========================================================================
CVE-2026-50721: IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5
                 Encrypted) authentication payload
========================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2026-50721

(See also CVE-2026-50722 which is the IKEv2 variant of this bug)

The Libreswan Project was notified of an issue that occurs when it
receives an invalidly formatted PKCS#1 v1.5 RSA signature payload that
authenticates the IKE exchange. The vulnerability is similar to CVE-2018-16151.
Use of RSA signatures over certificates during X.509 certificate
verifications of the remote IKE peer are not affected by this
vulnerability.

When the RSA exponent is weak (e.g. e=3), Bleichenbacher-style signature
forgeries are possible, resulting in an authentication bypass. Note
that most cryptographic library versions and libreswan raw RSA key
generation have not allowed weak exponents for at least a decade,
so valid RSA keys with weak exponents should be very rare.

Additionally, the invalid RSA IKE authentication payload can trigger
an assertion, resulting in libreswan aborting and restarting. Continued
sending of such packets can result in a denial of service.

Severity: Medium
Vulnerable versions : all versions up to and including 5.3
Not vulnerable      : 5.3.1 or later

Vulnerability details
=====================
Libreswan (via the function RSA_authenticate_hash_signature_raw_rsa())
did not correctly verify the length of the authentication hash in the
SIG payload of an IKEv1 packet that was encoded using PKCS #1 RSA
Encryption as per RFC 2313.

A remote attacker can use a variation on the Bleichenbacher attack to
forge the SIG payload when small public exponents are being used,
which could lead to impersonation.

A remote attacker, by encoding a shorter than expected hash in the SIG
payload, could trigger an assertion leading to denial-of-service.
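Added example (not libreswan's code) of the check the advisory describes: the
encoded message EM recovered from a raw RSA signature by the public-key
operation must be rebuilt from the verifier's own hash and compared in full
(the method RFC 8017 recommends), not parsed field by field. The lax parser is
included only as the anti-pattern; the SHA-1 DigestInfo prefix is the standard
one and the modulus size and hash input are constructed here.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
SHA1_LEN = 20


def emsa_pkcs1_v15_encode(hashed: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || T for a modulus of k bytes."""
    t = SHA1_DIGESTINFO_PREFIX + hashed
    ps_len = k - len(t) - 3
    if len(hashed) != SHA1_LEN or ps_len < 8:
        raise ValueError("hash length or modulus size invalid for SHA-1")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(em: bytes, hashed: bytes, k: int) -> bool:
    """Correct check: rebuild EM from our own hash and compare all k bytes.
    A short hash, a short padding string or trailing bytes after the hash
    all make the comparison fail; nothing is parsed from attacker data."""
    if len(em) != k or len(hashed) != SHA1_LEN:
        return False
    try:
        expected = emsa_pkcs1_v15_encode(hashed, k)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def verify_lax(em: bytes, hashed: bytes) -> bool:
    """Anti-pattern: parse EM instead of reconstructing it. Neither the
    padding length nor the hash length is checked against the modulus size,
    which is the class of defect the advisory describes."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)  # end of the 0xff padding string
    if sep < 0:
        return False
    t = em[sep + 1:]
    if not t.startswith(SHA1_DIGESTINFO_PREFIX):
        return False
    present = t[len(SHA1_DIGESTINFO_PREFIX):len(SHA1_DIGESTINFO_PREFIX) + SHA1_LEN]
    # The parser assumes a full-length hash follows the prefix; a shorter one
    # trips this assertion, the failure mode that aborts the daemon.
    assert len(present) == SHA1_LEN, "hash shorter than expected"
    return present == hashed  # bytes after the hash are silently ignored
```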


Exploitation
============
If a server or client accepts RSA-based IKEv1 connections via the
default authby=rsasig option, an attacker can cause a crash leading to
denial of service, and, when weak exponents are in use, an authentication
bypass. Remote code execution is not possible.


Workaround
==========
IKEv1 only supports RSA-SHA1 (PKCS#1 Version 1.5) with public key
authentication. In IKEv2, this can be disabled so if the IKEv1 connection
can be migrated to IKEv2, that can be a workaround. Additionally, if
the configuration is for static tunnels, and not for a group of Remote
Access VPN Clients, the authentication can be changed to use PSK via
authby=secret after coordination with the remote peer.

History
=======
* 24-03-2026 Libreswan was notified of the issue via security@libreswan.org.
* 16-06-2026 Advanced notice given to supported customers and distributions.
* 24-06-2026 Public announcement and release of libreswan 5.3.1

Credits
=======
This vulnerability was found and reported by Yeonghyeon Choi and Duyeong Kim,
and further code path vulnerabilities were found by Andrew Cagney of the
Libreswan Team.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 5.3.1 or later.

Patches
=======
For those who cannot upgrade, patches for libreswan 4.15 and 5.3 are
available at: https://libreswan.org/security/CVE-2026-50721/

About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).
