This Attack Has Been Around for 20 Years — And It’s Back Again With The Bleichenbacher Oracle Attack on VPNs
--
The Bleichenbacher attack [here] just refuses to go away. It has been known about for 20 years and has been at the core of many attacks on SSL. It returned in 2017 in the form of ROBOT (Return Of Bleichenbacher’s Oracle Threat, https://robotattack.org/), and it is now at the core of a new VPN vulnerability.
Introduction
Cryptography carries a long legacy, and our tunnels are set up by the client selecting from a number of possible methods that the server provides. Unfortunately, this can lead to a race to the bottom, where an intruder forces a downgrade attack and picks the cryptographic suites that are known to be weak, such as MD5, RC4 and DES.
Now the IPSec protocol — which creates VPNs and is often the core foundation of corporate security — has been shown to have a vulnerability in its IKEv1 key exchange method. This vulnerability allows an intruder to eavesdrop on the secure communications. While an upgraded protocol — IKEv2 — was meant to replace IKEv1, IKEv1 is still supported on many networks.
The paper was published at USENIX (15–17 August 2018) and involves researchers from Ruhr-University Bochum and the University of Opole [paper]:
Bleichenbacher Oracle Attack
The new attack is defined as the Bleichenbacher Oracle Attack (rated with a CVSS score of 5.9, a medium risk). Just like the original attack (outlined in the next section), it works by sending error-provoking messages to the VPN server, which replies with corrupted messages; each reply lets the intruder discover a little more information, until they can mimic one of the parties in the secure tunnel.
The vulnerability lies not in the standard but in poor implementations by vendors. At the time of writing, four vendors have been shown to be vulnerable to the attack:
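To show where such an oracle lives in an implementation, here is an added example (not code from the paper or from any vendor): a PKCS#1 v1.5 unpadding routine in its leaky form beside a hardened one, with a check of what a peer can observe from each. It assumes `block` is the raw RSA decryption output and that the payload is a fixed-length nonce, as in the RSA-encrypted-nonce authentication of IKEv1; `build_block` and `observable` are hypothetical helpers written for the demonstration.

```python
import os

# PKCS#1 v1.5 type-2 block, as produced by the raw RSA decryption (RFC 8017, 7.2.2):
#   0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M
# `block` below is assumed to be that decryption output, left-padded to the key length.

class PaddingError(Exception):
    """A distinguishable failure: a peer who can observe it has an oracle."""

def unpad_leaky(block: bytes, nonce_len: int) -> bytes:
    """Vulnerable form: returns early and raises a distinct error for each padding defect.
    Any visible difference between the error and success paths (an error notification,
    an aborted exchange, timing) is exactly the Bleichenbacher oracle."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise PaddingError("bad header")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # PS shorter than 8 bytes, or no separator at all
        raise PaddingError("bad padding string")
    msg = block[sep + 1:]
    if len(msg) != nonce_len:
        raise PaddingError("bad length")
    return msg

def unpad_hardened(block: bytes, nonce_len: int) -> bytes:
    """Hardened form: every input takes the same path, all checks fold into one flag, and
    a bad block yields a fresh random nonce instead of an error, so the peer sees the same
    behaviour either way (the countermeasure RFC 5246, 7.4.7.1 gives for TLS). Python
    cannot guarantee constant time; it is the structure that is illustrated here."""
    k = len(block)
    bad = int(k < 11 + nonce_len) | int(block[:2] != b"\x00\x02")
    sep = -1
    for i in range(2, k):  # scan the whole block, no early exit
        if sep < 0 and block[i] == 0x00:
            sep = i
    bad |= int(sep < 10) | int(k - sep - 1 != nonce_len)
    fallback = os.urandom(nonce_len)  # always generated, whether or not it is used
    return fallback if bad else block[k - nonce_len:]

def build_block(key_len: int, nonce: bytes) -> bytes:
    """Constructed test input: a correctly padded block carrying `nonce`."""
    ps = bytes(b or 1 for b in os.urandom(key_len - 3 - len(nonce)))  # PS must be non-zero
    return b"\x00\x02" + ps + b"\x00" + nonce

def observable(unpad, block: bytes, nonce_len: int) -> str:
    """What a peer can observe of the server: did the exchange continue or abort?"""
    try:
        unpad(block, nonce_len)
        return "continue"
    except PaddingError:
        return "abort"  # the signal a leaky server gives away
```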
- Cisco (CVE-2018-0131). Cisco are already sending out…