Security Advisories
CLAV-SA-0157 Bleichenbacher Oracle Vulnerability in IKEv1
Back to listAdvisory ID | CLAV-SA-0157 |
Summary | Bleichenbacher Oracle Vulnerability in IKEv1 |
Updated | 2018-08-15 |
First Published | 2018-08-15 |
Impact | Medium |
CVSS URL | https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:C |
CVSS Score | 5.9 |
CVEs | |
Affected Products |
|
Introduction
Clavister's implementation of IKEv1 contains an oracle for PKCS#1 validity. An Attacker can determine whether the plain-text with the nonce sent in the third message of the handshake was PKCS#1-valid by examining the error message returned by the firewall.
Detailed Description
Clavister's IKEv1 implementation contains an oracle for PKCS#1 validity. You can determine whether the plain-text with the nonce sent in the third message of the handshake was PKCS#1-valid by examining the error message returned by the firewall. If the error message contains the text "Data length too large for private key to decrypt", then the plain-text was valid (despite the error). If the error message is only 8 bytes long, then the plain-text was invalid.
The researchers implemented and tested an attack against cOS Core version 12.00.06. The attack efficiency has a random component that makes it hard to estimate how long it will take before an attacker can achieve successful decryption. The fastest attack the researchers performed in their test setup took 9400 requests to the firewall and 51 minutes.
The attack works as follows:
- The attacker gets a single cipher-text (e.g. by eavesdropping it)
- The attacker creates new cipher-texts by modifying the original one exploiting some mathematical properties of RSA.
- The new cipher-texts are sent to the server observing its reaction.
- After doing this for thousands of cipher-texts, the attacker can decrypt the original cipher-text without the key.
Due to the timeouts of IKE SAs, the missing configuration options, and the Diffie-Hellman key exchange, it's not possible to attack the IKEv1 handshake with RSA encrypted nonces directly. However, since the gateway certificate of the device may be reused for other purposes, an attacker could e.g. attack the TLS protection of the configuration website of the firewall.
For more details check the researchers blog post linked in the references section of this advisory.
Affected Versions
The following versions are affected by this vulnerability:
- All cOS Core 12.00.xx versions before 12.00.09
- All cOS Core 11.20.xx versions before 11.20.06
- All cOS Core 11.00.xx versions before 11.00.11
- Any older versions of cOS Core with IKEv1 support
Fix Information
RSA authentication was permanently disabled for IKEv1.
Security Patches
The vulnerability was fixed in the following versions:
- cOS Core 12.00.09
- cOS Core 11.20.06
- cOS Core 11.00.11
Updated versions are available for download through My Clavister portal (Link)
References
- https://web-in-security.blogspot.com/2018/08/practical-bleichenbacher-attacks-on-ipsec-ike.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8753
Acknowledgements
Clavister thanks the following researchers for their responsible disclosure and continuous assistance during the vulnerability triage process:
- Dennis Felsch (Ruhr-University Bochum)
- Martin Grothe (Ruhr-University Bochum)
- Jörg Schwenk (Ruhr-University Bochum)
- Adam Czubak (University of Opole)
- Marcin Szymanek (University of Opole)
Contact
- E-mail: <security@clavister.com>
- PGP: id 8813E86F, fingerprint A91407250F753C1D27263A7EBE9E30498813E86F
- WWW: Tickets can also be created through https://www.clavister.com/