[ASA-201809-4] strongswan: authentication bypass

Jelle van der Waa jelle at archlinux.org
Tue Sep 25 14:40:16 UTC 2018


Arch Linux Security Advisory ASA-201809-4
=========================================

Severity: High
Date    : 2018-09-24
CVE-ID  : CVE-2018-16151 CVE-2018-16152
Package : strongswan
Type    : authentication bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-769

Summary
=======

The package strongswan before version 5.7.0-1 is vulnerable to
authentication bypass.

Resolution
==========

Upgrade to 5.7.0-1.

# pacman -Syu "strongswan>=5.7.0-1"

The problems have been fixed upstream in version 5.7.0.

Workaround
==========

If the gmp plugin is loaded, make sure that none of the employed keys
and certificates (including those of CAs) use keys with e = 3.
Strongswan's tool to generate keys (pki --gen) always used e = 65537
(0x10001), which is not vulnerable, so certificates and keys generated
with this tool are fine for use even with an unpatched gmp plugin.

Description
===========

- CVE-2018-16151 (authentication bypass)

The OID parser allows any number of random bytes after a valid OID for
a PKCS#1.5 signature. The asn1_known_oid() function just parses until
it finds a leaf in the tree of known OIDs, any further data that
follows is simply ignored. And the function that parses ASN.1
algorithmIdentifier structures doesn't care if the full OID data was
parsed as it usually doesn't really matter. A missing check to reject
junk and random key parameters allows attackers to carry out a
Bleichenbacher-style attack on low-exponent keys and create forged
signatures.

- CVE-2018-16152 (authentication bypass)

The algorithmIdentifier structure on a PKCS#1.5 signature contains an
optional parameters field. While none of the algorithms used with
PKCS#1 use parameters, i.e. the field should always be encoded as ASN.1
NULL value, the strongswan decoder doesn't enforce this and simply
skips over the parameters. This allows an attacker to fill the field
with random data which allows to carry out a Bleichenbacher-style
attack on low-exponent keys and forge signatures or create arbitrary CA
certificates.

Impact
======

An attacker is able to use non-validated fields on a maliciously-
crafted file to forge a signature or a CA certificate.

References
==========

https://wiki.strongswan.org/versions/70
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c
https://security.archlinux.org/CVE-2018-16151
https://security.archlinux.org/CVE-2018-16152
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20180925/da1ae279/attachment.asc>


More information about the arch-security mailing list