StrongSwan Fixes Certificate Bug

Monday, May 6, 2013 @ 10:05 PM gHale


StrongSwan open source IPsec VPN software potentially accepts invalid digital signatures and certificates for IPsec connections.

The developers said the issue affects versions 4.3.5 up to 5.0.3 – but only if the OpenSSL crypto backend ends up enabled using –enable-openssl; the default crypto libraries are not vulnerable.

RELATED STORIES
Trojan Steals Legit Digital Certificates
Android Malware Hits Windows PCs
Trojan a Work of ‘Poetry’
Ransomware Encrypts Data

The problem occurs when verifying signatures end up based on the Elliptic Curve Digital Signature Algorithm (ECDSA); if such signatures use the OpenSSL plugin, strongSwan will handle empty, zeroed or otherwise invalid signatures as legitimate ones.

Developers said IKEv1 and IKEv2 suffer from the issue.

If a connection definition with ECDSA authentication exists on the IPsec gateway, attackers can potentially use a forged digital signature or bogus certificate to gain unauthorized access. There is some good news here strongSwan 5.0.4 fixes the bug.



Leave a Reply

You must be logged in to post a comment.