Xelerance Openswan IKEv2 Signature Verification Vulnerability [CVE-2018-15836]
CVE Number – CVE-2018-15836
A vulnerability in the Internet Key Exchange version 2 (IKEv2) signature verification feature of Xelerance Openswan could allow an unauthenticated, remote attacker to conduct a Bleichenbacher-style signature forgery attack on a targeted system.
The vulnerability is due to improper IKEv2 signature verification by the affected software when raw Rivest, Shamir, and Adleman (RSA) keys are used. An attacker could exploit this vulnerability by conducting an RSA padding attack on a targeted system. A successful exploit could allow the attacker to forge a Public-Key Cryptography Standard #1 (PKCS #1) version 1.5 signature, which could aid an attacker in conducting further attacks.
Xelerance confirmed the vulnerability and released software updates.
-
To exploit this vulnerability, the attacker may need access to trusted, internal networks in which the targeted system may reside. This access requirement may reduce the likelihood of a successful exploit.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
Administrators are advised to monitor affected systems.
-
Xelerance released a security announcement at the following link: CVE-2018-15836
-
Xelerance released software updates at the following link: Openswan 2.6.50.1
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.