Hi,

 

after reading the paper I still don't understand why the authors mentioned IKEv2 there.

Their example attack in Section 4.4 on (allegedly) IKEv2 in fact uses a secondary responder supporting IKEv1 Public Key Encryption mode, without which the attack is impossible (as far as I understand). So, in my opinion, the authors are at least not accurate in claiming that IKEv2 itself is susceptible. Or am I missing something?

 

Regards,

Valery.

 

 

From: IPsec [mailto:[email protected]] On Behalf Of Paul Wouters
Sent: Tuesday, August 14, 2018 1:21 AM
To: [email protected]
Subject: [IPsec] Fwd: [Security] Cisco Patches Its Operating Systems Against New IKE Crypto Attack

 

FYI,

 

https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf

Sent from my phone


Begin forwarded message:


https://www.bleepingcomputer.com/news/security/cisco-patches-its-operating-systems-against-new-ike-crypto-attack/


Cisco Patches Its Operating Systems Against New IKE Crypto Attack


By Catalin Cimpanu <https://www.bleepingcomputer.com/author/catalin-cimpanu/>

Cisco, one of the world's largest vendors of networking equipment, released 
security updates today to patch a vulnerability in the IOS and IOS XE operating 
systems that run the vast majority of its devices.

The vulnerability is tracked as CVE-2018-0131 and is one of four CVE 
identifiers for a new Bleichenbacher oracle cryptographic attack against the 
IKE (Internet Key Exchange) protocol <https://en.wikipedia.org/wiki/Internet_Key_Exchange>.


Patches address new cryptographic attack


This new attack is described in a recently published research paper entitled 
"The Dangers of Key Reuse: Practical Attacks on IPsec IKE" 
<https://www.ei.rub.de/media/nds/veroeffentlichungen/2018/08/13/sec18-felsch.pdf>, 
set to be presented at the 27th Usenix Security Symposium later this week in 
Baltimore, USA. From the paper's abstract:

In this paper, we show that reusing a key pair across different versions and 
modes of IKE can lead to cross-protocol authentication bypasses, enabling the 
impersonation of a victim host or network by attackers. We exploit a 
Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for 
authentication. Using this exploit, we break these RSA encryption based modes, 
and in addition break RSA signature based authentication in both IKEv1 and 
IKEv2. Additionally, we describe an offline dictionary attack against the PSK 
(Pre-Shared Key) based IKE modes, thus covering all available authentication 
mechanisms of IKE.

Researchers say their attack works against the IKEv1 implementations of Cisco 
(CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and 
ZyXEL (CVE-2018-9129).

The research team, made up of three academics from the Ruhr-University Bochum, 
Germany and two from the University of Opole, Poland, say they notified vendors 
that had products vulnerable to this attack.

"All vendors published fixes or removed the particular authentication method 
from their devices' firmwares in response to our reports," researchers said.


Cisco IOS and IOS XE affected, but not IOS XR


Cisco was by far the biggest vendor affected by this flaw, and the hardest hit. 
CVE-2018-0131 affects the company's main product, the IOS (Internetworking 
Operating System), and its Linux-based offshoot, IOS XE.

The IOS XR operating system, which runs on a different codebase and is used 
mainly for carrier-grade routers, is not affected.

Cisco released patches today for both OSes. The company says that any IOS and 
IOS XE device that's configured with the "authentication rsa-encr" option is 
vulnerable.


Attackers can recover VPN sessions


According to Cisco, this flaw "could allow an unauthenticated, remote attacker 
to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) 
session."

"The vulnerability exists because the affected software responds incorrectly to 
decryption failures. An attacker could exploit this vulnerability by sending 
crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted 
nonces," Cisco said in a security advisory 
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180813-rsa-nonce>.

An attacker that has the ability to recover IKEv1 nonces can recover data sent 
via IPsec <https://en.wikipedia.org/wiki/IPsec>, the protocol at the base of 
most VPN traffic. With this in mind, applying the Cisco patches is highly 
recommended.



_______________________________________________
Security mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/security

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
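The forwarded article states that any IOS or IOS XE device configured with the "authentication rsa-encr" option is affected. As an added example (not code from the article, the paper's authors or Cisco), the script below scans a saved running-config for ISAKMP policies that still use that method; the sample config, hostname, policy numbers and peer address are constructed, and the rsa-sig default assumed for policies with no explicit authentication line is the documented IOS default.

```python
import re
from typing import Dict, List

# Constructed sample running-config: hostname, policy numbers and the
# peer address are made up for the example.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
crypto isakmp policy 10
 encr aes 256
 authentication rsa-encr
 group 14
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 14
crypto isakmp policy 30
 group 14
!
crypto isakmp key REDACTED address 192.0.2.10
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
AUTH_RE = re.compile(r"^\s+authentication\s+(\S+)\s*$")


def isakmp_auth_methods(config: str) -> Dict[int, str]:
    """Map each ISAKMP policy number to its authentication method; a policy
    with no explicit "authentication" line uses the IOS default, rsa-sig.
    Attributes are indented under the policy line; a non-indented line ends it."""
    methods: Dict[int, str] = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            methods[current] = "rsa-sig"  # default until overridden
            continue
        if current is not None and not line.startswith(" "):
            current = None  # left the policy block
            continue
        m = AUTH_RE.match(line)
        if m and current is not None:
            methods[current] = m.group(1)
    return methods


def policies_using_rsa_encr(config: str) -> List[int]:
    """Policy numbers that still negotiate RSA-encrypted nonces."""
    return sorted(n for n, a in isakmp_auth_methods(config).items() if a == "rsa-encr")
```

Run it over `show running-config` output from each device before and after patching; an empty result means no policy still offers the RSA-encrypted-nonce method.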
