PSIRT Advisory

Bleichenbacher and Dictionary Attacks on IPsec IKE

Summary

Two new attacks on IPsec IKE (Internet Key Exchange) were recently disclosed [1]. They involve multiple ways to attack IKE signature-based and PSK (Pre-Shared Key) authentication. The end goal is to crack IPsec VPN encrypted communications.
The relevant CVEs are:
CVE-2018-5389: Practical Dictionary Attacks on IPsec IKE
CVE-2018-0131: Bleichenbacher Attacks on IPsec IKE

Impact

Information Disclosure

Affected Products

FortiOS is affected by CVE-2018-5389 when using a Pre-Shared Key as the IKE authentication method in IPsec VPN.

FortiOS is not impacted by CVE-2018-0131, since the related IPsec IKE authentication features (PKE/RPKE) are not supported.
The following products are not affected by any of the CVEs above:
FortiAP
FortiAnalyzer
FortiSwitch

Solutions

Since CVE-2018-5389 is a protocol-level attack that enables dictionary-based brute-force cracking, the following mitigations either prevent it altogether or drastically lower its practical feasibility:
1. Choose digital signature authentication (RSA authentication with Certificates) instead of Pre-Shared Key in IKE authentication. This effectively prevents the attack completely.
2. If the above is not acceptable given the environment, and Pre-Shared Key has to be chosen, a minimum of 12 high-entropy random ASCII characters should be used as the key (with 20 characters being preferable). This renders the attack impractical given the computing power currently available for brute-force cracking.
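
One way to apply the second mitigation, as an added example that is not part of the original advisory or any Fortinet tooling: generate a key from the operating system CSPRNG and screen existing keys for obvious weaknesses. The function names, the 91-character alphabet, the diversity threshold and the sample wordlist are assumptions made for this example.

```python
import math
import secrets
import string

MIN_LEN, PREFERRED_LEN = 12, 20  # lengths recommended by the advisory
# Assumption for this example: printable ASCII minus quotes and backslash,
# which often need escaping when a key is pasted into a device CLI.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "\"'\\")

def generate_psk(length=PREFERRED_LEN):
    """Return a key drawn uniformly from ALPHABET using the OS CSPRNG."""
    if length < MIN_LEN:
        raise ValueError(f"PSK must be at least {MIN_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random key of the given length."""
    return length * math.log2(alphabet_size)

def audit_psk(psk, wordlist=()):
    """Return findings for an existing key. An empty list means no obvious
    weakness was found; it cannot prove the key was randomly generated."""
    findings = []
    if len(psk) < MIN_LEN:
        findings.append("shorter than 12 characters")
    if not all(33 <= ord(c) <= 126 for c in psk):
        findings.append("contains space, control or non-ASCII characters")
    if len(set(psk)) < len(psk) / 2:  # heuristic threshold (assumption)
        findings.append("low character diversity")
    lowered = psk.lower()
    if any(len(w) >= 4 and w.lower() in lowered for w in wordlist):
        findings.append("contains a dictionary word")
    return findings

if __name__ == "__main__":
    words = ["company", "password", "welcome"]  # constructed sample wordlist
    # The first two keys are constructed weak samples; the third is generated.
    for key in ["Company2018!", "aaaaaaaaaaaa", generate_psk()]:
        print(repr(key), audit_psk(key, words) or "no findings")
    print(f"{keyspace_bits(MIN_LEN):.0f} bits at {MIN_LEN} chars, "
          f"{keyspace_bits(PREFERRED_LEN):.0f} bits at {PREFERRED_LEN} chars")
```

The constructed key `Company2018!` meets the 12-character minimum yet is still flagged, which is why the advisory asks for random characters rather than length alone.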