Описание
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
It was found that IKEv1 (and potentially IKEv2) authentication when using a pre-shared key (PSK) is vulnerable to offline dictionary attacks in Main Mode as well as in Aggressive Mode. A man-in-the-middle attacker who intercepted the handshake of two peers authenticating with a PSK, could apply a brute-force attack to recover the shared secret.
Отчет
PSK based authentication should only be used when the randomness and confidentially of the shared secret can be guaranteed. PSKs should also not be used as Group Secrets, where the security of the PSK is only as strong as the weakest participant in the group. Public Key or EAP authentication methods should be used whenever possible. If PSK must be used, it is essential to ensure the shared secret has a high degree of randomness and is not derived from a password with low entropy, as specified clearly in the IKEv2 specification in RFC 7296. To use passwords for authentication of IKE/IPsec peers, the IKEv2 protocol supports various methods that are not based on (inherently weak) PSKs and which are not vulnerable to offline dictionary attacks: RFC 5998: EAP-Only Authentication in IKEv2 RFC 6617: Secure Pre-Shared Key (PSK) Authentication for IKE RFC 6631: Password Authenticated Connection Establishment with IKEv2 RFC 6628: Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2 As implementations supporting IKE assume the security of provided PSKs, and no mechanism within the protocol allows for password-stretching, we do not anticipate any software fixes becoming available. The research paper that describes the problems of using weak PSKs also listed another security issue with respect to RSA keys that has different CVE numbers. Libreswan is not vulnerable to those attacks as it requires IKEv1 using either ("Encryption with RSA" (value 5) or "Revised encryption with RSA" (value 6). Both of these modes are not implemented by libreswan.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | ipsec-tools | Will not fix | ||
| Red Hat Enterprise Linux 5 | openswan | Will not fix | ||
| Red Hat Enterprise Linux 6 | libreswan | Will not fix | ||
| Red Hat Enterprise Linux 6 | openswan | Will not fix | ||
| Red Hat Enterprise Linux 7 | libreswan | Will not fix | ||
| Red Hat Enterprise Linux 8 | libreswan | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
The Internet Key Exchange v1 main mode is vulnerable to offline dictio ...
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
EPSS
5.9 Medium
CVSS3