strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152) (#9482) · Issues · alpine / aports

strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)

CVE-2018-16151: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0,
the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification.
Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small
public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.

References:

https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151

Patches:

https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch

CVE-2018-16152: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0,
the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature
verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to
impersonation when only an RSA signature is used for IKEv2 authentication.

References:

https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152

Patches:

(from redmine: issue id 9482, created on 2018-09-27, closed on 2018-10-04)

Relations:
- child #9483 (closed)
- child #9484 (closed)
- child #9485 (closed)
- child #9486 (closed)
- child #9487 (closed)

**CVE-2018-16151**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,  
the RSA implementation based on GMP does not reject excess data after
the encoded algorithm OID during PKCS\#1 v1.5 signature verification.  
Similar to the flaw in the same version of strongSwan regarding
digestAlgorithm.parameters, a remote attacker can forge signatures when
small  
public exponents are being used, which could lead to impersonation when
only an RSA signature is used for IKEv2 authentication.

### References:

https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html  
https://nvd.nist.gov/vuln/detail/CVE-2018-16151

### Patches:

https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch  
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch

**CVE-2018-16152**: In verify\_emsa\_pkcs1\_signature() in
gmp\_rsa\_public\_key.c in the gmp plugin in strongSwan 4.x and 5.x
before 5.7.0,  
the RSA implementation based on GMP does not reject excess data in the
digestAlgorithm.parameters field during PKCS\#1 v1.5 signature  
verification. Consequently, a remote attacker can forge signatures when
small public exponents are being used, which could lead to  
impersonation when only an RSA signature is used for IKEv2
authentication.

### References:

https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152

### Patches:

https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.3.1-5.6.0\_gmp-pkcs1-verify.patch  
https://download.strongswan.org/patches/27\_gmp\_pkcs1\_verify\_patch/strongswan-5.6.1-5.6.3\_gmp-pkcs1-verify.patch

*(from redmine: issue id 9482, created on 2018-09-27, closed on 2018-10-04)*

* Relations:
  * child #9483
  * child #9484
  * child #9485
  * child #9486
  * child #9487

Discussion
Designs