Vulnerability overview
CVE ID: CVE-2026-50722
Vulnerability type: IKEv2 denial of service
Description: When Libreswan receives a malformed PKCS#1 v1.5 signature payload, an assertion is triggered and Libreswan aborts and restarts. If the RSA key is weak (e.g. e=3), an attacker can forge the authentication payload, leading to denial of service.

Affected scope
Affected versions: all versions up to 5.3
Unaffected versions: 5.3.1 and later

Remediation
Upgrade: upgrade to Libreswan 5.3.1 or later.
Patch: users who cannot upgrade can use the following patches:
- https://libreswan.org/security/CVE-2026-50722/

Exploit code (the page carries no exploit; the original PGP-signed advisory follows)

```plaintext
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2026-50722: IKEv2 Denial of Service via RSA-SM1 (PKCS#1 RSASSA-PKCS#1-v1.5)
authentication payload

This alert (and any updates) are available at the following URLs:
https://libreswan.org/security/CVE-2026-50722

(See also CVE-2026-50721 which is the IKEv1 variant of this bug)

The Libreswan Project was notified of an issue when it receives an invalidly
formatted PKCS#1.5 signature payload that authenticates the IKE exchange. The
vulnerability is similar to CVE-2018-16151. Use of RSA signatures over
certificates during X.509 certificate verifications of the remote IKE peer is
not affected by this vulnerability.

When the RSA exponent is weak (eg e=3), Bleichenbacher-style signature
forgeries are possible, resulting in an authentication bypass. Note that most
cryptographic library versions and Libreswan raw RSA key generation have not
allowed weak exponents for at least a decade, so valid RSA keys with weak
exponents should be very rare.

Additionally, the invalid RSA IKE authentication payload can trigger an
assertion, resulting in libreswan aborting and restarting. Continued sending
of such packets can result in a denial of service.

Severity: Medium
Vulnerable versions: all versions up to and including 5.3
Not vulnerable: 5.3.1 or later

Vulnerability details
=====================
Libreswan (in the RSA signature verification function signature_pkcs1_5_rsa())
did not correctly verify the DER encoding of the PKCS#1 v1.5 digest when the
IKEv2 AUTH payload was encoded using RSASSA-PKCS#1-v1.5 (RFC 8017).

A remote attacker can use a variation on the Bleichenbacher attack to forge
the AUTH payload when small public exponents are being used, which could lead
to impersonation. A remote attacker, by encoding a shorter than expected hash
in the AUTH payload, could trigger an assertion leading to denial-of-service.

Exploitation
============
If a server or client will accept RSA based IKEv2 connections via the default
authby settings, an attacker can cause a crash resulting in denial of service
and, while weak exponents are in use, cause an authentication bypass. Remote
code execution is not possible.

Workaround
==========
IKEv2 by default allows ECDSA, RSASSA-PSS, and allows RSA PKCS#1 1.5 as
fallback due to Microsoft Windows not supporting RSASSA-PSS. If Windows
support is not needed, one can configure authby=ecdsa or authby=rsa-sha2 (or
both via authby=ecdsa,rsa-sha2) to disallow the fallback of RSA PKCS#1 1.5.
The leftauth= and rightauth= settings can be updated similarly if those are in
use instead of authby.

History
=======
24-03-2026 Libreswan was notified of the issue via security@libreswan.org.
16-06-2026 Advanced notice given to supported customers and distributions.
24-06-2026 Public announcement and release of Libreswan 5.3.1.

Credits
=======
This vulnerability was found and reported by Yeongheon Choi and Buyeong Kim
and further code path vulnerabilities were found by Andrew Galey of the
Libreswan Team.

Upgrading
=========
To address this vulnerability, please upgrade to Libreswan 5.3.1 or later.

Patches
=======
For those who cannot upgrade, patches for Libreswan 4.15 and 5.3 are
available at: https://libreswan.org/security/CVE-2026-50722/

About Libreswan (https://libreswan.org/)
========================================
Libreswan is a free implementation of the Internet Key Exchange (IKE)
protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan
2.6.38. IKE is used to establish IPsec VPN connections.

IPsec uses strong cryptography to provide both authentication and encryption
services. These services allow you to build secure tunnels through untrusted
networks. Everything passing through the untrusted network is encrypted by the
IPsec gateway machine, and decrypted by the gateway at the other end of the
tunnel. The resulting tunnel is a virtual private network (VPN).
```
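The root cause the advisory describes is a PKCS#1 v1.5 verifier that parses the decoded signature instead of comparing the whole encoding. The following Python is an added illustration, not Libreswan's code: it contrasts a lenient parse-then-compare check with the strict RFC 8017 method (rebuild the expected encoded message and compare it in full), operating on the encoded message bytes that result after the RSA public-key operation. The message bytes and the malformed encoding are constructed here; no RSA forgery is computed.

```python
import hashlib
import hmac

# DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
DIGESTINFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def emsa_pkcs1_v15_encode(message: bytes, em_len: int, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): 00 01 FF..FF 00 || DigestInfo."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:          # RFC minimum: at least 8 bytes of 0xFF
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_lenient(em: bytes, message: bytes, hash_name: str) -> bool:
    """Parse-then-compare: skips to the 0x00 separator and checks only the
    DigestInfo it finds there. Neither the padding length nor any bytes after
    the DigestInfo are checked, which is the class of defect the advisory
    describes (this is a constructed illustration, not Libreswan's code)."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return False
    t = em[sep + 1:]
    expected_t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    return t[:len(expected_t)] == expected_t      # bug: trailing bytes ignored

def verify_strict(em: bytes, message: bytes, hash_name: str) -> bool:
    """Rebuild the one valid encoding for this length and compare all of it.
    Any length mismatch or malformed DER is a plain False, not an assertion."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em), hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def malformed_em(message: bytes, em_len: int, hash_name: str) -> bytes:
    """Constructed ill-formed encoding: minimal padding, then filler after the
    DigestInfo. Used only to exercise the two verifiers above."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    body = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return body + b"\x00" * (em_len - len(body))

MSG = b"constructed IKE_AUTH signed octets"    # stand-in for the signed data
```

With a 2048-bit key (256-byte encoded message), `verify_lenient` accepts `malformed_em(MSG, 256, "sha256")` while `verify_strict` rejects it, and both accept the properly encoded message.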