Arch Linux Security Advisory ASA-201809-4 ========================================= Severity: High Date : 2018-09-24 CVE-ID : CVE-2018-16151 CVE-2018-16152 Package : strongswan Type : authentication bypass Remote : Yes Link : https://security.archlinux.org/AVG-769 Summary ======= The package strongswan before version 5.7.0-1 is vulnerable to authentication bypass. Resolution ========== Upgrade to 5.7.0-1. # pacman -Syu "strongswan>=5.7.0-1" The problems have been fixed upstream in version 5.7.0. Workaround ========== If the gmp plugin is loaded, make sure that none of the employed keys and certificates (including those of CAs) use keys with e = 3. Strongswan's tool to generate keys (pki --gen) always used e = 65537 (0x10001), which is not vulnerable, so certificates and keys generated with this tool are fine for use even with an unpatched gmp plugin. Description =========== - CVE-2018-16151 (authentication bypass) The OID parser allows any number of random bytes after a valid OID for a PKCS#1.5 signature. The asn1_known_oid() function just parses until it finds a leaf in the tree of known OIDs, any further data that follows is simply ignored. And the function that parses ASN.1 algorithmIdentifier structures doesn't care if the full OID data was parsed as it usually doesn't really matter. A missing check to reject junk and random key parameters allows attackers to carry out a Bleichenbacher-style attack on low-exponent keys and create forged signatures. - CVE-2018-16152 (authentication bypass) The algorithmIdentifier structure on a PKCS#1.5 signature contains an optional parameters field. While none of the algorithms used with PKCS#1 use parameters, i.e. the field should always be encoded as ASN.1 NULL value, the strongswan decoder doesn't enforce this and simply skips over the parameters. This allows an attacker to fill the field with random data which allows to carry out a Bleichenbacher-style attack on low-exponent keys and forge signatures or create arbitrary CA certificates. Impact ====== An attacker is able to use non-validated fields on a maliciously- crafted file to forge a signature or a CA certificate. References ========== https://wiki.strongswan.org/versions/70 https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c https://security.archlinux.org/CVE-2018-16151 https://security.archlinux.org/CVE-2018-16152