A team of researchers has disclosed the details of a new attack method that can be used to crack encrypted communications. The products of several vendors, including Cisco, Huawei, ZyXEL and Clavister, are impacted.
The attack will be presented later this week at the 27th USENIX Security Symposium in Baltimore, Maryland, by researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany. The research paper has already been made public.
The experts have analyzed the impact of key reuse on Internet Protocol Security (IPsec), a protocol that authenticates and encrypts the data packets sent over a network. IPsec is often used for virtual private networks (VPNs).
The cryptographic key for IPsec uses the Internet Key Exchange (IKE) protocol, which has two versions, IKEv1 and IKEv2. Each version of IKE has different modes, configurations and authentication methods.
“[Reusing] a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers,” the researchers explained. “We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.”
The attack has been found to work against Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), ZyXEL (CVE-2018-9129) and Clavister (CVE-2018-8753) products.
Cisco, Huawei and ZyXEL published advisories for this vulnerability on Monday. Clavister, a provider of network security solutions, released patches for its Clavister cOS Core operating system in early May.
Cisco, which assigned the issue a severity rating of “medium,” described it as a vulnerability in the implementation of RSA-encrypted nonces in the company’s IOS and IOS XE software. An unauthenticated attacker can remotely obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted device.
ZyXEL says the vulnerability affects its ZyWALL and USG series network security appliances. The company has released firmware updates that should prevent attacks.
“ZyWALL/USG devices have a security vulnerability in the Internet Key Exchange (IKE) handshake implementation used for their IPsec-based VPN connections. Attackers might be able to use this vulnerability to retrieve IKEv1 session keys and decrypt connections by using a chosen-ciphertext attack called Bleichenbacher's attack,” the company told customers.
Huawei’s advisory reveals that the company’s firewall products are affected by the vulnerability. The company also noted that the IPsec IKEv1 implementations in its firewalls introduce two other flaws that can be used to cause a device to enter a denial-of-service (DoS) condition by sending specially crafted packets.