Vulnerable IPSec IKE implementations used in Cisco, Huawei, ZyXel and Clavister networking devices can allow attackers to retrieve session keys and decrypt connections, researchers have found.
Dennis Felsch, Martin Grothe and Jörg Schwenk from Ruhr-Universität Bochum, and Adam Czubak and Marcin Szymanek of the University of Opole are scheduled to demonstrate the new attack this week at the USENIX Security Symposium in Baltimore.
In the meantime, they published a paper about their discovery.
“[Reusing] a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers,” the researchers noted.
“We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available au- thentication mechanisms of IKE.”
More details can also be found in this post by Dennis Felsch and this one by Martin Grothe, in which he mentioned that they only recently discovered that they weren’t the first ones to describe such an dictionary attack against IKEv1 Main Mode and IKEv2.
Patches are ready
All the aforementioned networking vendors have pushed out fixes for the vulnerability or removed the vulnerable authentication method from their devices’ firmwares.
As Cisco helpfully explained, “the vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces.”
Cisco found the vulnerability in its IOS software and IOS XE software. ZyXel says its ZyWALL/USG series products are affected. Huawei confirmed its firewalls are vulnerable. All provided firmware updates, and Clavister provided maintenance releases with the fix for its firewall customers earlier this year.