Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                  ESB-2005.0476 -- Cisco Security Notice:
    Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability
                               27 June 2005


        AusCERT Security Bulletin Summary

Product:           Cisco VPN 3000 Concentrator
Publisher:         Cisco Systems
Impact:            Inappropriate Access
Access:            Remote/Unauthenticated

Original Bulletin: http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

Cisco Security Notice: Cisco IPSec VPN Implementation Group Name
Enumeration Vulnerability

Revision 1.0

For Public Release 2005 June 24 1300 UTC (GMT)

- - ---------------------------------------------------------------------


    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds and Mitigation
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures
    Related Information

- - ---------------------------------------------------------------------


This Cisco Security Notice is being released in response to the Cisco
VPN Concentrator Group Name Enumeration Vulnerability advisory
published on June 20, 2005 by NTA Monitor at

Cisco has made free software available to address this vulnerability.

This security notice is posted at


This vulnerability allows an attacker to discover which group names are
configured and valid on a VPN 3000 Concentrator. It only affects
customers using a PSK (pre-shared key) for group authentication in a
remote access VPN scenario. Site-to-site VPNs (either using a PSK or
certificates), customers using remote access VPNs with certificates, or
customers using the VPN 3000 Concentrator feature called 'Mutual Group
Authentication' are not affected by this vulnerability.

The vulnerability resides in the way the VPN 3000 Concentrator responds
to IKE Phase I messages in Aggressive Mode. If the group name in the
IKE message was a valid group name, the VPN Concentrator would reply to
the IKE negotiation, while an invalid group name will not elicit a

Once a valid group name has been identified, the attacker can use the
information contained in the reply packet sent by the VPN Concentrator
to mount an off-line attack and try to discover the PSK used for group
authentication. If the off-line attack is successful and the PSK is
recovered, the information could then be used to attempt a MiTM
(Man-in-the-Middle) attack against sessions being initiated by remote
VPN clients towards the VPN Concentrator.

This issue is documented as Bug ID CSCeg00323 (registered customers

Affected Products

Vulnerable Products

The following products are affected by this vulnerability:

  * VPN 3000 Concentrators (models 3005, 3015, 3020, 3030, 3060, and
    3080) running any software version earlier than v4.1.7F or v4.7.1

No other Cisco products are currently known to be affected by this

Software Versions and Fixes

When considering software upgrades, please also consult 
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance.

Each row of the products table (below) lists the earliest possible
release that contains the fix (the "First Fixed Release") and the
anticipated date of availability. A product running a release that is
earlier than the listed release (less than the First Fixed Release) is
known to be vulnerable. The product should be upgraded at least to the
indicated release or a later release (greater than or equal to the
First Fixed Release label.)

|              |  Affected  |   First    |
|   Product    |  version   |   Fixed    |
|              |            |  Release   |
| Cisco VPN    | all        |            |
| 3000         | versions   | 4.1.7F -   |
| Concentrator | earlier    | available  |
| family       | than       | now on CCO |
|              | 4.1.7F     |            |
| Cisco VPN    |            | 4.7.1 -    |
| 3000         | 4.7.Rel    | available  |
| Concentrator |            | now on CCO |
| family       |            |            |

Obtaining Fixed Software

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/.

Customers using Third-party Support Organizations

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at 
or as otherwise set forth at Cisco.com Downloads at 

Workarounds and Mitigation

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or
support organization to ensure any applied workaround is the most
appropriate for use in the intended network before it is deployed.

There is no specific workaround to prevent the discovery of valid group
names on affected software versions using a PSK as authentication
mechanism in remote access scenarios.

Customers concerned about secondary exploitation (off-line PSK
recovery, MiTM attacks) can apply the following mitigation strategies:

  * Use strong passwords as PSK for group authentication and change
    them frequently. This is the most effective way to mitigate
    dictionary attacks. The VPN Concentrator accepts passwords from 4
    to 32 characters in length, including combinations of uppercase/
    lowercase letters, numbers, and additional characters (excluding '\
    ' and '@').
  * Deploy a feature called 'Mutual Group Authentication'. Additional
    information about this feature can be found in the 'Related
    information' section of this document.


Cisco would like to thank NTA-Monitor for their cooperation on this

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this notice unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may
update this notice.

A stand-alone copy or paraphrase of the text of this security notice
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History

| Revision |              | Initial      |
| 1.0      | 2005-June-24 | public       |
|          |              | release.     |

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at 
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at

- - ---------------------------------------------------------------------

Related Information

  * NTA-Monitor advisory - 
  * Mutual Group Authentication - VPN Client 4.0.5 release notes - 
  * Mutual Group Authentication - VPN Client 4.6 Admin guide - http://

- - ---------------------------------------------------------------------

Version: PGP 8.1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967