[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group Name Enumeration

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group Name Enumeration
From: "Research@NGSSecure" <research@xxxxxxxxxxxxx>
Date: Tue, 22 Mar 2011 09:14:41 +0000

=======
Summary
=======
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 
Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 
3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published

========
TimeLine
========
Discovered: 20 March 2009
Released:  8 November 2010
Approved:  8 November 2010
Reported:  8 November 2010
Fixed:  1 December 2010
Published: 22 March 2011

===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is 
possible to enumerate valid group names from the VPN device(s).  With the 
correct group name the pre-shared key can then be captured and a brute-force 
attack carried out off-line.

=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid 
group:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=d508a1efacad8015)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec).  1
returned handshake; 0 returned notify

The above request is then repeated with a valid group name and as can be seen 
the response is different:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=4fa4cf45d5039335)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec).  1
returned handshake; 0 returned notify

As can be seen above, the request with the valid group name has an additional 
field contained in the response:

VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

By checking the responses for this additional VID it is possible to enumerate 
the valid group name.

This has been replicated in testing against a number of PIX based devices and 
with the valid group name the PSK can then be collected and cracked using 
psk-crack.

===============
Fix Information
===============
Cisco has released a patch that addresses the issue. The announcement of this 
patch can be found here:

http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html

Patches can be downloaded from Cisco's online support portal at:

http://www.cisco.com


NGS Secure Research
http://www.ngssecure.com
________________________________

Research@NGSSecure

NGS Secure

,

Telephone:
Mobile:
Fax:
Website: www.ngssecure.com<http://www.ngssecure.com>
Email:  research@xxxxxxxxxxxxx<mailto:research@xxxxxxxxxxxxx>
        [http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg]  
<http://www.ngssecure.com/>
________________________________

This email is sent for and on behalf of NGS Secure Limited (Registered in 
England CRN: 04474600). The ultimate holding company is NCC Group plc 
(Registered in England CRN: 4627044). Registered Office: Manchester Technology 
Centre, Oxford Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of 
which may be confidential and/or legally privileged. It is for the intended 
recipient only. If an addressing or transmission error has misdirected this 
e-mail, please notify the author by replying to this e-mail and then delete the 
original. If you are not the intended recipient you may not use, disclose, 
distribute, copy, print or rely on any information contained in this e-mail. 
You must not inform any other person other than NCC Group or the sender of its 
existence.

For more information about NGS Secure please visit 
www.ngssecure.com<http://www.ngssecure.com>

P Before you print think about the ENVIRONMENT

Prev by Date: iDefense Security Advisory 03.21.11: Apple OfficeImport Framework Excel Memory Corruption Vulnerability
Next by Date: CMS Balitbang 3.3 Arbitary File Upload Vulnerability
Previous by thread: iDefense Security Advisory 03.21.11: Apple OfficeImport Framework Excel Memory Corruption Vulnerability
Next by thread: CMS Balitbang 3.3 Arbitary File Upload Vulnerability
Index(es):
- Date
- Thread