CVE-2018-16151 in strongSwan
Summary
by MITRE
In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.
Analysis
by VulDB Data Team • 12/03/2025
The vulnerability described in CVE-2018-16151 affects strongSwan versions 4.x and 5.x before 5.7.0, specifically the RSA implementation in the gmp plugin. The flaw lies in the verify_emsa_pkcs1_signature() function in gmp_rsa_public_key.c, which does not strictly validate the structure of the decoded PKCS#1 v1.5 signature during verification. Because excess data after the encoded algorithm OID is tolerated rather than rejected, the check accepts encodings that a correct signer would never produce, and that tolerance is what makes the verification bypass possible.
This vulnerability is a classic implementation flaw in cryptographic signature verification; it aligns with CWE-20 "Improper Input Validation" and belongs to the broader category of weaknesses in signature verification processes. It specifically affects the PKCS#1 v1.5 padding scheme used for RSA signatures, whose expected structure the implementation does not strictly enforce. When small public exponents are in use, the weakness becomes exploitable, because the mathematical properties of such exponents give an attacker room to craft a value that passes the lenient verification check.
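To make the structural point concrete, the following added example (written for this page, not strongSwan's code) models the two ways of checking an EMSA-PKCS1-v1_5 encoded message EM, i.e. the k-byte value recovered as s^e mod n before anything else happens. lenient_verify_em() is a constructed model of the behaviour described above: it walks the DER DigestInfo, matches the hash OID and never looks at what follows the OID inside the AlgorithmIdentifier. strict_verify_em() is the hardened form RFC 8017 section 8.2.2 prescribes: rebuild the complete expected encoding from the message and compare it byte for byte, so any excess data anywhere in the structure fails. The message, key size and excess bytes are constructed sample values; the helper names are this example's own.

```python
import hashlib
import hmac

# OID 2.16.840.1.101.3.4.2.1 (id-sha256) as DER content bytes.
SHA256_OID = bytes.fromhex("608648016503040201")

# Full DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1):
#   SEQUENCE { SEQUENCE { OID id-sha256, NULL }, OCTET STRING (32 bytes) }
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def expected_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 8017, 9.2): 0x00 0x01 PS 0x00 T, k bytes long."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strict_verify_em(em: bytes, message: bytes) -> bool:
    """Hardened check: rebuild the whole expected encoding and compare every byte.

    Any deviation, including extra bytes anywhere in DigestInfo or a shortened
    padding string, fails. This is the comparison RFC 8017 section 8.2.2 step 4
    prescribes, and it needs no DER parsing of untrusted input at all."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one short-form DER TLV with the given tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80:
        raise ValueError("unexpected DER element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return buf[pos + 2:end], end


def lenient_verify_em(em: bytes, message: bytes) -> bool:
    """Constructed model of the weak check the advisory describes (not strongSwan's code).

    It parses the encoding field by field, matches the hash OID, then moves
    straight on to the digest OCTET STRING. Whatever sits after the OID inside
    the AlgorithmIdentifier is never examined."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    try:
        digest_info, _ = _read_tlv(em, i + 1, 0x30)
        alg_id, pos = _read_tlv(digest_info, 0, 0x30)
        oid, _ = _read_tlv(alg_id, 0, 0x06)          # bytes after the OID are ignored
        digest, _ = _read_tlv(digest_info, pos, 0x04)
    except ValueError:
        return False
    return oid == SHA256_OID and hmac.compare_digest(digest, hashlib.sha256(message).digest())


def em_with_excess_after_oid(message: bytes, k: int, excess: bytes) -> bytes:
    """Constructed test vector: a DigestInfo whose AlgorithmIdentifier carries
    `excess` bytes after the OID in place of the NULL parameters, with the padding
    string shortened to keep the total length at k. A correct signer never emits this."""
    alg_body = b"\x06" + bytes([len(SHA256_OID)]) + SHA256_OID + excess
    alg_id = b"\x30" + bytes([len(alg_body)]) + alg_body
    digest = b"\x04\x20" + hashlib.sha256(message).digest()
    di_body = alg_id + digest
    if len(di_body) >= 0x80:
        raise ValueError("short-form DER only in this example")
    t = b"\x30" + bytes([len(di_body)]) + di_body
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("too much excess for this key size")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def demo() -> dict:
    """Run both checks over a correct encoding and one with excess bytes after the OID."""
    message = b"constructed sample: IKE_AUTH signed octets"
    k = 128                                           # 1024-bit modulus, sample size only
    good = expected_em(message, k)
    bad = em_with_excess_after_oid(message, k, b"\x05\x00" + bytes(8))
    return {
        "strict_good": strict_verify_em(good, message),
        "lenient_good": lenient_verify_em(good, message),
        "strict_excess": strict_verify_em(bad, message),
        "lenient_excess": lenient_verify_em(bad, message),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running demo() shows the lenient model accepting both encodings while the strict comparison accepts only the correct one. The same byte-for-byte comparison also closes the related digestAlgorithm.parameters variant the summary mentions, because it never interprets the AlgorithmIdentifier at all: either the whole encoding matches what the verifier would have produced itself, or the signature is rejected.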
The operational impact of this vulnerability is significant for systems relying on IKEv2 authentication with RSA signatures, as it enables remote attackers to forge valid signatures without possessing the corresponding private key. This creates a substantial risk of impersonation attacks where an attacker can successfully authenticate to systems that trust the forged signatures. The vulnerability is particularly dangerous in environments where only RSA signatures are used for IKEv2 authentication without additional authentication mechanisms, as it completely undermines the cryptographic integrity of the authentication process.
From an attack perspective, this vulnerability maps to several ATT&CK techniques, including T1552.004 "Password Hashes" and T1078.004 "Valid Accounts", since a successful signature forgery could grant unauthorized access to VPN services. The attack requires a remote attacker who can intercept or manipulate the signature verification process, which makes it particularly concerning for network security infrastructure. Exploitation is facilitated by the use of small public exponents, which are common in certain implementations and make it mathematically feasible to construct signatures that pass the lenient check.
The recommended mitigation strategy involves upgrading to strongSwan version 5.7.0 or later, which includes the necessary patches to properly validate signature structures and reject excess data during PKCS#1 v1.5 verification. Organizations should also consider implementing additional security controls such as certificate pinning, monitoring for unusual authentication patterns, and ensuring that authentication mechanisms include multiple factors beyond simple RSA signature verification. Network segmentation and access controls should be reviewed to limit the potential impact of successful exploitation, while security teams should monitor for any signs of attempted exploitation of this vulnerability in their environments.