-2021-45079

moderate-risk

Published 2022-01-31

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (14)

Strongswan

Debian Linux

Extra Packages For Enterprise Linux

Fedora

Ubuntu Linux

Affected Vendors

Debian Strongswan Canonical Fedoraproject

References (2)

https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-...

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 0/34 · Minimal

Exposure 18/34 · Moderate