Security Advisories

CLAV-SA-0157 Bleichenbacher Oracle Vulnerability in IKEv1

Advisory ID: CLAV-SA-0157
Summary: Bleichenbacher Oracle Vulnerability in IKEv1
Updated: 2018-08-15
First Published: 2018-08-13
Impact: Medium
CVSS URL: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:C
CVSS Score: 5.9
CVEs:
Affected Products:
  • cOS Core

 

Introduction

Clavister's implementation of IKEv1 contains an oracle for PKCS#1 validity. An attacker can determine whether the plain-text with the nonce sent in the third message of the handshake was PKCS#1-valid by examining the error message returned by the firewall.

Detailed Description

Clavister's IKEv1 implementation contains an oracle for PKCS#1 validity. You can determine whether the plain-text with the nonce sent in the third message of the handshake was PKCS#1-valid by examining the error message returned by the firewall. If the error message contains the text "Data length too large for private key to decrypt", then the plain-text was valid (despite the error). If the error message is only 8 bytes long, then the plain-text was invalid.
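
The two observable outcomes described above can be modelled with a toy responder. This is an added example, not Clavister's code or the researchers' tooling: the RSA key, the 8-byte placeholder reply and all function names are constructed for illustration, and the uniform responder shows a general mitigation for this class of oracle, not the fix shipped in cOS Core.

```python
import secrets

# Constructed toy RSA key built from two Mersenne primes. Insecure; illustration only.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8              # modulus length in bytes

SHORT_ERROR = b"\x00" * 8                  # constructed 8-byte placeholder reply
LONG_ERROR = b"Data length too large for private key to decrypt"

def pkcs1_pad(msg: bytes) -> bytes:
    """Build EM = 00 02 || PS (at least 8 non-zero bytes) || 00 || msg."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def rsa_encrypt(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def rsa_decrypt(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def pkcs1_valid(em: bytes) -> bool:
    """True if em starts 00 02 and has >= 8 padding bytes before the 00 separator."""
    return em[:2] == b"\x00\x02" and em.find(b"\x00", 2) >= 10

def leaky_responder(ct: bytes) -> bytes:
    """Reply depends on padding validity, as in the behaviour described above."""
    if not pkcs1_valid(rsa_decrypt(ct)):
        return SHORT_ERROR
    return LONG_ERROR                      # padding was valid; a later step failed

def uniform_responder(ct: bytes) -> bytes:
    """Same reply bytes for both outcomes (timing differences are not modelled)."""
    pkcs1_valid(rsa_decrypt(ct))           # still evaluated, result not exposed
    return SHORT_ERROR

def leaks_padding_validity(responder) -> bool:
    """Regression check: do a valid and an invalid ciphertext get different replies?"""
    valid_ct = rsa_encrypt(pkcs1_pad(b"constructed nonce"))
    invalid_ct = rsa_encrypt(b"\x00\x01" + b"\xff" * (K - 2))
    return responder(valid_ct) != responder(invalid_ct)

if __name__ == "__main__":
    print("leaky responder leaks:", leaks_padding_validity(leaky_responder))
    print("uniform responder leaks:", leaks_padding_validity(uniform_responder))
```

The same check can be kept as a regression test for any responder that decrypts PKCS#1 v1.5 input: it should report no difference between the two replies.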

The researchers implemented and tested an attack against cOS Core version 12.00.06. The attack efficiency has a random component that makes it hard to estimate how long it will take before an attacker can achieve successful decryption. The fastest attack the researchers performed in their test setup took 9400 requests to the firewall and 51 minutes.

The attack works as follows: 

  1. The attacker gets a single cipher-text (e.g. by eavesdropping it).
  2. The attacker creates new cipher-texts by modifying the original one, exploiting some mathematical properties of RSA.
  3. The new cipher-texts are sent to the server, and its reaction is observed.
  4. After doing this for thousands of cipher-texts, the attacker can decrypt the original cipher-text without the key.

Due to the timeouts of IKE SAs, the missing configuration options, and the Diffie-Hellman key exchange, it is not possible to attack the IKEv1 handshake with RSA encrypted nonces directly. However, since the gateway certificate of the device may be reused for other purposes, an attacker could, for example, attack the TLS protection of the configuration website of the firewall.

For more details, check the researchers' blog post linked in the references section of this advisory.

Affected Versions

The following versions are affected by this vulnerability:

  1. All cOS Core 12.00.xx versions before 12.00.09 
  2. All cOS Core 11.20.xx versions before 11.20.06
  3. All cOS Core 11.00.xx versions before 11.00.11
  4. Any older versions of cOS Core with IKEv1 support

Fix Information

RSA authentication was permanently disabled for IKEv1.

Security Patches

The vulnerability was fixed in the following versions:

  1. cOS Core 12.00.09
  2. cOS Core 11.20.06
  3. cOS Core 11.00.11

Updated versions are available for download through the My Clavister portal.

References

Acknowledgements

Clavister thanks the following researchers for their responsible disclosure and continuous assistance during the vulnerability triage process:

  • Dennis Felsch (Ruhr-University Bochum)
  • Martin Grothe (Ruhr-University Bochum)
  • Jörg Schwenk (Ruhr-University Bochum)
  • Adam Czubak (University of Opole)
  • Marcin Szymanek (University of Opole)
