A new Cisco patch is available, addressing a flaw in IOS and IOS XE switch and router software. The patch follows the disclosure of a security flaw (tracked as CVE-2018-0131) in the Internet Key Exchange (IKE) protocol used to set up IPsec-protected VPNs.
The attack was disclosed by a group of researchers: Dennis Felsch, Martin Grothe, and Jörg Schwenk from Germany's Ruhr-University Bochum, and Adam Czubak and Marcin Szymanek from the University of Opole in Poland.
Technical Details about the CVE-2018-0131-Based Attack
The CVE-2018-0131 vulnerability on which the attack is based affects Cisco IOS Software and Cisco IOS XE Software when it is configured with the authentication rsa-encr option, as the company explains in an advisory. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability. However, patches should be applied as soon as possible.
The company released the patches ahead of the 27th USENIX Security Symposium in Baltimore, where the researchers are expected to present new attacks on IPsec IKE. These attacks could compromise large VPNs, typically employed by industrial information exchanges and wireless carrier backhaul, that run on Cisco kit.
This attack, discovered by the aforementioned group of researchers, is possible because a single RSA key pair is reused across IKEv1 and IKEv2, the first and second versions of the IKE key exchange protocol. It would enable an attacker to impersonate a network or carry out a man-in-the-middle attack against two parties.
To prove this, the researchers exploited a Bleichenbacher oracle in an IKEv1 mode where RSA-encrypted nonces are used for authentication. With this oracle, the team broke the RSA-encryption-based modes and also RSA-signature-based authentication in both IKEv1 and IKEv2. In addition:
We found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). All vendors published fixes or removed the particular authentication method from their devices’ firmwares in response to our reports.
On top of this, the researchers also described an offline dictionary attack against the PSK (Pre-Shared Key)-based IKE modes, thus covering all available authentication mechanisms of IKE.
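As an added example (not from the article, the researchers, or Cisco), the following Python audit parses an IOS running-config excerpt and flags ISAKMP policies that use the authentication rsa-encr option named in the advisory; it also notes when an IKEv2 profile signs with RSA, so the key-reuse exposure described above is visible to the administrator. The sample configuration is constructed, and the IKEv2 "authentication local rsa-sig" syntax is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample IOS configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-encr
 group 2
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp policy 30
 authentication pre-share
crypto ikev2 profile SITE-B
 authentication local rsa-sig
 pki trustpoint VPN-CA
"""

def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {policy_number: {sub-command: argument}} for each 'crypto isakmp policy' block.
    Sub-commands are the indented lines following the header, up to the next top-level line."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = {}
        elif not line.startswith(" "):  # any other top-level command closes the block
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            policies[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return policies

def audit_cve_2018_0131(config: str) -> List[str]:
    """Flag policies using RSA-encrypted nonces, the precondition for CVE-2018-0131."""
    findings = []
    for number, attrs in sorted(parse_isakmp_policies(config).items()):
        if attrs.get("authentication") == "rsa-encr":
            findings.append(f"isakmp policy {number}: authentication rsa-encr (CVE-2018-0131); "
                            "patch and move to rsa-sig or pre-share")
    # Assumed IKEv2 syntax: a profile signing with RSA uses 'authentication local rsa-sig'.
    # If it shares the key pair with the rsa-encr policy, the IKEv1 oracle exposes IKEv2 too.
    if findings and re.search(r"^crypto ikev2 profile", config, re.M) \
            and "authentication local rsa-sig" in config:
        findings.append("ikev2 profile signs with RSA: a shared key pair extends the exposure to IKEv2")
    return findings
```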