​Cisco patches router OS against new crypto attack on business VPNs

New attack threatens enterprise VPN and could enable target networks to be impersonated or allow a man-in-the-middle attack.
Written by Liam Tung, Contributing Writer

Cisco has released a patch for its widely-used IOS and IOS XE switch and router software as researchers plan to reveal a flaw in the Internet Key Exchange (IKE) protocol used to setup IPSec-protected VPNs.

The networking and security giant released the patches ahead of this week's 27th USENIX Security Symposium in Baltimore, where researchers will present new attacks on IPsec IKE that could threaten large VPNs used, for example, by industrial information exchanges and wireless carrier backhaul running on Cisco kit.

The attacks were found by: Dennis Felsch, Martin Grothe, and Jörg Schwenk from Germany's Ruhr-University Bochum; Adam Czubak and Marcin Szymanek, University of Opole in Poland.

The attack is possible due to reusing a key pair across the first and second versions of the IKE key exchange protocol, IKEv1 and IKEv2, and would allow an attacker to impersonate a network or carry out a man-in-the-middle attack against two parties.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

"[W]e show that reusing a key pair across different versions and modes of IKE can lead to cross- protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers," the group explain in a paper.

"We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2.

"Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE."

As they note, even though IKEv2 superseded IKEv1, both can be implemented in all major operating systems and network devices, like switches and firewalls. They also found the same IKE flaws in equipment from rival network gear makers, Huawei, Clavister and ZyXEL. This included Huawei's Secospace USG2000 series firewall.

Along with Cisco's patch for CVE-2018-0131 affecting IOS and its Linux-based IOS XE software, new firmware that addresses the attack have been released by Huawei, Clavister, and ZyXEL, according to the researchers.

Cisco has rated the bug as a medium severity issue in its advisory where it notes that its QNX-based IOS XR is not affected. The issue only affects IOS, the most widely deployed software for Cisco switches and routers, and IOS XE software configured with the "authentication rsa-encr" option.

"A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session," explained Cisco.

"The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces." Cisco said it was not aware of any malicious use of the vulnerability.


Editorial standards