CVE-2018-16152

Source
Severity High
Remote Yes
Type Authentication bypass
Description
The algorithmIdentifier structure in a PKCS#1 v1.5 signature contains an optional parameters field. None of the algorithms used with PKCS#1 take parameters, i.e. the field should always be encoded as an ASN.1 NULL value, but the strongswan decoder does not enforce this and simply skips over the parameters. This allows an attacker to fill the field with arbitrary data, which makes it possible to carry out a Bleichenbacher-style attack on low-exponent keys and forge signatures or create arbitrary CA certificates.
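As an added example (not taken from the advisory or from strongswan's source), this standalone Python decoder shows the check the description calls for: a strict DigestInfo parser that rejects anything in the algorithmIdentifier parameters field other than ASN.1 NULL, next to the lenient behaviour of skipping the field, exercised on two constructed encodings. The sample encoder, sample message and the decision to also tolerate an absent parameters field are this example's assumptions.

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # value bytes of OID 2.16.840.1.101.3.4.2.1 (sha256)

def _tlv(data, pos):
    """Decode one short-form DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data) or data[pos + 1] >= 0x80:
        raise ValueError("truncated element or long-form length")
    end = pos + 2 + data[pos + 1]
    if end > len(data):
        raise ValueError("truncated element")
    return data[pos], data[pos + 2:end], end

def parse_digest_info(der, strict=True):
    """Return (oid, digest) from a DigestInfo; strict mode rejects non-NULL parameters."""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DigestInfo must be exactly one SEQUENCE")
    tag, algid, pos = _tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("algorithmIdentifier must be a SEQUENCE")
    tag, oid, p = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    params = algid[p:]  # a lenient decoder skips whatever is here without looking
    if strict and params not in (b"", b"\x05\x00"):
        raise ValueError("algorithm parameters must be absent or ASN.1 NULL")
    tag, digest, pos = _tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("digest must be an OCTET STRING closing the SEQUENCE")
    return oid, digest

def is_well_formed(der):
    try:
        parse_digest_info(der, strict=True)
        return True
    except ValueError:
        return False

def build_digest_info(digest, params=b"\x05\x00"):
    """Constructed sample encoder: a sha256 DigestInfo with the given parameters bytes."""
    algid = b"\x06" + bytes([len(SHA256_OID)]) + SHA256_OID + params
    body = b"\x30" + bytes([len(algid)]) + algid + b"\x04" + bytes([len(digest)]) + digest
    return b"\x30" + bytes([len(body)]) + body

# Constructed samples: a conforming encoding and one whose parameters carry filler bytes
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample message").digest()
GOOD = build_digest_info(SAMPLE_DIGEST)
BAD = build_digest_info(SAMPLE_DIGEST, params=b"\x04\x10" + bytes(16))
```

Both encodings decode to the same OID and digest in lenient mode; only the strict decoder tells them apart, which is why the digest comparison alone cannot catch the filler.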
Group    Package     Affected  Fixed    Severity  Status  Ticket
AVG-769  strongswan  5.6.3-1   5.7.0-1  High      Fixed
Date         Advisory      Group    Package     Severity  Description
24 Sep 2018  ASA-201809-4  AVG-769  strongswan  High      authentication bypass
References
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c