The IPsec UDP protocol implementation in the SilverPeak EdgeConnect product fails to provide the claimed perfect forward secrecy property. Additionally, the product provides interfaces and has vulnerabilities that can be used to reconstruct the traffic encryption keys for all tunnels.
This design and implementation make the following scenarios possible:
1. Crypto backdoor or kleptographic mechanism. A legitimate user with admin privileges can retrieve all seed and nonce values through the API and then derive the keys. This can be done for each epoch, so the user will be able to decrypt traffic sent in all epochs.
2. An attacker can carry out the same scenario by exploiting any vulnerability in the Web UI that can leak the seed and nonces.
The fundamental difference between the original IPsec PFS and IPsec UDP is that the original IPsec destroys the ephemeral keys immediately. It doesn't store them and doesn't provide an interface to access them.
We were able to reproduce the issue on the following versions of EdgeConnect software:
1. 8.1.9
2. 8.1.7
3. 8.1.4
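The contrast drawn above, as an added example that is not from the original post or from the product: a toy model in which per-epoch keys are derived from a stored seed and nonces, beside one in which they come from ephemeral Diffie-Hellman exponents that are not kept. The HMAC-SHA256 derivation, the field names and the small DH group are assumptions for illustration; the product's actual key derivation is not shown on this page.

```python
import hashlib
import hmac
import secrets

# Toy DH group, far too small for real use (assumption for this demo).
P = 2**127 - 1
G = 3

def kdf(secret: bytes, label: bytes) -> bytes:
    """32-byte traffic key; HMAC-SHA256 is an assumption, not the product's KDF."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def seed_based_epoch(seed: bytes, epoch: int):
    """Key fully determined by a long-lived seed and per-epoch nonces,
    all of which remain stored and readable after the epoch ends."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    key = kdf(seed, nonce_a + nonce_b + epoch.to_bytes(4, "big"))
    retained = {"seed": seed, "nonce_a": nonce_a, "nonce_b": nonce_b, "epoch": epoch}
    return key, retained

def rederive_from_retained(retained: dict) -> bytes:
    """Whoever reads the stored values recomputes that epoch's key."""
    label = retained["nonce_a"] + retained["nonce_b"] + retained["epoch"].to_bytes(4, "big")
    return kdf(retained["seed"], label)

def ephemeral_dh_epoch(epoch: int):
    """Key from ephemeral DH; private exponents never leave this call."""
    x = secrets.randbelow(P - 2) + 1  # side A private exponent
    y = secrets.randbelow(P - 2) + 1  # side B private exponent
    pub_a, pub_b = pow(G, x, P), pow(G, y, P)
    shared = pow(pub_b, x, P)
    assert shared == pow(pub_a, y, P)  # both sides agree on the secret
    key = kdf(shared.to_bytes(16, "big"), epoch.to_bytes(4, "big"))
    # Only public values are kept. Real code would also zeroize x, y, shared.
    return key, {"pub_a": pub_a, "pub_b": pub_b, "epoch": epoch}

if __name__ == "__main__":
    seed = secrets.token_bytes(32)
    for epoch in range(3):
        key, stored = seed_based_epoch(seed, epoch)
        print(epoch, "seed scheme key recoverable:", rederive_from_retained(stored) == key)
        _, kept = ephemeral_dh_epoch(epoch)
        print(epoch, "DH scheme retains only:", sorted(kept))
```

In the first model every past epoch stays decryptable for as long as the seed and nonces are readable; in the second, what remains after the exchange contains no input from which the key can be directly recomputed.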
Details
Enjoy