[strongSwan] User openssl's PUBKEY_VERIFY instead of gmp's for CVE-2017-11185

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Aug 20 16:35:49 CEST 2017



On 20.08.2017 09:49, karthik kumar wrote:
> Hi, 
>    We are trying to mitigate CVE-2017-11185. We use older than 5.6.0 version of strongswan and upgrading will take significant time/effort. 
>
Why don't you patch?

> The vulnerability is while gmp plugin doing signature verification, and I found that the same feature is provided by openssl (and gcrypt) so our plan is to use openssl plugin,
> /
> /
> /OPENSSL is enabled /
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL in plugin 'openssl'/
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 in plugin 'openssl'/
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 in plugin 'openssl'/
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 in plugin 'openssl'/
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 in plugin 'openssl'/
> /.... <and so on>/
> /
> /
> /GMP/
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL in plugin 'gmp'
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 in plugin 'gmp'
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 in plugin 'gmp'
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 in plugin 'gmp'
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 in plugin 'gmp'
> ... <and so on>
>
> I have a couple of questions,
> a. how do I determine if its safe to disable (load = no) the gmp plugin ? I compared all features of GMP listed in the log against openssl plugin features, and all of them are available in Openssl plugin. Is that enough or anything else I should consider checking before turning off gmp plugin ? (i have tested disabling gmp in my local and esp packets are created and sent properly)
>
Your testing is faulty. strongSwan does not send ESP packets or does any traffic processing. It only sets up SAs and SPs. You need to check if the key exchange works.

> b. I tried to increase the priority of openssl (load = 2) plugin. But I can't find a way to verify that signature verification is done by openssl plugin and not gmp plugin. Is there a way I can verify that ? (or rather how do I verify which plugin is executing certain feature when the same feature is provided by two loaded plugins)
>
AFAIK There is no way to check that as of now. The logs mention the order of the plugins when they are loaded, if the logger configuration is correct. You can use the logs to figure out what plugin provides the functionality (it's the one that is loaded first).

> Thanks
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170820/2a33f0a0/attachment-0001.sig>


More information about the Users mailing list