We love free and open web!

Certificate bug in open source IPsec VPN

03 May
0
VPN News 0 views

strongSwan VPN logo
The strongSwan open source IPsec VPN software potentially accepts invalid digital signatures and certificates for IPsec connections. The developers report that the issue affects versions 4.3.5 up to 5.0.3 – but only if the OpenSSL crypto backend is enabled using --enable-openssl; the default crypto libraries are not vulnerable.

The problem occurs when verifying signatures that are based on the Elliptic Curve Digital Signature Algorithm (ECDSA); if such signatures are verified using the OpenSSL plugin, strongSwan will handle empty, zeroed or otherwise invalid signatures as legitimate ones. The developers say that both IKEv1 and IKEv2 are affected.

If a connection definition with ECDSA authentication exists on the IPsec gateway, attackers can potentially use a forged digital signature or bogus certificate to gain unauthorised access. strongSwan 5.0.4 fixes the bug.

comments powered by Disqus

RECENT POSTS

Blog categories

Submit your own article

If you have anything to share in our blog just send it to contact [at] vpntutorials.com.