Netgate Discussion Forum

    Pfsense 2.6 : CVE-2021-45079 strongswan - Incorrect Handling of Early EAP-Success Messages

      pete35

      When checking pfsense 2.6 against "pkg audit -F" there is the following output:

      strongswan-5.9.4 is vulnerable:
      strongswan - Incorrect Handling of Early EAP-Success Messages
      CVE: CVE-2021-45079
      WWW: https://vuxml.FreeBSD.org/freebsd/ccaea96b-7dcd-11ec-93df-00224d821998.html

      p7zip-16.02_3 is vulnerable:
      p7zip -- usage of uninitialized memory
      CVE: CVE-2018-10115
      WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.html

      Is there any chance to fix at least the strongswan CVE?

        jimp Rebel Alliance Developer Netgate @pete35

        @pete35 said in Pfsense 2.6 : CVE-2021-45079 strongswan - Incorrect Handling of Early EAP-Success Messages:

        When checking pfsense 2.6 against "pkg audit -F" there is the following output:

        strongswan-5.9.4 is vulnerable:
        strongswan - Incorrect Handling of Early EAP-Success Messages
        CVE: CVE-2021-45079
        WWW: https://vuxml.FreeBSD.org/freebsd/ccaea96b-7dcd-11ec-93df-00224d821998.html

        This doesn't affect pfSense software. The statement on this from strongSwan at
        https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html contains a lot more information.

        The vulnerable code path is only when acting as an EAP only auth client. Currently, the pfSense software GUI only allows configuring strongSwan as an EAP server, not a client.

        p7zip-16.02_3 is vulnerable:
        p7zip -- usage of uninitialized memory
        CVE: CVE-2018-10115
        WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.html

        This is also not relevant to how that package is used on pfSense software. The problem is with the RAR decoder in p7zip, which is not used. The only package which includes p7zip is the OpenVPN client export package and it uses 7z to create self-extracting ZIP archives. It does not decompress RAR.

        Eventually the package repository will include the newer versions of both, but there is no ETA as they are not vulnerable as they are used by pfSense software.

          pete35

          @jimp
          Thank you for the clarification.
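
One way to record "reported but not applicable" conclusions like the ones in this thread, so that later `pkg audit` runs only flag findings nobody has analysed yet (an added example, not code from the thread or from Netgate). The waiver file format, the function names and the third sample finding (`examplepkg`, `CVE-0000-00000`) are assumptions made up for the example.

```sh
# Added example. Waiver line format (assumed): <CVE> <package name> <reason ...>
triage_audit() {   # $1 = waiver file; stdin = `pkg audit -F` output
    awk -v waivers="$1" '
    BEGIN {
        OFS = "\t"
        while ((getline line < waivers) > 0) {
            n = split(line, f, " ")
            if (n < 3 || substr(f[1], 1, 1) == "#") continue
            reason = line
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", reason)
            waived[f[1], f[2]] = reason   # keyed on CVE id and package name
        }
    }
    / is vulnerable:$/ {            # "<name>-<version> is vulnerable:"
        pkg = $1; name = pkg
        sub(/-[^-]*$/, "", name)    # drop the trailing -<version>
        next
    }
    $1 == "CVE:" {                  # one entry may list several CVEs
        if (($2, name) in waived) { print "REVIEWED", pkg, $2, waived[$2, name] }
        else { print "OPEN", pkg, $2, "needs analysis"; open = 1 }
    }
    END { exit (open + 0) }         # non-zero if anything is unreviewed
    '
}

sample_audit() {   # first two findings are from the thread; the third is constructed
cat <<'EOF'
strongswan-5.9.4 is vulnerable:
  strongswan - Incorrect Handling of Early EAP-Success Messages
  CVE: CVE-2021-45079
p7zip-16.02_3 is vulnerable:
  p7zip -- usage of uninitialized memory
  CVE: CVE-2018-10115
examplepkg-1.0 is vulnerable:
  CVE: CVE-0000-00000
EOF
}

sample_waivers() {   # reasons paraphrase the Netgate reply in the thread
cat <<'EOF'
# CVE package reason
CVE-2021-45079 strongswan GUI only configures strongSwan as EAP server, not EAP-only client
CVE-2018-10115 p7zip RAR decoder unused; 7z only creates self-extracting ZIP archives
EOF
}

w=$(mktemp) && sample_waivers > "$w"
sample_audit | triage_audit "$w" || echo "unreviewed findings remain"; rm -f "$w"
```

Because a waiver matches on CVE id plus package name, a new CVE against the same package still comes out as OPEN and has to be analysed on its own.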

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.