General

Symptom

Cisco IOS IKEv1 vulnerable to Bleichenbacher style attacks against RSA encrypted nonces A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session. The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability by sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-nonce

Conditions

Device configured with IKEv1 and using authentication rsa-encr in the isakmp policy. Whilst it is possible to obtain the encrypted nonces, it is not possible (currently) to hijack a session. The protocol also performs a DH (or ECDH) operation during initial negotiation; hence the attacker has two options: - They can act as an evesdropper during the initial negotiation; that means that they have plenty of time to deduce the nonces used; however as they don't know the DH shared secret, they can't decrypt anything. - They can act as a MITM during the initial negotiation, substituting their own values for the DH exchange. This means that, if they succeed, they'll have everything they need to evesdrop/inject packets; however that also means that they must be able to decrypt the encrypted nonces before the DH exchange times out (which is 2 minutes).

Workaround

None.

Further Problem Description

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.9: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X CVE ID CVE-2018-0131 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html