It was found that IKEv1 (and potentially IKEv2) authentication when using a pre-shared key (PSK) is vulnerable to offline dictionary attacks in Main Mode as well as in Aggressive Mode. A man-in-the-middle attacker who intercepted the handshake of two peers authenticating with a PSK could apply a brute-force attack to recover the shared secret.
Find out more about CVE-2018-5389 from the MITRE CVE dictionary and NIST NVD.
PSK-based authentication should only be used when the randomness and confidentiality of the shared secret can be guaranteed. PSKs should also not be used as group secrets, where the security of the PSK is only as strong as the weakest participant in the group. Public key or EAP authentication methods should be used whenever possible. If a PSK must be used, it is essential to ensure the shared secret has a high degree of randomness and is not derived from a password with low entropy, as the IKEv2 specification (RFC 7296) clearly requires.
To use passwords for authentication of IKE/IPsec peers, the IKEv2 protocol supports various methods that are not based on (inherently weak) PSKs and which are not vulnerable to offline dictionary attacks:
RFC 5998: EAP-Only Authentication in IKEv2
RFC 6617: Secure Pre-Shared Key (PSK) Authentication for IKE
RFC 6631: Password Authenticated Connection Establishment with IKEv2
RFC 6628: Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
As implementations supporting IKE assume the security of provided PSKs, and no mechanism within the protocol allows for password-stretching, we do not anticipate any software fixes becoming available.
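Because the only remediation is operational (replace low-entropy PSKs with random ones), the following audit script is an added example, not part of the advisory or of the libreswan project. It assumes the `ipsec.secrets` line syntax `<selectors> : PSK "string"` or `: PSK 0xhex` with IPv4 or `%any` selectors, and a policy floor of 128 bits is an assumed value; the sample file content is constructed.

```python
import math
import re
import secrets
from collections import Counter

# ipsec.secrets(5) syntax as used by libreswan: '<selectors> : PSK <secret>',
# where <secret> is a double-quoted string or a 0x-prefixed hex value.
# Assumption: selectors are IPv4 addresses or %any (no colons in them).
PSK_LINE = re.compile(r'^(?P<sel>[^:#]*):\s*PSK\s+(?P<secret>"[^"]*"|0x[0-9A-Fa-f]+)')
MIN_BITS = 128.0  # assumed policy floor for a PSK that must survive offline guessing

def psk_bytes(token: str) -> bytes:
    """Decode the secret token the way the file format defines it."""
    if token.startswith("0x"):
        return bytes.fromhex(token[2:])
    return token.strip('"').encode()

def estimate_bits(secret: bytes) -> float:
    """Shannon entropy per byte times length: an UPPER bound on PSK strength. It flags
    short or low-alphabet secrets but cannot tell a dictionary word from random text."""
    n = len(secret)
    if n == 0:
        return 0.0
    per_byte = -sum(c / n * math.log2(c / n) for c in Counter(secret).values())
    return per_byte * n

def audit_secrets(text: str) -> list:
    """Return (selectors, estimated_bits, weak) for each PSK entry found in text."""
    findings = []
    for line in text.splitlines():
        m = PSK_LINE.match(line.strip())
        if m:
            bits = estimate_bits(psk_bytes(m.group("secret")))
            findings.append((m.group("sel").strip(), round(bits, 1), bits < MIN_BITS))
    return findings

def generate_psk(nbytes: int = 32) -> str:
    """Replacement PSK in 0x hex form from the OS CSPRNG (256 bits by default)."""
    return "0x" + secrets.token_hex(nbytes)

# Constructed sample file content; not taken from any real deployment.
SAMPLE = """# comment line
%any %any : PSK "password123"
192.0.2.1 198.51.100.7 : PSK 0x4d7a1c9e3b0f6a2d8e5c7b1a9f3e2d6c0b8a7f5e4d3c2b1a9e8f7d6c5b4a3f2e
"""

if __name__ == "__main__":
    for sel, bits, weak in audit_secrets(SAMPLE):
        print(f"{sel}: ~{bits} bits {'WEAK' if weak else 'ok'}")
    print("suggested replacement:", generate_psk())
```

A passing estimate is necessary but not sufficient: the estimator rates any 32 bytes of varied values highly, so generate replacements from a CSPRNG rather than trying to "fix" a human-chosen password.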
The research paper that describes the problems of using weak PSKs also lists another security issue, concerning RSA keys, that is tracked under different CVE numbers. Libreswan is not vulnerable to those attacks, as they require IKEv1 using either "Encryption with RSA" (value 5) or "Revised encryption with RSA" (value 6). Neither of these modes is implemented by libreswan.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| CVSS3 Base Score | 5.9 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | libreswan | Will not fix |
| Red Hat Enterprise Linux 6 | openswan | Will not fix |
| Red Hat Enterprise Linux 6 | libreswan | Will not fix |
| Red Hat Enterprise Linux 5 | ipsec-tools | Will not fix |
| Red Hat Enterprise Linux 5 | openswan | Will not fix |