CVE-2018-16151
Published: 24 September 2018
In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
strongswan Launchpad, Ubuntu, Debian |
bionic |
Released
(5.6.2-1ubuntu2.2)
|
| precise |
Does not exist
|
|
| trusty |
Released
(5.1.2-0ubuntu2.10)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(5.3.5-1ubuntu3.7)
|