Pfsense 2.6 : CVE-2021-45079 strongswan - Incorrect Handling of Early EAP-Success Messages
-
When checking pfsense 2.6 against "pkg audit -F" there is the following output:
strongswan-5.9.4 is vulnerable:
strongswan - Incorrect Handling of Early EAP-Success Messages
CVE: CVE-2021-45079
WWW: https://vuxml.FreeBSD.org/freebsd/ccaea96b-7dcd-11ec-93df-00224d821998.htmlp7zip-16.02_3 is vulnerable:
p7zip -- usage of uninitialized memory
CVE: CVE-2018-10115
WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.htmlIs there any chance to fix at least the strongswan CVE ?
-
@pete35 said in Pfsense 2.6 : CVE-2021-45079 strongswan - Incorrect Handling of Early EAP-Success Messages:
When checking pfsense 2.6 against "pkg audit -F" there is the following output:
strongswan-5.9.4 is vulnerable:
strongswan - Incorrect Handling of Early EAP-Success Messages
CVE: CVE-2021-45079
WWW: https://vuxml.FreeBSD.org/freebsd/ccaea96b-7dcd-11ec-93df-00224d821998.htmlThis doesn't affect pfSense software. The statement on this from strongSwan at
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html contains a lot more information.The vulnerable code path is only when acting as an EAP only auth client. Currently, the pfSense software GUI only allows configuring strongSwan as an EAP server, not a client.
p7zip-16.02_3 is vulnerable:
p7zip -- usage of uninitialized memory
CVE: CVE-2018-10115
WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.htmlThis is also not relevant to how that package is used on pfSense software. The problem is with the RAR decoder in p7zip, which is not used. The only package which includes p7zip is the OpenVPN client export package and it uses 7z to create self-extracting ZIP archives. It does not decompress RAR.
Eventually the package repository will include the newer versions of both, but there is no ETA as they are not vulnerable as they are used by pfSense software.
-
@jimp
Thank you for the clarification.