[strongSwan-dev] [strongSwan] strongSwan RSA signature vulnerability

[Thomas Jarosch]

Hi,

On Thursday, 31. May 2012 17:23:43 Martin Willi wrote:
> To exploit the vulnerability, a connection definition using RSA
> authentication is required. An attacker presenting a forged signature
> and/or certificate can authenticate as any legitimate user. strongSwan
> version back to 4.2.0 and up to 4.6.3 are affected, using both IKEv1 and
> IKEv2. Injecting code is not possible by such an attack.

I think one little detail is worth mentioning: You have to know the
(public) details of the certificate in order to forge it.

In the worst case the attacker already has ways of sniffing your traffic
or knows how to redirect the client traffic (f.e. DNS poisioning).
Then it's easy to read out the certificate details.

Otherwise he needs to look at the certificates returned by strongswan
and try to guess a pattern for the IPSEC id.

If that succeeded, he still needs to get the IP addresses in phase 2 right.
So if the connection is not configured by modeconfig, it's another round of 
guess work.

Since this requires a lot of manual labor, it's unlikely that this can be 
exploited by an automated system (=spam bot net).
It's more dangerous for a dedicated attack.

Please correct me if I'm wrong :)

Thomas