CVE-2021-45079
strongSwan vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2021-45079) was discovered in strongSwan versions from 4.1.2 up to (excluding) 5.9.5. The vulnerability, discovered by Zhuowei Zhang, affects the EAP authentication client implementation where a malicious responder can send an EAP-Success message too early without actually authenticating the client and, in some cases, without server authentication (StrongSwan Blog). The vulnerability was disclosed on January 24, 2022, and received a CVSS v3.1 base score of 9.1 (Critical) (NVD).

Technical details

The vulnerability stems from incorrect handling of early EAP-Success messages in the EAP authentication client code. When receiving an EAP-Success message, the client code incorrectly assumed that an instance of an EAP method would exist and unconditionally called the get_msk() method on it to retrieve any Master Session Key (MSK). If no method instance existed, this could lead to a NULL-pointer dereference and a crash. In addition, to accommodate non-key-generating EAP methods, the code ignored negative results from the get_msk() call, so it generated AUTH payloads without an MSK even for methods that should be key-generating but were never completed (StrongSwan Blog).
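
The two flaws described above, shown next to a checked handler. This is an added illustration, not strongSwan's code or its patch; the struct, the enum, the handler names and the simplified get_msk() signature are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified model of an EAP client; not strongSwan's types. */
typedef struct {
    bool key_generating;      /* method is expected to derive an MSK */
    bool completed;           /* method exchange ran to completion */
    unsigned char msk[4];     /* constructed sample key material */
    size_t msk_len;
} eap_method_t;

typedef enum { AUTH_REJECTED, AUTH_WITH_MSK, AUTH_WITHOUT_MSK } auth_result_t;

/* Succeeds only if the method completed and actually derived a key. */
static bool get_msk(const eap_method_t *m, const unsigned char **msk, size_t *len)
{
    if (!m->completed || m->msk_len == 0)
        return false;
    *msk = m->msk;
    *len = m->msk_len;
    return true;
}

/* Flawed pattern: assumes a method exists (a NULL 'm' would be dereferenced
 * inside get_msk) and treats a failed get_msk() as "no MSK needed". */
auth_result_t on_eap_success_flawed(const eap_method_t *m)
{
    const unsigned char *msk = NULL;
    size_t len = 0;
    get_msk(m, &msk, &len);               /* result ignored */
    return msk ? AUTH_WITH_MSK : AUTH_WITHOUT_MSK;
}

/* Checked pattern: reject EAP-Success when no method was started, and when
 * a key-generating method cannot supply its MSK. */
auth_result_t on_eap_success_checked(const eap_method_t *m)
{
    const unsigned char *msk = NULL;
    size_t len = 0;
    if (m == NULL)
        return AUTH_REJECTED;             /* EAP-Success before any method */
    if (get_msk(m, &msk, &len))
        return AUTH_WITH_MSK;
    return m->key_generating ? AUTH_REJECTED : AUTH_WITHOUT_MSK;
}
```

With a key-generating method that never completed, the flawed handler proceeds to an AUTH payload without an MSK, while the checked handler rejects the exchange.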

Impact

The vulnerability could result in multiple severe impacts: a denial of service through daemon crashes, bypass of client authentication, and in scenarios using EAP-only authentication, potential bypass of both client and server authentication. In cases where authentication is bypassed, attackers could potentially read unencrypted traffic sent through the VPN tunnel or access hosts behind the client if local traffic selectors included subnets (StrongSwan Blog).

Mitigation and workarounds

The vulnerability was fixed in strongSwan version 5.9.5. Systems not using EAP authentication are not vulnerable. Configurations that don't use EAP-only authentication and require VPN server authentication with a certificate first (such as the Android client and NetworkManager plugin) are also protected, unless they use a mutual EAP method where the AAA server's identity/authentication is important. For older releases, patches are available for versions 5.0.1 and newer (StrongSwan Blog).

Source: This report was generated using AI.

Related strongSwan vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2023-41913 | CRITICAL | 9.8 | strongSwan | net-vpn/strongswan | No | Yes | Dec 07, 2023 |
| CVE-2023-26463 | CRITICAL | 9.8 | strongSwan | strongswan | No | Yes | Apr 15, 2023 |
| CVE-2022-40617 | HIGH | 7.5 | strongSwan | cpe:2.3:a:strongswan:strongswan | No | Yes | Oct 31, 2022 |
| CVE-2022-4967 | MEDIUM | 6.5 | strongSwan | cpe:2.3:a:strongswan:strongswan | No | Yes | May 14, 2024 |
| CVE-2025-62291 | N/A | N/A | strongSwan | strongswan | No | Yes | Oct 27, 2025 |
