Codenomicon helps fix RSA signature verification vulnerability in strongSwan

Vulnerability in VPN software allows an attacker to log in as a legitimate user

OULU, FINLAND and SARATOGA, CA, USA, June 12, 2012 -- The Codenomicon Robust Open Source Software (CROSS) team found and reported a critical vulnerability in strongSwan's RSA signature verification. If exploited, this vulnerability allows an attacker to authenticate as a legitimate user by presenting a forged signature and/or certificate. The CROSS team reported the vulnerability to CERT-FI, who coordinated the vulnerability handling process with the strongSwan development team.

"When I first saw this vulnerability, it was almost like from the movies. We practically had a master key to log into any VPN system based on strongSwan," said Riku Hietamäki, senior security researcher from Codenomicon.

Operating systems and VPN appliances alike have integrated strongSwan, and it is one of the most popular open source VPN solutions. The vulnerability found is highly critical, exposing systems to zero-day attacks. Finding this bug required a generation-based, fully protocol-aware, model-based fuzzer.

"Codenomicon Defensics is simply superior in fuzzing complex security protocols such as IKE," said Ari Takanen, CTO and co-founder of Codenomicon. "It's important to fuzz-test critical software packages such as VPN daemons that are intended to enhance your security posture, instead of having them weaken it," he continued.

IKE RSA authentication is based on RSA key pairs. A connecting IKE client sends the IKE server an authentication message containing an authentication payload: a signature computed with the client's private key over the authentication data. Nobody else should be able to produce that signature, because nobody else holds the client's private key. In this case, the vulnerable code accepted a specifically constructed signature as legitimate, so the private key, the cornerstone of the whole public key infrastructure, was not needed to gain access to the IKE server.
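The exchange above, as an added, self-contained example that is not strongSwan code and does not reproduce the strongSwan bug: the client signs its authentication data with its private key, and the server verifies with the public key. The verifier implements RSA with EMSA-PKCS1-v1_5/SHA-256 padding by hand so that the checks it must make are visible: exact signature length, signature value below the modulus, and a full comparison of the recovered encoded message rather than just its trailing hash. The key pair, the `auth_payload` bytes and the forgery attempts are constructed here for illustration.

```python
"""IKE-style RSA signature authentication (added example, not strongSwan code).
Textbook RSA with EMSA-PKCS1-v1_5/SHA-256 padding, implemented by hand so the
verifier's checks are explicit. Keys and sample payload are constructed here."""
import hashlib
import random
import secrets

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (sufficient for a demonstration key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)); e = 65537 as in common practice."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo, k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this padding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign(priv, message: bytes) -> bytes:
    """Client side: the AUTH payload is EM^d mod n, left-padded to k bytes."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(pub, message: bytes, signature: bytes) -> bool:
    """Server side. Rejects anything that is not exactly a k-byte signature
    whose public-key recovery equals the full expected encoded message."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:          # wrong length: reject before any math
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:                       # out-of-range signature value
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(message, k)
    return secrets.compare_digest(em, expected)   # full, constant-time compare


def demo() -> dict:
    """Genuine AUTH payload versus attempts made without the private key."""
    pub, priv = gen_keypair(1024)
    # Constructed stand-in for the octets an IKE peer signs (SPIs, nonce, ID).
    auth_payload = b"constructed IKE AUTH octets: SPIs || nonce || ID"
    sig = sign(priv, auth_payload)
    return {
        "genuine": verify(pub, auth_payload, sig),
        "empty": verify(pub, auth_payload, b""),
        "all_zero": verify(pub, auth_payload, bytes(len(sig))),
        "random": verify(pub, auth_payload, secrets.token_bytes(len(sig))),
        "wrong_length": verify(pub, auth_payload, b"\x00" + sig),
        "tampered_payload": verify(pub, auth_payload + b"x", sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} accepted={ok}")
```

Only the genuine signature is accepted; the empty, all-zero, random, wrong-length and replayed-against-different-data attempts are all rejected. A verifier that skipped any one of these checks, or compared only part of the recovered encoded message, is the kind of defect a protocol-aware fuzzer can reach by mutating the authentication payload.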

The vulnerable code is in the gmp plugin, which is used for RSA signature verification on many platforms. A connection definition using RSA authentication is required to exploit the vulnerability. The attack does not enable code injection. Both IKEv1 and IKEv2 are affected. As a workaround, the openssl or gcrypt plugin may be used instead for RSA signature verification. The latest release of strongSwan fixes the security vulnerability (CVE-2012-2388), which exists in all versions from 4.2.0 to 4.6.3. All users of strongSwan are strongly encouraged to upgrade their systems.
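One way to apply the workaround above in strongswan.conf, as an added illustration rather than a configuration taken from the strongSwan project or this advisory: the `load` directive controls which plugins each daemon loads, and omitting `gmp` while listing `openssl` makes the openssl plugin the provider of RSA operations. The plugin list shown is an assumption for illustration; a real installation should start from the `load` line its distribution ships and only drop `gmp` from it, and `pluto` applies only to IKEv1 deployments of that era.

```ini
# /etc/strongswan.conf (added example; plugin list assumed, adapt to your build)
charon {
    # IKEv2 daemon: openssl listed, gmp omitted, so RSA verification is done by openssl
    load = openssl aes des sha1 sha2 md5 random x509 pubkey hmac xcbc stroke kernel-netlink socket-default updown
}

pluto {
    # IKEv1 daemon in strongSwan 4.x: same idea, gmp left out
    load = openssl aes des sha1 sha2 md5 random x509 pubkey hmac xcbc
}
```

After restarting the daemons, the startup log's list of loaded plugins should no longer include `gmp`; upgrading to the fixed release remains the proper remedy.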

While this vulnerability is limited to specific versions of strongSwan, similar defects could exist in other VPN products. All strongSwan users are strongly encouraged to contact Codenomicon to determine if they are vulnerable. Likewise, those using other closed or open source VPN products are urged to contact Codenomicon for instructions on how to assess the systems they are using or developing.

For a test procedure to look for this and other unknown vulnerabilities in your VPN software, please contact Codenomicon at:

More information from strongSwan:

More information on vulnerabilities found using Defensics:

More information regarding CROSS project:

About Codenomicon Ltd

Codenomicon finds security vulnerabilities others can't find. Companies rely on Codenomicon's solutions to discover zero-day vulnerabilities that cause Denial of Service (DoS) and data leakage if exploited by hackers -- the unknown vulnerabilities Advanced Persistent Threats (APTs) use to break into systems. Codenomicon's customers include Alcatel-Lucent, AT&T, Cisco Systems, Microsoft, Motorola, Google, Verizon, Nokia Siemens Networks, Huawei, and T-Systems.