Published: 27 June 2005
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2005.0476
     Cisco Security Notice: Cisco IPSec VPN Implementation Group Name
                         Enumeration Vulnerability
                               27 June 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco VPN 3000 Concentrator
Publisher:         Cisco Systems
Impact:            Inappropriate Access
Access:            Remote/Unauthenticated

Original Bulletin:
  http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Notice: Cisco IPSec VPN Implementation Group Name
Enumeration Vulnerability

Revision 1.0

For Public Release 2005 June 24 1300 UTC (GMT)

---------------------------------------------------------------------

Contents
========

Summary
Details
Affected Products
Software Versions and Fixes
Obtaining Fixed Software
Workarounds and Mitigation
Acknowledgment
Status of This Notice: FINAL
Revision History
Cisco Security Procedures
Related Information

---------------------------------------------------------------------

Summary
=======

This Cisco Security Notice is being released in response to the Cisco VPN
Concentrator Group Name Enumeration Vulnerability advisory published on
June 20, 2005 by NTA Monitor at
http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm

Cisco has made free software available to address this vulnerability.

This security notice is posted at
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

Details
=======

This vulnerability allows an attacker to discover which group names are
configured and valid on a VPN 3000 Concentrator.

It only affects customers using a PSK (pre-shared key) for group
authentication in a remote access VPN scenario. Site-to-site VPNs (using
either a PSK or certificates), customers using remote access VPNs with
certificates, and customers using the VPN 3000 Concentrator feature called
'Mutual Group Authentication' are not affected by this vulnerability.

The vulnerability resides in the way the VPN 3000 Concentrator responds
to IKE Phase I messages in Aggressive Mode. If the group name in the IKE
message is a valid group name, the VPN Concentrator replies to the IKE
negotiation, while an invalid group name does not elicit a response. The
difference in behaviour is what lets an attacker tell valid group names
from invalid ones.

Once a valid group name has been identified, the attacker can use the
information contained in the reply packet sent by the VPN Concentrator to
mount an off-line attack and try to discover the PSK used for group
authentication. If the off-line attack is successful and the PSK is
recovered, the information could then be used to attempt a MiTM
(Man-in-the-Middle) attack against sessions being initiated by remote VPN
clients towards the VPN Concentrator.

This issue is documented as Bug ID CSCeg00323 (registered customers only).

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

  * VPN 3000 Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
    running any software version earlier than v4.1.7F or v4.7.1

No other Cisco products are currently known to be affected by this
vulnerability.

Software Versions and Fixes
===========================

When considering software upgrades, please also consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") for assistance.

Each row of the products table (below) lists the earliest possible release
that contains the fix (the "First Fixed Release") and the anticipated date
of availability. A product running a release that is earlier than the
listed release (less than the First Fixed Release) is known to be
vulnerable. The product should be upgraded at least to the indicated
release or a later release (greater than or equal to the First Fixed
Release label).

+----------------------------------------+
|              | Affected   | First      |
| Product      | version    | Fixed      |
|              |            | Release    |
|--------------+------------+------------|
| Cisco VPN    | all        |            |
| 3000         | versions   | 4.1.7F -   |
| Concentrator | earlier    | available  |
| family       | than       | now on CCO |
|              | 4.1.7F     |            |
|--------------+------------+------------|
| Cisco VPN    |            | 4.7.1 -    |
| 3000         | 4.7.Rel    | available  |
| Concentrator |            | now on CCO |
| family       |            |            |
+----------------------------------------+

Obtaining Fixed Software
========================

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various
languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
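The enumeration pattern described in the Details section (a burst of IKE Aggressive Mode first messages from one source, each carrying a different group name) is visible to a defender who logs the ID payload of inbound Aggressive Mode messages. The following detection script is an added example, not part of Cisco's notice or NTA Monitor's advisory; the record format, the AM_INIT tag and the sample records are constructed assumptions, and the threshold and window are starting points to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed format (not the VPN 3000 syslog
# format). One record per inbound IKE Aggressive Mode first message:
#   "<ISO time> IKE AM_INIT src=<ip> id=<group name from the ID payload>"
SAMPLE_LOG = """\
2005-06-24T13:00:01 IKE AM_INIT src=198.51.100.7 id=sales
2005-06-24T13:00:01 IKE AM_INIT src=198.51.100.7 id=engineering
2005-06-24T13:00:02 IKE AM_INIT src=198.51.100.7 id=finance
2005-06-24T13:00:02 IKE AM_INIT src=198.51.100.7 id=admin
2005-06-24T13:00:03 IKE AM_INIT src=198.51.100.7 id=vpnusers
2005-06-24T13:00:15 IKE AM_INIT src=203.0.113.9 id=engineering
2005-06-24T13:05:30 IKE AM_INIT src=203.0.113.9 id=engineering
2005-06-24T14:00:00 IKE AM_INIT src=192.0.2.4 id=sales
2005-06-24T15:30:00 IKE AM_INIT src=192.0.2.4 id=engineering
"""

LINE_RE = re.compile(r"^(\S+) IKE AM_INIT src=(\S+) id=(\S+)$")

def parse_events(text):
    """Yield (timestamp, source, group_id) for each well-formed record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_enumerators(text, threshold=4, window_seconds=300):
    """Return {source: sorted group names it tried} for every source that
    presented at least `threshold` distinct group names inside some sliding
    interval of `window_seconds`. A legitimate client sends its one configured
    group name (and retries with the same one), so many distinct names from
    one source within minutes is the enumeration pattern described above."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, gid in parse_events(text):
        by_src[src].append((ts, gid))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            if len({gid for _, gid in events[start:end + 1]}) >= threshold:
                flagged[src] = sorted({gid for _, gid in events})
                break
    return flagged
```

Sources that present a single group name repeatedly (an ordinary client retrying) are never flagged, whatever the threshold.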
Workarounds and Mitigation
==========================

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure any applied workaround is the most appropriate for
use in the intended network before it is deployed.

There is no specific workaround to prevent the discovery of valid group
names on affected software versions using a PSK as authentication
mechanism in remote access scenarios. Customers concerned about secondary
exploitation (off-line PSK recovery, MiTM attacks) can apply the following
mitigation strategies:

  * Use strong passwords as PSK for group authentication and change them
    frequently. This is the most effective way to mitigate dictionary
    attacks. The VPN Concentrator accepts passwords from 4 to 32
    characters in length, including combinations of uppercase/lowercase
    letters, numbers, and additional characters (excluding '\ ' and '@').

  * Deploy a feature called 'Mutual Group Authentication'. Additional
    information about this feature can be found in the 'Related
    Information' section of this document.

Acknowledgment
==============

Cisco would like to thank NTA-Monitor for their cooperation on this issue.

Status of This Notice: FINAL
============================

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco may update this notice.

A stand-alone copy or paraphrase of the text of this security notice that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Revision History
================

+----------------------------------------+
| Revision |              | Initial      |
| 1.0      | 2005-June-24 | public       |
|          |              | release.     |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

---------------------------------------------------------------------

Related Information
===================

  * NTA-Monitor advisory -
    http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm
  * Mutual Group Authentication - VPN Client 4.0.5 release notes -
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel405/405clnt.htm#wp1375735
  * Mutual Group Authentication - VPN Client 4.6 Admin guide -
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/vcach1.htm#wp1158315

---------------------------------------------------------------------

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================