CVE-2018-16151

Source
Severity High
Remote Yes
Type Authentication bypass
Description
The OID parser allows any number of random bytes after a valid OID for a PKCS#1.5 signature. The asn1_known_oid() function just parses until it finds a leaf in the tree of known OIDs, any further data that follows is simply ignored. And the function that parses ASN.1 algorithmIdentifier structures doesn't care if the full OID data was parsed as it usually doesn't really matter. A missing check to reject junk and random key parameters allows attackers to carry out a Bleichenbacher-style attack on low-exponent keys and create forged signatures.
Group Package Affected Fixed Severity Status Ticket
AVG-769 strongswan 5.6.3-1 5.7.0-1 High Fixed
Date Advisory Group Package Severity Description
24 Sep 2018 ASA-201809-4 AVG-769 strongswan High authentication bypass
References
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c