Researchers Break IPsec VPN Connections with 20-Year-Old Protocol Flaw

The attack targets IKE’s handshake implementation used for IPsec-based VPN connections, opening the door for MitM attacks or for bad actors to access data carried in VPN sessions.

A new Bleichenbacher oracle cryptographic attack has been set loose on the world, using a 20-year-old protocol flaw to compromise the Internet Key Exchange (IKE) protocol used to secure IP communications.

Specifically, the attack targets IKE’s handshake implementation used for IPsec-based VPN connections. Attackers might be able to use the vulnerability to retrieve IKEv1 session keys and decrypt connections, ultimately opening the door to man-in-the-middle (MitM) attacks or for bad actors to access data carried in VPN sessions.

The consequences could be far-ranging; as is commonly known, VPNs allow employees to securely access a corporate network while they are outside the office. However, they also allow companies to connect their local networks over the public internet, as is the case with the Automotive Network Exchange (ANX), which connects automakers with their suppliers; and in wireless 4G networks, wireless carriers use VPNs to secure the backhaul links between their cell towers and the core network. Dissidents and journalists also use VPNs to circumvent geo-restrictions, hostile surveillance and censorship.

The technique, uncovered by a team of academic researchers from the Ruhr-University Bochum, Germany and the University of Opole, Poland, involves reusing a key pair across different versions and modes of IKE, which can lead to cross-protocol authentication bypass. That allows an attacker to spoof the targeted IPSec endpoint, and to eventually break the encryption mechanism.

“We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication,” explained the team, in a paper set to be presented at the Usenix Security Symposium this week. “[The attack covers] all available authentication mechanisms of IKE.”

IPsec (Internet Protocol Security) is a protocol stack that protects network packets at the IP layer. But to establish a shared secret for an IPsec connection, the IKE protocol has to be executed. IKE consists of two phases, where Phase 1 is used to establish initial authenticated keying material between two peers. Phase 2 is used to negotiate further derived keys for many different IP-based connections between the two.

The proof-of-concept targets only Phase 1 in IKEv1 and IKEv2, where the attacker impersonates an IKE device.

“Once attackers succeed with this attack on Phase 1, they share a set of (falsely) authenticated symmetric keys with the victim device, and can successfully complete Phase 2 – this holds for both IKEv1 and IKEv2,” the paper detailed.

In IKEv1, four authentication methods are available for Phase 1: Two RSA encryption-based methods, one signature-based method, and a pre-shared key (PSK)-based method.

In IKEv2, Phase 1 omits the encryption-based authentication methods, leaving only signature- and PSK-based authentication methods.

The attacks are based on Bleichenbacher oracles – a 20-year-old protocol threat that has been used through the years to break the confidentiality of TLS when used with RSA encryption. The researchers have now found that these same oracles “can very efficiently be used to decrypt nonces,” which breaks the RSA-encrypted authentication in IKE’s Phase 1.

Also, the paper shows that they can be used to forge digital signatures, which breaks the signature-based authentication in Phase 1; and on the PSK front, offline dictionary attacks are possible, according to the researchers, rounding out the protection compromises.

Cisco and Huawei issued patches for the issue yesterday.

For Cisco, the flaw exists in its flagship Internetworking Operating System (IOS), which powers most of its routers and switches, and in its Linux-based offshoot, IOS XE – if the “authentication rsa-encr” option is enabled. Another operating system branch, IOS XR, is used for carrier-grade infrastructure and is not affected.

“The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces,” Cisco explained in its security advisory.
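To make the Cisco advisory's point concrete, here is a constructed toy model (added for this write-up; not the researchers' or any vendor's code) of an IKEv1 responder that decrypts a PKCS#1 v1.5 RSA-encrypted nonce. The RSA key, the reply names and the "continue with a random nonce" countermeasure are assumptions chosen for illustration; the point is that a responder whose reply depends on the padding check hands an attacker a Bleichenbacher oracle, while one that behaves identically either way does not.

```python
# Constructed illustration (not the researchers' or any vendor's code):
# a toy IKEv1 responder that decrypts an RSA-encrypted nonce (PKCS#1 v1.5)
# and either leaks the padding-check result (oracle) or hides it.
import os
import random

# Toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (25)

def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || msg."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this toy key"
    ps = bytes(random.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(em: bytes):
    """Return the embedded message, or None if the padding is malformed."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep < 10:             # PS must be at least 8 bytes long
        return None
    return em[sep + 1:]

def rsa_encrypt_nonce(nonce: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(nonce), "big"), E, N)

def rsa_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")

def vulnerable_responder(c: int) -> str:
    """Leaky: a padding failure produces a different reply than success."""
    nonce = pkcs1_v15_unpad(rsa_decrypt(c))
    if nonce is None:
        return "NOTIFY_DECRYPTION_FAILED"   # assumed name for the error reply
    return "CONTINUE_PHASE1"

def hardened_responder(c: int) -> str:
    """Substitutes a random nonce on failure so the reply is identical; the
    handshake then fails later at the HASH check without revealing why."""
    nonce = pkcs1_v15_unpad(rsa_decrypt(c))
    if nonce is None:
        nonce = os.urandom(8)             # assumed TLS-style countermeasure
    return "CONTINUE_PHASE1"

def oracle_leaks(responder, trials: int = 32) -> bool:
    """Does the reply distinguish a well-formed ciphertext from random ones?"""
    good = responder(rsa_encrypt_nonce(os.urandom(8)))
    replies = {responder(random.randrange(1, N)) for _ in range(trials)}
    return replies != {good}
```

`oracle_leaks` returns True for `vulnerable_responder` and False for `hardened_responder`; the same check applied to a real implementation (comparing reply type, and in practice timing as well) is how a defender confirms the oracle is closed.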

For Huawei’s part, the issue targets IPSec IKEv1 implementations of Huawei Firewall products.

“Remote attackers can decrypt IPSec tunnel ciphertext data by leveraging a Bleichenbacher RSA padding oracle,” the Chinese giant noted in its own advisory. “Successful exploitation of this vulnerability can impact IPSec tunnel security.”

The attack is known to affect IKEv1 implementations by Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753, already patched, affecting the Clavister cOS Core) and ZyXEL (CVE-2018-9129, also already patched, affecting all ZyWALL/USG devices).

The academic team previously privately disclosed the problem to the four vendors; however, the paper noted that all versions and variants of IPsec’s IKE protocol can be broken if weak PSKs and Bleichenbacher oracles in the IKEv1 PKE and RPKE variants are present – thus, more implementations in major operating systems and network devices could be affected, depending on configuration.

Discussion

  • Caron on

    yeah a user should watch out what they are using, something like NordVPN or Surfshark which are built on IKEv2
  • Ryan on

    This is a vulnerability in the RSA authentication. Wouldn't that mean it's only applicable to IKEv1, and only if you're using RSA authentication? So IKEv2 is fine, and IKEv1 with PSK or signature auth is also fine?
    • Tara Seals on

      Hi Ryan! According to the researchers' paper, the exploit breaks RSA encryption-based modes, yes -- but also compromises RSA signature-based authentication in both IKEv1 and IKEv2, and they carry out an offline dictionary attack against the PK-based IKE modes, which covers all available authentication mechanisms of IKE. I hope that helps!
