The attack targets IKE’s handshake implementation used for IPsec-based VPN connections, opening the door for MiTM attacks or for bad actors to access data carried in VPN sessions.

A new Bleichenbacher oracle cryptographic attack has been set loose on the world, using a 20-year-old protocol flaw to compromise the Internet Key Exchange (IKE) protocol used to secure IP communications.

Specifically, the attack targets IKE’s handshake implementation used for IPsec-based VPN connections. Attackers might be able to use the vulnerability to retrieve IKEv1 session keys and decrypt connections, ultimately opening the door to man-in-the-middle (MitM) attacks or for bad actors to access data carried in VPN sessions.

The consequences could be far-ranging; as is commonly known, VPNs allow employees to securely access a corporate network while they are outside the office. However, they also allow companies to connect their local networks over the public internet, as is the case with the Automotive Network Exchange (ANX), which connects automakers with their suppliers; and in wireless 4G networks, wireless carriers use VPNs to secure the backhaul links between their cell towers and the core network. Dissidents and journalists also use VPNs to circumvent geo-restrictions, hostile surveillance and censorship.

The technique, uncovered by a team of academic researchers from the Ruhr-University Bochum, Germany and the University of Opole, Poland, involves reusing a key pair across different versions and modes of IKE, which can lead to cross-protocol authentication bypass. That allows an attacker to spoof the targeted IPSec endpoint, and to eventually break the encryption mechanism.

“We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication,” explained the team, in a paper set to be presented at the Usenix Security Symposium this week. “[The attack covers] all available authentication mechanisms of IKE.”

How It Works

IPsec (Internet Protocol Security) is a protocol stack that protects network packets at the IP layer. But to establish a shared secret for an IPsec connection, the IKE protocol has to be executed. IKE consists of two phases, where Phase 1 is used to establish initial authenticated keying material between two peers. Phase 2 is used to negotiate further derived keys for many different IP-based connections between the two.

The proof-of-concept targets only Phase 1 in IKEv1 and IKEv2, where the attacker impersonates an IKE device.

“Once attackers succeed with this attack on Phase 1, they share a set of (falsely) authenticated symmetric keys with the victim device, and can successfully complete Phase 2 – this holds for both IKEv1 and IKEv2,” the paper detailed.

In IKEv1, four authentication methods are available for Phase 1: Two RSA encryption-based methods, one signature-based method, and a pre-shared key (PSK)-based method.

In IKEv2, Phase 1 omits the encryption-based authentication methods, leaving only signature- and PSK-based authentication methods.

The attacks are based on Bleichenbacher oracles – a 20-year-old protocol threat that has been used through the years to break the confidentiality of TLS when used with RSA encryption. The researchers have now found that these same oracles “can very efficiently be used to decrypt nonces,” which breaks the RSA-encrypted authentication in IKE’s Phase 1.

Also, the paper shows that they can be used to forge digital signatures, which breaks the signature-based authentication in Phase 1; and on the PSK front, offline dictionary attacks are possible, according the researchers, rounding out the protection compromises.

Patches Roll Out

Cisco and Huawei issued patches for the issue yesterday.

For Cisco, the flaw exists in its flagship Internetworking Operating System (IOS), which powers most of its routers and switches, and in its Linux-based offshoot, IOS XE – if the “authentication rsa-encr” option is enabled. Another operating system branch, IOS XR, is used for carrier-grade infrastructure and is not affected.

“The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces,” Cisco explained in its security advisory.

For Huawei’s part, the issue targets IPSec IKEv1 implementations of Huawei Firewall products.

“Remote attackers can decrypt IPSec tunnel ciphertext data by leveraging a Bleichenbacher RSA padding oracle,” the Chinese giant noted in its own advisory. “Successful exploitation of this vulnerability can impact IPSec tunnel security.”

The attack is known to affect IKEv1 implementations by Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753, already patched, affecting the Clavister cOS Core) and ZyXEL (CVE-2018-9129, also already patched, affecting all ZyWALL/USG devices).

The academic team previously privately disclosed the problem to the four vendors; however, the paper noted that all versions and variants of the IPsec’s IKE protocol can be broken, if weak PSKs and Bleichenbacher oracles in the IKEv1 PKE and RPKE variants are present – thus, more implementations in major operating systems and network devices could be affected, depending on configuration.