oss-sec mailing list archives
Re: StrongSwan VPN client for Android leaks username to rouge server
From: Tobias Brunner <tobias () strongswan org>
Date: Mon, 08 Jun 2015 14:47:52 +0200
Hi Alexander,

> I found that, in the event of DNS spoofing, StrongSwan VPN client for Android can leak the username and the MSCHAPv2 authentication value to a rogue server if it has any valid X.509 certificate. Unless I misunderstand something about X.509 certificates and their use for confirming IKEv2 identities, and unless this is already known, this might use a CVE ID.

Thanks for bringing this to our attention. We've just released a fix for this vulnerability [1], which has been registered as CVE-2015-4171. An updated version of the Android app and strongSwan 5.3.2 that both include the fix were also released [2].

Regards,
Tobias

[1] http://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html
[2] http://www.strongswan.org/blog/2015/06/08/strongswan-5.3.2-released.html

Current thread:
- StrongSwan VPN client for Android leaks username to rouge server Alexander E. Patrakov (May 29)
- Re: StrongSwan VPN client for Android leaks username to rouge server Noel Kuntze (May 29)
- Re: StrongSwan VPN client for Android leaks username to rouge server Tobias Brunner (Jun 08)