
[ASA-201809-4] strongswan: authentication bypass

Published: 2018-09-24 00:00:00
Source: security.archlinux.org

CVSS3: 7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE
Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: HIGH | Availability Impact: NONE

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
Confidentiality Impact: NONE | Integrity Impact: PARTIAL | Availability Impact: NONE

EPSS: 0.011 Low (Percentile: 83.9%)

Arch Linux Security Advisory ASA-201809-4

Severity: High
Date : 2018-09-24
CVE-ID : CVE-2018-16151 CVE-2018-16152
Package : strongswan
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-769

Summary

The package strongswan before version 5.7.0-1 is vulnerable to
authentication bypass.

Resolution

Upgrade to 5.7.0-1.

pacman -Syu "strongswan>=5.7.0-1"

The problems have been fixed upstream in version 5.7.0.

Workaround

If the gmp plugin is loaded, make sure that none of the employed keys
and certificates (including those of CAs) use keys with e = 3.
Strongswan’s tool to generate keys (pki --gen) always used e = 65537
(0x10001), which is not vulnerable, so certificates and keys generated
with this tool are fine for use even with an unpatched gmp plugin.

Description

  • CVE-2018-16151 (authentication bypass)

The OID parser allows any number of random bytes after a valid OID in a
PKCS#1 v1.5 signature. The asn1_known_oid() function just parses until
it finds a leaf in the tree of known OIDs; any further data that
follows is simply ignored. The function that parses ASN.1
algorithmIdentifier structures does not check that the full OID data
was parsed, since that usually does not matter. The missing check to
reject junk and random key parameters allows attackers to carry out a
Bleichenbacher-style attack on low-exponent keys and create forged
signatures.

  • CVE-2018-16152 (authentication bypass)

The algorithmIdentifier structure in a PKCS#1 v1.5 signature contains an
optional parameters field. None of the algorithms used with PKCS#1 use
parameters, i.e. the field should always be encoded as an ASN.1 NULL
value, but the strongSwan decoder does not enforce this and simply
skips over the parameters. This allows an attacker to fill the field
with random data, which in turn allows a Bleichenbacher-style attack on
low-exponent keys to forge signatures or create arbitrary CA
certificates.
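The two missing checks described for CVE-2018-16151 and CVE-2018-16152 boil down to how a PKCS#1 v1.5 DigestInfo decoder treats bytes it does not expect. The following decoder is an added illustration, not strongSwan's code: in strict mode it requires the digest OID to be consumed exactly and the parameters field to be absent or ASN.1 NULL; with strict=False it mimics the pre-5.7.0 leniency (prefix-match the OID, skip the parameters) so the difference can be observed on constructed inputs. The helper names and the two-entry OID table are assumptions made for this example.

```python
import hashlib

# DER contents bytes of known digest OIDs (tag and length stripped).
KNOWN_OIDS = {bytes.fromhex("608648016503040201"): "sha256",
              bytes.fromhex("2b0e03021a"): "sha1"}

def read_tlv(buf, pos):
    """Read one short-form DER TLV at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or non-short-form TLV")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def lookup_oid(oid, strict):
    if strict:                                # exact match: every OID byte consumed
        return KNOWN_OIDS.get(oid)
    for known, name in KNOWN_OIDS.items():    # lenient: stop at the first known prefix,
        if oid.startswith(known):             # trailing bytes ignored (CVE-2018-16151)
            return name
    return None

def parse_digest_info(der, strict=True):
    """Return (hash_name, digest) from a PKCS#1 v1.5 DigestInfo; strict=False mimics pre-5.7.0 leniency."""
    tag, seq, end = read_tlv(der, 0)
    tag2, algid, pos = read_tlv(seq, 0)
    if tag != 0x30 or end != len(der) or tag2 != 0x30:
        raise ValueError("DigestInfo and AlgorithmIdentifier must be SEQUENCEs")
    tag, oid, p = read_tlv(algid, 0)
    name = lookup_oid(oid, strict) if tag == 0x06 else None
    if name is None:
        raise ValueError("unknown digest algorithm OID")
    if strict and algid[p:] not in (b"", b"\x05\x00"):
        # CVE-2018-16152: parameters must be absent or ASN.1 NULL, never skipped.
        raise ValueError("unexpected AlgorithmIdentifier parameters")
    tag, digest, end = read_tlv(seq, pos)
    if tag != 0x04 or end != len(seq) or len(digest) != hashlib.new(name).digest_size:
        raise ValueError("digest must be the final OCTET STRING of the right size")
    return name, digest

def build_digest_info(oid, params, digest):  # constructed helper for test inputs
    algid = b"\x06" + bytes([len(oid)]) + oid + params
    body = b"\x30" + bytes([len(algid)]) + algid + b"\x04" + bytes([len(digest)]) + digest
    return b"\x30" + bytes([len(body)]) + body

def accepts(der, strict):
    try:
        return parse_digest_info(der, strict) is not None
    except ValueError:
        return False
```

Running accepts() on a DigestInfo with trailing OID bytes or non-NULL parameters shows the lenient decoder accepting what the strict one rejects; the hardened behaviour is what 5.7.0 enforces.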

Impact

An attacker is able to use non-validated fields in a maliciously crafted
file to forge a signature or a CA certificate.

References

https://wiki.strongswan.org/versions/70
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c
https://security.archlinux.org/CVE-2018-16151
https://security.archlinux.org/CVE-2018-16152

OS          Version  Architecture  Package     Version    Filename
Arch Linux  any      any           strongswan  < 5.7.0-1  UNKNOWN
