Bugzilla – Bug 1109845
VUL-0: CVE-2018-17540: strongswan: Insufficient input validation in gmp plugin
Last modified: 2022-03-04 12:29:08 UTC
Dear strongSwan partner,

Google's OSS-Fuzz revealed a bug in the gmp plugin that may lead to a denial-of-service attack. It's caused by the patch that fixes CVE-2018-16151/2, so any strongSwan version with that patch applied is affected, including the latest 5.7.0.

# Insufficient input validation in gmp plugin

The verification of a signature with a very short RSA public key causes an integer underflow in a length check that then results in a heap buffer overflow, which most likely crashes the IKE daemon. CVE-2018-17540 has been assigned for this vulnerability.

As mentioned, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2 (Bleichenbacher-style low-exponent signature forgery due to lenient parsing of RSA signatures). Instead of parsing PKCS#1 v1.5 RSA signatures to verify them, the plugin now calls code that was previously used only with private keys to generate signatures. The shared function produces the encoding of the plaintext signature

    0x00 || 0x01 || PS || 0x00 || T

which is then simply compared to the decrypted signature value. Because the padding PS has to be at least 8 bytes and there are 3 marker bytes, the function contained the following check:

    if (data.len > keylen - 11)
    {
        return FALSE;
    }

Where data.len is the length of the signature value T (the ASN.1 encoded digestInfo containing the hash) and keylen is the length of the key's modulus in bytes. Because keylen is unsigned (size_t) this results in an integer underflow if keylen is < 11. This in turn causes a heap buffer overflow when the encoding is written to a buffer of only keylen bytes.

This snippet wasn't a problem so far because the code was only called for private keys. Besides that these are only loaded locally and with appropriate privileges, the gmp plugin also enforced a minimum length for the modulus of private keys (currently 64 bytes). However, that's not the case for public keys. So when the signature verification, that operates on public keys, started using that code, the key length could suddenly take values that would trigger the integer underflow (the initial trigger on OSS-Fuzz was a key with a 4-bit modulus).

This in itself would still not yet be a serious issue in practice, because signature verification is generally only done with trusted public keys. So an attacker would have to get a certificate with a specifically crafted public key issued from a trusted CA, or get a certificate with such a key installed directly on the attacked host. Unfortunately, the x509 plugin, after parsing a certificate, uses the contained public key to check if the certificate is self-signed. This means that an attacker can just send a crafted certificate to the IKE daemon to exploit the vulnerability.

The openssl plugin behaves the same way when parsing certificates, but depending on the plugin order the gmp plugin, even if loaded, won't be used for the signature verification. And the openssl plugin might even reject such certificates while parsing, at least that was the case for the OSS-Fuzz triggers. So unless the x509 plugin is loaded too, such installations might be less vulnerable (when using the openssl plugin, the gmp plugin is redundant anyway).

Since this is a heap buffer overflow the possibility of remote code execution can't be ruled out completely. However, due to the form of the data that's written to the buffer it seems difficult to actually exploit it in such a way.

# Mitigation

Since only the gmp plugin is affected, installations that don't have this plugin enabled and loaded are not vulnerable. Also not vulnerable are installations that have not been patched with the fix for CVE-2018-16151/2.

The attached patch fixes the vulnerability in all strongSwan versions given the appropriate patches listed at [1] are already applied, and should apply with appropriate hunk offsets.

Please prepare updated releases and patch your installations, but do not yet publicly disclose any information about this vulnerability. We want to give you as a partner enough time to prepare new releases and will publicly disclose the vulnerability with the strongSwan 5.7.1 release on Mon Oct 1, 14:00 CEST.

As mentioned in the introduction, credit to OSS-Fuzz for finding this vulnerability. It's interesting to note that neither of the two static code analyzers we use (Coverity, SonarQube) found this vulnerability.

Our apologies for the inconvenience.

Kind Regards
Tobias Brunner
strongSwan Developer

[1] https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/
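The length check described in the advisory above, as an added example that is not part of the original report, the attached patch, or strongSwan's code: it contrasts the quoted `keylen - 11` comparison with one way of ordering the test so the unsigned subtraction cannot wrap, and only the hardened path ever writes to a buffer. The names `flawed_check`, `safe_check` and `emsa_encode` and the sizes used are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OVERHEAD 11 /* 3 marker bytes + at least 8 bytes of padding PS */

/* The check quoted in the advisory, as a predicate only (nothing is written).
 * keylen - 11 is computed in size_t, so it wraps around for keylen < 11. */
static bool flawed_check(size_t data_len, size_t keylen)
{
    return !(data_len > keylen - OVERHEAD);
}

/* Hardened form: test keylen first so the subtraction cannot wrap. */
static bool safe_check(size_t data_len, size_t keylen)
{
    return keylen >= OVERHEAD && data_len <= keylen - OVERHEAD;
}

/* Build 0x00 || 0x01 || PS || 0x00 || T in keylen bytes; NULL if T does not fit. */
static unsigned char *emsa_encode(const unsigned char *t, size_t t_len, size_t keylen)
{
    unsigned char *em;
    size_t ps_len;

    if (!safe_check(t_len, keylen))
        return NULL;
    em = malloc(keylen);
    if (!em)
        return NULL;
    ps_len = keylen - t_len - 3; /* at least 8, guaranteed by safe_check */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len); /* PS is 0xff bytes in PKCS#1 v1.5 signatures */
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, t, t_len);
    return em;
}

int main(void)
{
    unsigned char t[35] = { 0 }; /* constructed T; keylen 1 models a tiny modulus */
    unsigned char *em = emsa_encode(t, sizeof(t), 1);
    printf("flawed=%d hardened=%d encoded=%d\n", flawed_check(sizeof(t), 1),
           safe_check(sizeof(t), 1), em != NULL);
    free(em);
    return 0;
}
```

With a 1-byte modulus the quoted comparison lets a 35-byte T through, while the reordered check rejects it before any buffer is allocated.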
Created attachment 784324: strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
CRD: 2018-10-01 14:00 CEST
Maintenance requests generated for
SLE-12_Update: https://build.suse.de/request/show/205029
SLE-15_Update: https://build.suse.de/request/show/205031
SUSE-SU-2019:3056-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1093536,1094462,1107874,1109845
CVE References: CVE-2018-10811,CVE-2018-16151,CVE-2018-16152,CVE-2018-17540,CVE-2018-5388
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): strongswan-5.6.0-4.3.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): strongswan-5.6.0-4.3.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): strongswan-5.6.0-4.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): strongswan-5.6.0-4.3.2
SUSE Linux Enterprise Module for Basesystem 15 (src): strongswan-5.6.0-4.3.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2594-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1093536,1094462,1107874,1109845
CVE References: CVE-2018-10811,CVE-2018-16151,CVE-2018-16152,CVE-2018-17540,CVE-2018-5388
Sources used:
openSUSE Leap 15.0 (src): strongswan-5.6.0-lp150.3.3.1
openSUSE-SU-2019:2598-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1093536,1094462,1107874,1109845
CVE References: CVE-2018-10811,CVE-2018-16151,CVE-2018-16152,CVE-2018-17540,CVE-2018-5388
Sources used:
openSUSE Leap 15.1 (src): strongswan-5.6.0-lp151.4.3.1
SUSE-SU-2019:3266-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1009254,1071853,1093536,1094462,1107874,1109845
CVE References: CVE-2018-10811,CVE-2018-16151,CVE-2018-16152,CVE-2018-17540,CVE-2018-5388
Sources used:
SUSE OpenStack Cloud 8 (src): strongswan-5.1.3-26.13.1
SUSE OpenStack Cloud 7 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP5 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP4 (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): strongswan-5.1.3-26.13.1
SUSE Linux Enterprise Desktop 12-SP4 (src): strongswan-5.1.3-26.13.1
SUSE Enterprise Storage 5 (src): strongswan-5.1.3-26.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Please ack and forward https://build.opensuse.org/request/show/761676 That way we can have this CVE fixed in Tumbleweed too.....
The spec file has some todo markers (needs rebase) in it ... not sure if I can forward it as such
(In reply to Marcus Meissner from comment #15)
> The spec file has some todo markers (needs rebase) in it ... not sure if I
> can forward it as such

No problem Marcus - I used this "channel" to try to wake up the maintainer, since he has not responded to sr nor direct email. What really annoys me is that he has fixed the CVEs for SLE, and hence also for Leap, but ignored TW.
This is an autogenerated message for OBS integration: This bug (1109845) was mentioned in https://build.opensuse.org/request/show/767305 Factory / strongswan
Hi Manuel, there still is a missing submission for SUSE:SLE-11-SP1:Update/strongswan. Can you please submit it?
(In reply to Gianluca Gabrielli from comment #18)
> Hi Manuel, there still is a missing submission for
> SUSE:SLE-11-SP1:Update/strongswan. Can you please submit it?

Hey Gianluca, currently I have no time for this. If I remember correctly, this will require quite some effort because the code where the patch is applied changed a lot in the SLE-11-SP1 version of strongswan. I know a new maintainer is being searched as we speak, so maybe he or she can take this task.
SUSE-SU-2022:14887-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1107874,1109845,1194471
CVE References: CVE-2018-16151,CVE-2018-16152,CVE-2018-17540,CVE-2021-45079
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): strongswan-4.4.0-6.36.12.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): strongswan-4.4.0-6.36.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): strongswan-4.4.0-6.36.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): strongswan-4.4.0-6.36.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released