oss-sec mailing list archives

Re: StrongSwan VPN client for Android leaks username to rogue server


From: Tobias Brunner <tobias () strongswan org>
Date: Mon, 08 Jun 2015 14:47:52 +0200

Hi Alexander,

> I found that, in the event of DNS spoofing, StrongSwan VPN client for
> Android can leak the username and the MSCHAPv2 authentication value to a
> rogue server if it has any valid X.509 certificate. Unless I
> misunderstand something about X.509 certificates and their use for
> confirming IKEv2 identities, and unless this is already known, this
> might use a CVE ID.

Thanks for bringing this to our attention.  We've just released a fix
for this vulnerability [1], which has been registered as CVE-2015-4171.

An updated version of the Android app and strongSwan 5.3.2 that both
include the fix were also released [2].

Regards,
Tobias

[1] http://www.strongswan.org/blog/2015/06/08/strongswan-vulnerability-(cve-2015-4171).html
[2] http://www.strongswan.org/blog/2015/06/08/strongswan-5.3.2-released.html

