Written by / Agency / Source: Codenomicon Ltd
Codenomicon Helps Fix RSA Signature Verification Vulnerability in StrongSwan

 

NewswireToday - Oulu, Finland, 2012/06/12 - Vulnerability in VPN software allows attacker to log in as a legitimate user - StrongSwan.org / Codenomicon.com.

   
 
The Codenomicon Robust Open Source Software (CROSS) team found and reported a critical vulnerability in strongSwan's RSA signature verification. If exploited, this vulnerability allows an attacker to authenticate as a legitimate user by presenting a forged signature and/or certificate. The CROSS team reported the vulnerability to CERT-FI, which coordinated the vulnerability handling process with the strongSwan development team.

"When I first saw this vulnerability, it was almost like from the movies. We practically had a master key to log into any VPN system based on strongSwan," said Riku Hietamäki, senior security researcher from Codenomicon.

Operating systems and VPN appliances alike have integrated strongSwan, and it is one of the most popular open source VPN solutions. The vulnerability is highly critical, exposing systems to zero-day attacks. Finding this bug required generation-based, fully protocol-aware, model-based fuzzing.

"Codenomicon Defensics is simply superior in fuzzing complex security protocols such as IKE," said Ari Takanen, CTO and co-founder of Codenomicon. "It's important to fuzz-test critical software packages such as VPN daemons that are intended to enhance your security posture, instead of having them weaken it," he continued.

IKE RSA authentication is based on RSA key pairs. In the IKE protocol, a connecting IKE client sends an authentication message, which contains an authentication payload, to an IKE server. The authentication payload is a signature which is calculated using the client's private key. No one else should be able to generate the signature, because nobody else has the client's private key. In this case, the vulnerable code allowed a specifically constructed signature to be handled as a legitimate one. Therefore the private key, which is the central point of the whole Public Key Infrastructure, was not needed to gain access to the IKE server.

The vulnerable code is found in the gmp plugin, which is used for RSA signature verification on many platforms. A connection definition using RSA authentication is required to exploit the vulnerability. Such an attack does not enable injecting code. Both IKEv1 and IKEv2 are affected. As a workaround, the openssl or gcrypt plugin may be used for RSA signature verification. The latest release of strongSwan (strongswan.org) fixes the security vulnerability (CVE-2012-2388), which exists in all versions from 4.2.0 to 4.6.3. All users of strongSwan are strongly encouraged to upgrade their systems.

While this vulnerability is limited to specific versions of strongSwan, similar defects could exist in other VPN products. All strongSwan users are strongly encouraged to contact Codenomicon to determine if they are vulnerable. Likewise, those using other closed or open source VPN products are urged to contact Codenomicon for instructions on how to assess the systems they are using or developing.

For a test procedure to look for this and other unknown vulnerabilities in your VPN software, please contact Codenomicon at cross[.]codenomicon.com.

For more information regarding the CROSS project, visit codenomicon.com/labs/cross/.

About Codenomicon Ltd
Codenomicon (codenomicon.com) finds security vulnerabilities others can't find. Companies rely on Codenomicon's solutions to discover zero-day vulnerabilities that cause Denial of Service (DoS) and data leakage if exploited by hackers -- the unknown vulnerabilities Advanced Persistent Threats (APTs) use to break into systems. Codenomicon's customers include Alcatel-Lucent, AT&T, Cisco Systems, Microsoft, Motorola, Google, Verizon, Nokia Siemens Networks, Huawei, and T-Systems.

 
 
Publisher Contact: Ari Takanen - Codenomicon.com 
+358-40-5067678 press[.]codenomicon.com
 