IKEv1 cipher suite configuration mismatch in Siemens SIMATIC CP 343-1 Advanced

The following issue has been reported to Siemens ProductCERT in relation to
Siemens Security Advisory SSA-603476, published on 2016-11-21.

The issue has been treated with lower priority and treated outside the scope
of SSA-603476 due to its lower security impact.

As the finding is now addressed [1] the following details are published. 

------------------------------------------------------------------------------

Summary: Inconsistency of IKEv1 cipher suite configuration

Tested product: Siemens SIMATIC CP 343-1 Advanced (tested with fw V3.0.44)
                [note: other SIMATIC family products may be affected]

Description:

In the establishment of IPSec tunnels, the Internet Key Exchange (IKE)
protocol allows to setup the Security Association (SA) necessary to exchange
encryption cipher information and the session shared secret, with mutual
authentication of the two parties.

The SIMATIC CP 343-1 Advanced product allows configuration of the IKEv1
cipher suite configuration, which specifies the IKE and Encapsulating
Security Payload (ESP) supported algorithms, with one cipher for each
setting.

It is evaluated that the configuration is not consistent with the supported
ciphers that are eventually applied on the IPSec responder of the SIMATIC CP
343-1 Advanced.

In fact, regardless of the selected choice for the ESP cipher, it is always
possible for the IPSec client to propose, and successfully use, DES, 3DES,
AES128 and AES256.

This invalidates the potential desire to enforce a stronger cipher, as the
client can always decide to use weaker ones.

It should be noted that the NULL ESP cipher is also accepted when
establishing the SA, however its usage leads to no response packets from the
tunnel. It is speculated that the NULL cipher is forcibly disabled with a
different code flow than normal unsupported cipher handling.

Similarly the IKE cipher suite only supports 3DES (with SHA1 HMAC),
regardless of its configuration on the SIMATIC CP 343-1 Advanced.

Despite the possibility of IPSec tunnel establishment with cipher suites not
compliant with the SIMATIC CP 343-1 Advanced intended configuration, the
selection of weaker ciphers can only be driven by a mutually authenticated
client, limiting the impact of the issue.

It is nonetheless recommended to ensure a strong and correct IPSec client
configuration, when leveraging the SIMATIC CP 343-1 Advanced VPN features.

CVE: N/A

Mitigation: Siemens ProductCERT reported on 2016-01-02 that the issue has been
            addressed with release of SCT V4.3 HF [1]

Credit: Inverse Path auditors in collaboration with AIRBUS ICT Industrial
        Security team

[1] https://support.industry.siemens.com/cs/ww/en/view/109744041

------------------------------------------------------------------------------

-- 
Andrea Barisani                             Inverse Path Srl
Chief Security Engineer                     -----> <--------

<andrea@inversepath.com>          http://www.inversepath.com
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"