Cisco, one of the world's largest vendor of networking equipment, released security updates today to patch a vulnerability in the IOS and IOS XE operating systems that run the vast majority of its devices.
The vulnerability is tracked as CVE-2018-0131 and is one of four CVE identifiers for a new Bleichenbacher oracle cryptographic attack against the IKE (Internet Key Exchange) protocol.
This new attack is described is a recently published research paper entitled "The Dangers of Key Reuse: Practical Attacks on IPsec IKE," set to be presented at the 27th Usenix Security Symposium later this week in Baltimore, USA. From the paper's abstract:
Researchers say their attack works against the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129).
The research team, made up of three academics from the Ruhr-University Bochum, Germany and two from the University of Opole, Poland, say they notified vendors that had products vulnerable to this attack.
"All vendors published fixes or removed the particular authentication method from their devices’ firmwares in response to our reports," researchers said.
Cisco was by far the biggest vendor affected by this flaw, and the hardest hit. CVE-2018-0131 affects the company's main product, the IOS (Internetworking Operating System), and its Linux-based offshoot, IOS XE.
The IOS XR operating system, which runs on a different codebase and is used mainly for carrier-grade routers, is not affected.
Cisco released patches today for both OSes. The company says that any IOS and IOS XE device that's configured with the "authentication rsa-encr" option is vulnerable.
According to Cisco, this flaw "could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session."
"The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces," Cisco said in a security advisory.
"With our attack you can do an active online attack. But it is impossible to recover data from an already established IPsec session with our approach," Martin Grothe, one of the researchers behind this new attack has told Bleeping Computer via email.
"IKE runs before IPsec, thus you can only attack the first Phase of IKE and if you succeed you are able to impersonate another IPsec endpoint or be an active man-in-the middle and read/write data to that session," he added.
Article updated with comment from researchers.