CVE-2018-5389 - OpenCVE

The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ietf	Internet Key Exchange

Configuration 1 [-]

cpe:2.3:a:ietf:internet_key_exchange:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blogs.cisco.com/security/great-cipher-but-where-did-you-get-that-key
https://my.f5.com/manage/s/article/K42378447
https://nvd.nist.gov/vuln/detail/CVE-2018-5389
https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html
https://www.cve.org/CVERecord?id=CVE-2018-5389
https://www.kb.cert.org/vuls/id/857035
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-09-06T21:00:00

Updated: 2024-08-05T05:33:44.296Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5389

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-06T21:29:00.220

Modified: 2024-06-24T20:15:09.857

Link: CVE-2018-5389

Redhat

Severity : Moderate

Publid Date: 2018-08-14T00:00:00Z

Links: CVE-2018-5389 - Bugzilla

{"containers": {"cna": {"title": "CVE-2018-5389", "descriptions": [{"lang": "en", "value": "The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "strongSwan", "product": "Strongswan", "versions": [{"status": "affected", "version": "5.5.1"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-521 Weak Password Requirements"}]}, {"descriptions": [{"lang": "en", "description": "CWE-323 Reusing a Nonce, Key Pair in Encryption"}]}], "references": [{"url": "https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf"}, {"url": "https://www.kb.cert.org/vuls/id/857035"}, {"url": "https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html"}, {"url": "https://blogs.cisco.com/security/great-cipher-but-where-did-you-get-that-key"}, {"url": "https://my.f5.com/manage/s/article/K42378447"}], "x_generator": {"engine": "VINCE 3.0.4", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2018-5389"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2024-06-24T19:08:15.699Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:33:44.296Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf", "tags": ["x_transferred"]}, {"url": "https://www.kb.cert.org/vuls/id/857035", "tags": ["x_transferred"]}, {"url": "https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html", "tags": ["x_transferred"]}, {"url": "https://blogs.cisco.com/security/great-cipher-but-where-did-you-get-that-key", "tags": ["x_transferred"]}, {"url": "https://my.f5.com/manage/s/article/K42378447", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-5389", "datePublished": "2018-09-06T21:00:00", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-08-05T05:33:44.296Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ietf:internet_key_exchange:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "D0BC9725-5040-49A7-B08D-C75C53779769", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network."}, {"lang": "es", "value": "El modo principal de Internet Key Exchange v1 es vulnerable a ataques de diccionario offline o de fuerza bruta. La reutilizaci\u00f3n de un par de claves en diferentes versiones y modos de IKE podr\u00eda conducir a omisiones de autenticaci\u00f3n en protocolos cruzados. Se sabe que el modo agresivo de IKEv1 PSK es vulnerable a ataques de diccionario offline o de fuerza bruta. Sin embargo, para el modo principal, se pensaba que solo ser\u00eda posible un ataque online contra la autenticaci\u00f3n PSK. Esta vulnerabilidad podr\u00eda permitir que un atacante recupere una PSK (Pre-Shared Key) d\u00e9bil o que suplante a un host o red v\u00edctimas."}], "id": "CVE-2018-5389", "lastModified": "2024-06-24T20:15:09.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-06T21:29:00.220", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://blogs.cisco.com/security/great-cipher-but-where-did-you-get-that-key"}, {"source": "cret@cert.org", "url": "https://my.f5.com/manage/s/article/K42378447"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/857035"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank CERT for reporting this issue.", "bugzilla": {"description": "IKEv1: IKEv1 protocol vulnerability in the authentication mode with pre-shared keys in the main mode of operation", "id": "1603064", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603064"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-325", "details": ["The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.", "It was found that IKEv1 (and potentially IKEv2) authentication when using a pre-shared key (PSK) is vulnerable to offline dictionary attacks in Main Mode as well as in Aggressive Mode. A man-in-the-middle attacker who intercepted the handshake of two peers authenticating with a PSK, could apply a brute-force attack to recover the shared secret."], "name": "CVE-2018-5389", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "ipsec-tools", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "openswan", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "openswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-08-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-5389\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-5389\nhttps://www.kb.cert.org/vuls/id/857035"], "statement": "PSK based authentication should only be used when the randomness and confidentially of the shared secret can be guaranteed. PSKs should also not be used as Group Secrets, where the security of the PSK is only as strong as the weakest participant in the group. Public Key or EAP authentication methods should be used whenever possible. If PSK must be used, it is essential to ensure the shared secret has a high degree of randomness and is not derived from a password with low entropy, as specified clearly in the IKEv2 specification in RFC 7296.\nTo use passwords for authentication of IKE/IPsec peers, the IKEv2 protocol supports various methods that are not based on (inherently weak) PSKs and which are not vulnerable to offline dictionary attacks:\nRFC 5998: EAP-Only Authentication in IKEv2\nRFC 6617: Secure Pre-Shared Key (PSK) Authentication for IKE\nRFC 6631: Password Authenticated Connection Establishment with IKEv2\nRFC 6628: Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2\nAs implementations supporting IKE assume the security of provided PSKs, and no mechanism within the protocol allows for password-stretching, we do not anticipate any software fixes becoming available.\nThe research paper that describes the problems of using weak PSKs also listed another security issue with respect to RSA keys that has different CVE numbers. Libreswan is not vulnerable to those attacks as it requires IKEv1 using either (\"Encryption with RSA\" (value 5) or \"Revised encryption with RSA\" (value 6). Both of these modes are not implemented by libreswan.", "threat_severity": "Moderate"}