An information leak vulnerability that affects certain IKEv2 setups was discovered in strongSwan. All versions since 4.3.0 are affected.
Alexander E. Patrakov recently reported a vulnerability in strongSwan that may enable rogue servers to obtain user credentials from a client in certain IKEv2 setups. Affected are all strongSwan versions since 4.3.0, up to 5.3.1.
CVE-2015-4171 has been assigned for this vulnerability.
The problem occurs in IKEv2 connections where the server is authenticated with a certificate and the client authenticates itself with EAP or pre-shared keys. Any constraints the client has for the server's authentication (e.g. rightid or rightca) are only enforced after all authentication rounds are completed successfully. A rogue server that is able to authenticate itself with a valid certificate issued by any CA the client trusts is, therefore, able to trick the client into continuing its authentication. In the case of EAP, this causes the client to reveal its username and password digest, and if it accepts EAP-GTC, it is even possible to force it into sending a plaintext password. Please refer to the email by Alexander for a practical example.
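To find client configurations that fall under this description, the following added example (not strongSwan code) checks a version against the affected range and lists ipsec.conf-style conn sections where the client uses EAP or PSK and the server a certificate. The function names and the sample configuration are constructed for illustration. It is a heuristic: it only looks at explicit leftauth/rightauth settings, merges conn %default, ignores also=, and treats any keyexchange other than ikev1 as possibly IKEv2.

```python
import re

# Affected range stated in the advisory: 4.3.0 up to and including 5.3.1.
FIRST_AFFECTED, LAST_AFFECTED = (4, 3, 0), (5, 3, 1)

def is_affected_version(version):
    """True if a dotted strongSwan version lies in the advisory's range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return FIRST_AFFECTED <= (parts + (0, 0, 0))[:3] <= LAST_AFFECTED

def parse_conns(text):
    """Return {conn name: {key: value}} with conn %default merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # section headers start in column 0
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def exposed_conns(text):
    """Conns where the client uses EAP/PSK and the server a certificate."""
    hits = []
    for name, o in parse_conns(text).items():
        left, right = o.get("leftauth", ""), o.get("rightauth", "")
        if (o.get("keyexchange", "ike") != "ikev1"
                and (left == "psk" or left.startswith("eap"))
                and right.startswith("pubkey")):
            hits.append(name)
    return sorted(hits)

# Constructed sample configuration (hostnames are placeholders).
SAMPLE = """\
conn %default
    keyexchange=ikev2
    rightauth=pubkey
conn roadwarrior
    rightid=vpn.example.org
    leftauth=eap-mschapv2
conn site-cert
    leftauth=pubkey
"""
print(exposed_conns(SAMPLE), is_affected_version("5.3.1"))
```

A conn listed here on a client running a version in the affected range is in scope for the advisory; conns it does not list still need a manual check if they rely on defaults or also= includes.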
The just-released strongSwan 5.3.2 fixes this vulnerability. For older releases, we provide patches that fix the vulnerability in the respective versions and should apply with appropriate hunk offsets.
For Android, an updated version of our app was pushed to the store and should be available in a few hours.