-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Release date: Monday Jun 10, 2019
Contact: team@libreswan.org
PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9

CVE-2019-10155: IKEv1 Informational exchange integrity check failure

This alert (and any possible updates) is available at the following URLs:
https://libreswan.org/security/CVE-2019-10155/

The Libreswan Project has found a vulnerability in its processing of IKEv1
informational exchange packets. These packets are encrypted and integrity
protected using the established IKE SA encryption and integrity keys, but as
a receiver, the integrity check value (ICV) was not verified for IKEv1
Informational Exchange packets. The code containing the vulnerability is also
present in openswan and older strongswan releases.

The impact of this vulnerability is low, as it cannot be exploited (for
libreswan; for strongswan and openswan see below).

Vulnerable versions:
libreswan < 3.29
strongswan < 5.0
openswan - all versions (as of writing: 2.6.51.3)

Not vulnerable: libreswan 3.29 and later, strongswan 5.0 and later, freeswan

Vulnerability information
=========================
IKEv1 informational packets are not integrity checked. As these packets are
encrypted under the negotiated IKE SA's encryption key, the impact of this is
very limited. An attacker would have no access to the encryption key, meaning
an on-path attacker can at best send mangled messages that would be processed
for decryption, but these messages, once decrypted, would result in nonsense
data that would be rejected as an invalid IKE packet. Even if the attacker
somehow managed to accidentally forge an encrypted message that would decrypt
to a valid IKE packet (or if it otherwise obtained the encryption key of the
IKE session), the damage it can do is limited, as the IKEv1 informational
exchange is only used for two types of messages: Dead Peer Detection (DPD)
messages and Delete/Notify messages terminating IPsec and IKE SAs.
Since the attacker needs to be on-path for this attack, it is much easier for
the attacker to filter the packets to accomplish the same thing. An IKE
endpoint that requires a connection to be established would also re-establish
a connection that is brought down by a Notify/Delete message. As such, the
impact is deemed low.

Exploitation
============
There is no known method for exploiting this vulnerability for libreswan.

Due to the missing integrity check, a concern was investigated to see if the
vulnerability could be used as an oracle to attack the IKE SA encryption key.
Due to the way libreswan has implemented encryption, using the NSS crypto
library, no RSA padding attacks are possible. While it would be possible to
determine the unencrypted message length, this information yields no useful
information to an attacker.

For strongswan, no versions have been vulnerable since 2012, when the shared
vulnerable code was replaced by a new IKEv1 implementation that is not
vulnerable. Those old versions would be vulnerable to the openswan RSA oracle
attack as well.

For openswan versions before v2.6.51.3 (released March 2019) that are not
compiled to use the NSS crypto library, there is a risk these versions are
vulnerable to an RSA oracle attack that could yield the IKE SA encryption key.
While older versions of Red Hat Enterprise Linux (RHEL) used to support
openswan, these are not vulnerable to an RSA oracle attack as these versions
used the NSS crypto library. All current versions of RHEL now use libreswan
and cannot be exploited. If still using openswan, please consult your vendor
or upgrade to libreswan.

Workaround
==========
A possible workaround is to reconfigure IKEv1 connections to use IKEv2, using
the keyword ikev2=insist. However, this must be supported and allowed by the
IKE peer as well.

History
=======
All vulnerable versions listed above inherited the vulnerable code from the
patched freeswan codebase known at the time as "super-freeswan".
Freeswan itself never supported any Informational Exchange message. Strongswan
and openswan are forks of "super-freeswan", and libreswan is a
fork/continuation of openswan-2.6.38. Strongswan removed the "super-freeswan"
inherited code in version 5.0.0.

Credits
=======
This vulnerability was found by the Libreswan Project.

About libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan
2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong
cryptography to provide both authentication and encryption services. These
services allow you to build secure tunnels through untrusted networks.
Everything passing through the untrusted network is encrypted by the IPsec
gateway machine, and decrypted by the gateway at the other end of the tunnel.
The resulting tunnel is a virtual private network (VPN).

Upgrading
=========
To address this vulnerability, please upgrade to libreswan 3.29. For those
who cannot upgrade to 3.29, the URL above contains a minimal patch that can
be used to patch older libreswan releases, and possibly can be used as a
basis for an openswan patch.
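The following is an added example, not code from libreswan, openswan, strongswan or the patch published at the URL above. It models the receiver-side step the advisory says was missing: in an IKEv1 Informational exchange (RFC 2409 section 5.7, HDR*, HASH(1), N/D) the decrypted body carries HASH(1) = prf(SKEYID_a, M-ID | N/D), and a correct receiver recomputes and compares that value before acting on the Notify/Delete payload. Only the post-decryption step is modelled; the prf is assumed to be HMAC-SHA1, and the SKEYID_a key, message ID and Delete payload are constructed values. The example contrasts a receiver that skips the comparison (the pattern described in the advisory) with one that performs it, feeding both a genuine message, a corrupted one of the kind a mangled ciphertext would decrypt to, and a replay under the wrong message ID.

```python
"""Model of the HASH(1) check on an IKEv1 Informational exchange.

Added example; not libreswan/openswan/strongswan code.  The prf is
assumed to be HMAC-SHA1 and all keys, IDs and payloads are constructed.
"""
import hashlib
import hmac
import struct

HASH_LEN = hashlib.sha1().digest_size  # 20 bytes for an HMAC-SHA1 prf


def prf(skeyid_a: bytes, data: bytes) -> bytes:
    """Assumed prf for the demo: HMAC-SHA1 keyed with SKEYID_a."""
    return hmac.new(skeyid_a, data, hashlib.sha1).digest()


def build_informational(skeyid_a: bytes, msg_id: int, nd_payload: bytes) -> bytes:
    """Sender side: HASH(1) over M-ID || N/D payload, placed in front of the
    payload.  This is the plaintext that would then be encrypted under the
    IKE SA key (encryption itself is not modelled here)."""
    h = prf(skeyid_a, struct.pack(">I", msg_id) + nd_payload)
    return h + nd_payload


def process_unchecked(decrypted: bytes) -> bytes:
    """Pattern the advisory describes: HASH(1) is carried but never compared,
    so whatever follows it is handed straight to the Notify/Delete handler."""
    return decrypted[HASH_LEN:]


def process_checked(skeyid_a: bytes, decrypted: bytes, msg_id: int) -> bytes:
    """Fixed pattern: recompute HASH(1) and compare in constant time before
    the Notify/Delete payload is acted on.  Raises ValueError on mismatch."""
    if len(decrypted) < HASH_LEN:
        raise ValueError("Informational message too short to carry HASH(1)")
    received, payload = decrypted[:HASH_LEN], decrypted[HASH_LEN:]
    expected = prf(skeyid_a, struct.pack(">I", msg_id) + payload)
    if not hmac.compare_digest(received, expected):
        raise ValueError("HASH(1) mismatch: discarding Informational message")
    return payload


def demo() -> dict:
    """Run a genuine message, a corrupted one (what a mangled ciphertext
    decrypts to) and a replay under the wrong message ID through both
    receivers.  Returns ("accepted", payload) or ("rejected", reason)."""
    skeyid_a = b"constructed-demo-SKEYID_a-key"   # constructed, not a real key
    msg_id = 0x1234ABCD                            # constructed message ID
    delete = b"DELETE proto=ESP spi=deadbeef"     # constructed N/D payload
    genuine = build_informational(skeyid_a, msg_id, delete)

    corrupted = bytearray(genuine)
    corrupted[-1] ^= 0x01                          # one byte changed after "decryption"
    corrupted = bytes(corrupted)

    def outcome(fn, *args):
        try:
            return ("accepted", fn(*args))
        except ValueError as exc:
            return ("rejected", str(exc))

    return {
        "unchecked_genuine": outcome(process_unchecked, genuine),
        "unchecked_corrupted": outcome(process_unchecked, corrupted),
        "checked_genuine": outcome(process_checked, skeyid_a, genuine, msg_id),
        "checked_corrupted": outcome(process_checked, skeyid_a, corrupted, msg_id),
        "checked_wrong_msgid": outcome(process_checked, skeyid_a, genuine, msg_id + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The unchecked receiver passes the corrupted Delete payload on as if it were authentic, which is exactly why the advisory's analysis of impact rests on the encryption layer turning any tampered ciphertext into nonsense; the checked receiver rejects it on the HASH(1) comparison regardless of what the bytes look like, and also rejects a genuine message replayed under a different message ID because M-ID is part of the hashed data.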
======================================================================
-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAlz5S3cTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+S2aD/488uv1PwyTjs0nxNJTpWe9cdeWWOB5
r+fvqhSUd+/ZwBEfjXLOL4y09a77FlUU0S3SiBt2E3AD9M5r1adMBv+ClcwOhgCO
GtRu7UY87cwV5N0mRIoDCEkzG8g3+A/0CdWzNvErPy4Lr8+l224XNOqZKB+SOAtR
QHnvqkIzO+feK6uA5ZJ/E4FW6bLtE7xBu9pIPtDLpmOcceOAICQiABhmb3AAhPyH
TZEGf2HcM2t/rNnfgscXTiJDbHxI2oc7PBRoUuCBUefM1U3nIe7E0BM1HarQNvs2
2tyhqfFNXkOlAUj3opnODhVZ4bP8CV5/volAQwmaQGG7g1uoNpBMJtdw57JdzvsX
/+QulL5J2UbFIx2fgvgN8C3DKOuOsAm4Aqyp2PFXPBz1eStciihIsNzjsUHPBmG3
91WZNYHKD/AQm9aLoXlUBkKzpBZTWn9ocyd7eK3hLo59QkzInlS/em3gtyFzye+E
64SmzqS85CfUw29xL72Rp8iy+aCWdd6jJy1Idaekpq39z/QTgppxvoFMb3XJ8sBF
H0EH+tBO05IhR2QsDT5YW13/D7U9JdmElmBvTfZVC3xbI2yQQvmnKgC8mRx7/tvC
RMXW1vqwzohS4BXJ1iyLUn3Ws+d3qyRBQxIYgwjCu1sTCWkZfdF1WfqE8rY5P6oG
+SY9RHoVs1y+Bw==
=oIA6
-----END PGP SIGNATURE-----