Full Disclosure mailing list archives
Cisco Security Notice
From: <malacoda23 () hushmail com>
Date: Fri, 16 Apr 2004 10:08:48 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Notice: Cisco IPsec VPN Implementation Group Password Usage Vulnerability For Public Release 2004 April 15 1600 UTC (GMT) ---------------------------------------------------------------- - ------ Contents Summary Details Workarounds Status ---------------------------------------------------------------- - ------ Summary This Security Notice is being released due to the new information received by Cisco PSIRT regarding the Cisco IPsec VPN implementation, Group Password Usage Vulnerability. Details Proof of Concept code now exists for: * Recovering the Group Password - The Group Password used by the Cisco Internet Protocol Security (IPsec) virtual private network (VPN) client is scrambled on the hard drive, but unscrambled in memory. This password can now be recovered on both the Linux and Microsoft Windows platform implementations of the Cisco IPsec VPN client. This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed41329 (registered customers only) . * The Linux implementation vulnerability was reported by Karl Gaissmaier, University of Ulm, Germany. * The Microsoft Windows implementation vulnerability was reported by Jonas Eriksson and Nicholas Kathmann. * Man In The Middle (MITM) attack to emulate a VPN head end server for stealing valid user names and passwords or hijacking connections using a previously recovered Group Password - This vulnerability exists whenever Group Passwords are used as the pre-shared key during Internet Key Exchange (IKE) Phase 1 in the XAUTH protocol. The user name and password in XAUTH are transmitted over the network only encrypted by the Phase 1 IKE security association (SA) which in this case are derived from the Group Password. Anyone in possession of the Group Passwords will have the ability to either hijack a connection from a valid user, or pose as a VPN head end for stealing user names and passwords. Workarounds Cisco shall implement a proprietary implmenetation of High Order Negotiation Challenge/Response Authentication of Cryptographic Keys or the HighONCRACK protocol as it is to henceforth be known. It will work with IKE. To address some of their other VPN isecurity issues Cisco also plans to implement the Temporal Integrity Negotiation Algorithm or (TINA) a proprietary extension to Internet Key Exchange (IKE). When implemented properly, during the establishment of a security association, after getting HighONCRACK, IKE will use TINA for the negotiation of all tunneling. Status of This Notice: INTERIM -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAkCAEnEACgkQwTSVJxbcR5dPkwCgrODhr2X3nJ0T9m/3AZq/AXKf5RoA n1w3jdUTZxJMd1fJuZa37Vmug1Gu =Vboj -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Cisco Security Notice malacoda23 (Apr 16)