CVE-2018-15836

Published: Sep 26, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In verify_signed_hash() in lib/liboswkeys/signatures.c in Openswan before 2.6.50.1, the RSA implementation does not verify the value of padding string during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used. IKEv2 signature verification is affected when RAW RSA keys are used.

Affected (1)

Products: Xelerance: Openswan

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Xelerance Openswan	Before 2.6.50.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51

Source: cve@mitre.org

PatchVendor Advisory

https://github.com/xelerance/Openswan/commit/9eaa6c2a823c1d2b58913506a15f9474bf857a3d

Source: cve@mitre.org

PatchVendor Advisory

https://lists.openswan.org/pipermail/users/2018-August/023761.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://github.com/xelerance/Openswan/commit/9eaa6c2a823c1d2b58913506a15f9474bf857a3d

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://lists.openswan.org/pipermail/users/2018-August/023761.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.