======================================================================
CVE-2026-50722: IKEv2 Denial of Service via RSA-SHA1 (PKCS#1
                 RSASSA-PKCS1-v1_5) authentication payload
======================================================================

This alert (and any updates) is available at the following URL:
https://libreswan.org/security/CVE-2026-50722

(See also CVE-2026-50721 which is the IKEv1 variant of this bug)

The Libreswan Project was notified of an issue that occurs when it receives
an invalidly formatted PKCS#1 v1.5 RSA signature payload that authenticates
the IKE exchange. The vulnerability is similar to CVE-2018-16151.
Use of RSA signatures over certificates during X.509 certificate
verification of the remote IKE peer is not affected by this
vulnerability.

When the RSA exponent is weak (e.g. e=3), Bleichenbacher-style signature
forgeries are possible, resulting in an authentication bypass. Note
that most cryptographic library versions and libreswan raw RSA key
generation have not allowed weak exponents for at least a decade,
so valid RSA keys with weak exponents should be very rare.

Additionally, the invalid RSA IKE authentication payload can trigger
an assertion, resulting in libreswan aborting and restarting. Continued
sending of such packets can result in a denial of service.

Severity: Medium
Vulnerable versions : all versions up to and including 5.3
Not vulnerable      : 5.3.1 or later

Vulnerability details
=====================
Libreswan (via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa())
did not correctly verify the DER encoding of the ASN.1 digest when the
IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017).

A remote attacker can use a variation on the Bleichenbacher attack
to forge the AUTH payload when small public exponents are being used,
which could lead to impersonation.

A remote attacker, by encoding a shorter than expected hash in the AUTH
payload, could trigger an assertion leading to denial-of-service.
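The defensive pattern that closes both issues above, as an added example
(not libreswan's code): instead of parsing the DER DigestInfo out of the
received encoded message, reconstruct the expected EM from the known hash
algorithm and hash value (RFC 8017 section 9.2) and compare every byte.
A shortened hash, a too-short padding string or trailing garbage then
fail an ordinary comparison rather than reaching a parser or an assertion.
The example operates on the EM bytes that the RSA public-key operation
would produce; the RSA step itself, the 64-byte EM size and the sample
hash are assumptions made for brevity.

```c
/* Added example, not libreswan code: strict EMSA-PKCS1-v1_5 verification
 * by reconstruction and full comparison (RFC 8017 sections 8.2.2 and 9.2).
 * The EM bytes are assumed to come from RSAVP1 (s^e mod n); that step is
 * outside this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hash_alg { HASH_SHA1, HASH_SHA256 };

/* DigestInfo DER prefixes listed in RFC 8017 section 9.2, note 1. */
static const uint8_t SHA1_PREFIX[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
static const uint8_t SHA256_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

/* Build EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || T, where
 * T = DigestInfo prefix || hash. Returns 0 on success, -1 when the hash
 * length does not match the algorithm or emlen leaves fewer than 8 bytes
 * of PS. A wrong hash length is the malformed input the advisory
 * describes; here it is a plain error, never an assertion. */
int emsa_pkcs1_v15_encode(enum hash_alg alg, const uint8_t *hash, size_t hashlen,
                          uint8_t *em, size_t emlen)
{
    const uint8_t *prefix;
    size_t prefixlen, want;
    switch (alg) {
    case HASH_SHA1:   prefix = SHA1_PREFIX;   prefixlen = sizeof SHA1_PREFIX;   want = 20; break;
    case HASH_SHA256: prefix = SHA256_PREFIX; prefixlen = sizeof SHA256_PREFIX; want = 32; break;
    default: return -1;
    }
    if (hashlen != want) return -1;
    size_t tlen = prefixlen + hashlen;
    if (emlen < tlen + 11) return -1;          /* RFC 8017: message too short */
    size_t pslen = emlen - tlen - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, pslen);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, prefix, prefixlen);
    memcpy(em + 3 + pslen + prefixlen, hash, hashlen);
    return 0;
}

/* Constant-time equality over n bytes. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* Verify by reconstructing the expected EM and comparing all emlen bytes.
 * Padding length, DER prefix and hash must all match, so nothing in the
 * received EM is ever parsed. Returns 0 on success, -1 otherwise. */
int pkcs1_v15_verify_em(enum hash_alg alg, const uint8_t *hash, size_t hashlen,
                        const uint8_t *em, size_t emlen)
{
    uint8_t expected[512];                     /* enough for 4096-bit moduli */
    if (emlen > sizeof expected) return -1;
    if (emsa_pkcs1_v15_encode(alg, hash, hashlen, expected, emlen) != 0) return -1;
    return ct_equal(expected, em, emlen) ? 0 : -1;
}

/* Constructed sample: a fake 20-byte SHA-1 digest and a 64-byte EM. */
static const uint8_t SAMPLE_HASH[20] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };

/* Case 1: a correctly encoded EM verifies (returns 0). */
int case_valid(void)
{
    uint8_t em[64];
    if (emsa_pkcs1_v15_encode(HASH_SHA1, SAMPLE_HASH, 20, em, sizeof em) != 0) return -99;
    return pkcs1_v15_verify_em(HASH_SHA1, SAMPLE_HASH, 20, em, sizeof em);
}

/* Case 2: the DER prefix claims 20 hash bytes but only 10 follow, with a
 * longer PS making up the length (the advisory's short-hash input).
 * A parser trusting the DER length would over-read; comparison just fails. */
int case_short_hash(void)
{
    uint8_t em[64];
    memset(em, 0xff, sizeof em);
    em[0] = 0x00; em[1] = 0x01;
    em[38] = 0x00;                             /* PS is 36 bytes, 10 too many */
    memcpy(em + 39, SHA1_PREFIX, sizeof SHA1_PREFIX);
    memcpy(em + 54, SAMPLE_HASH, 10);          /* truncated digest */
    return pkcs1_v15_verify_em(HASH_SHA1, SAMPLE_HASH, 20, em, sizeof em);
}

/* Case 3: minimal 8-byte PS followed by T and then unchecked trailing bytes,
 * the shape a lenient parser accepts; full comparison rejects it. */
int case_trailing_garbage(void)
{
    uint8_t em[64];
    memset(em, 0x5a, sizeof em);               /* garbage everywhere first */
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, 8);
    em[10] = 0x00;
    memcpy(em + 11, SHA1_PREFIX, sizeof SHA1_PREFIX);
    memcpy(em + 26, SAMPLE_HASH, 20);          /* T ends at byte 45; 46..63 garbage */
    return pkcs1_v15_verify_em(HASH_SHA1, SAMPLE_HASH, 20, em, sizeof em);
}

int main(void)
{
    printf("valid: %d, short hash: %d, trailing garbage: %d\n",
           case_valid(), case_short_hash(), case_trailing_garbage());
    return 0;
}
```

The hash length check in emsa_pkcs1_v15_encode is the point: the expected
digest length is fixed by the negotiated algorithm, so a caller that hands
over a 10-byte "SHA-1" value gets -1 back rather than tripping an internal
invariant.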


Exploitation
============
If a server or client accepts RSA-based IKEv2 connections via the
default authby= settings, an attacker can cause a denial of service
and, when weak exponents are in use, an authentication bypass. Remote
code execution is not possible.


Workaround
==========
IKEv2 by default allows ECDSA and RSASSA-PSS (PSS), and allows RSA PKCS#1
v1.5 as a fallback because Microsoft Windows does not support RSASSA-PSS.
If Windows support is not needed, one can configure authby=ecdsa or
authby=rsa-sha2 (or both via authby=ecdsa,rsa-sha2) to disallow the
fallback to RSA PKCS#1 v1.5. The leftauth= and rightauth= settings can
be updated similarly if those are in use instead of authby=.


History
=======
* 24-03-2026 Libreswan was notified of the issue via security@libreswan.org.
* 16-06-2026 Advanced notice given to supported customers and distributions.
* 24-06-2026 Public announcement and release of libreswan 5.3.1.

Credits
=======
This vulnerability was found and reported by Yeonghyeon Choi and Duyeong Kim,
and further vulnerable code paths were found by Andrew Cagney of the
Libreswan Team.

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 5.3.1 or later.

Patches
=======
For those who cannot upgrade, patches for libreswan 4.15 and 5.3 are
available at: https://libreswan.org/security/CVE-2026-50722/

About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of
openswan 2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and
encryption services. These services allow you to build secure tunnels
through untrusted networks. Everything passing through the untrusted
network is encrypted by the IPsec gateway machine, and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network (VPN).
