CVE-2021-45079
📋 TL;DR
This vulnerability in strongSwan allows a malicious VPN responder to bypass authentication by sending an EAP-Success message prematurely. Attackers can establish unauthorized VPN connections without proper client or server authentication. This affects strongSwan IKEv2 implementations using EAP-only authentication with mutual authentication methods.
💻 Affected Systems
- strongSwan
📦 What is this software?
- Extra Packages For Enterprise Linux by Fedoraproject
- Fedora by Fedoraproject
- Strongswan by Strongswan
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete VPN authentication bypass allowing unauthorized network access, potential lateral movement, and data exfiltration.
Likely Case
Unauthorized VPN access leading to network infiltration and credential harvesting.
If Mitigated
Limited impact with proper network segmentation and monitoring detecting anomalous VPN connections.
🎯 Exploit Status
Exploitation requires network access to the VPN responder and knowledge of the vulnerable configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.5 and later
Vendor Advisory: https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html
Restart Required: Yes
Instructions:
1. Update strongSwan to version 5.9.5 or later.
2. Restart strongSwan services.
3. Verify configuration compatibility with the new version.
🔧 Temporary Workarounds
Disable EAP-only authentication
Configure strongSwan to use certificate-based authentication instead of EAP-only authentication.
Modify ipsec.conf to use authby=pubkey instead of EAP-only configurations
Network segmentation
Restrict access to VPN endpoints using firewall rules.
# replace trusted_networks with your allowed source range(s); IKE runs on UDP 500
iptables -A INPUT -p udp --dport 500 -s trusted_networks -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j DROP
# NAT traversal moves IKE and ESP to UDP 4500, so the same restriction is needed there
iptables -A INPUT -p udp --dport 4500 -s trusted_networks -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit VPN endpoint exposure
- Enable detailed VPN connection logging and monitor for authentication anomalies
🔍 How to Verify
Check if Vulnerable:
Check the strongSwan version with strongswan --version. If the version is below 5.9.5 and IKEv2 EAP-only authentication is in use, the system is vulnerable.
Check Version:
strongswan --version
Verify Fix Applied:
Verify that the version is 5.9.5 or higher with strongswan --version, then test VPN connections that require mutual authentication.
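The two conditions above (version below 5.9.5 and an EAP-only connection configured) can be checked together. The script below is an added example, not from this page or the strongSwan project; it assumes that an initiator-side ipsec.conf expresses EAP-only authentication of the responder with a rightauth=eap... setting, and the version output and ipsec.conf it runs on are constructed samples.

```python
import re

# Version in which the fix shipped (from the advisory summarised on this page).
FIXED_VERSION = (5, 9, 5)

# Assumption: on the initiator, 'rightauth=eap...' in ipsec.conf means the
# responder is authenticated by the mutual EAP method alone (EAP-only).
EAP_ONLY_RE = re.compile(r"^\s*rightauth\s*=\s*eap", re.IGNORECASE)

def parse_version(version_output: str) -> tuple:
    """Extract (major, minor, patch) from 'strongswan --version' output,
    e.g. 'Linux strongSwan U5.9.1/K5.15.0-generic' -> (5, 9, 1)."""
    m = re.search(r"strongSwan\s+U?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no strongSwan version string found")
    return tuple(int(x) for x in m.groups())

def eap_only_connections(ipsec_conf: str) -> list:
    """Names of conn sections (including %default) that set rightauth=eap*."""
    names, current = [], None
    for line in ipsec_conf.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif current and current not in names and EAP_ONLY_RE.match(line):
            names.append(current)
    return names

def assess(version_output: str, ipsec_conf: str) -> dict:
    """Vulnerable only when both conditions the page lists hold:
    version below 5.9.5 and at least one EAP-only connection configured."""
    version = parse_version(version_output)
    conns = eap_only_connections(ipsec_conf)
    return {"version": version, "patched": version >= FIXED_VERSION,
            "eap_only_conns": conns,
            "vulnerable": version < FIXED_VERSION and bool(conns)}

# Constructed sample inputs; not captured from a real host.
SAMPLE_VERSION = "Linux strongSwan U5.9.1/K5.15.0-generic\n"
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn corp-eap-only
    leftauth=eap-ttls
    rightauth=eap-ttls
conn corp-pubkey
    leftauth=pubkey
    rightauth=pubkey
"""
```

Calling assess(SAMPLE_VERSION, SAMPLE_CONF) reports the sample host as vulnerable because of the corp-eap-only connection; a host at 5.9.5 or a configuration with only pubkey connections is reported as not vulnerable.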
📡 Detection & Monitoring
Log Indicators:
- EAP-Success messages without preceding proper authentication
- VPN connections from unexpected sources
- Authentication sequence anomalies
Network Indicators:
- IKEv2 handshakes completing unusually quickly
- VPN traffic from unauthenticated endpoints
SIEM Query:
source="strongswan" AND ("EAP-Success" OR "authentication bypass")