[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7E45577E4E72EC42BB3F8560D57E75511CC93D@manexchprd01>
Date: Tue, 22 Mar 2011 09:14:41 +0000
From: "Research@...Secure" <research@...secure.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group
Name Enumeration
=======
Summary
=======
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published
========
TimeLine
========
Discovered: 20 March 2009
Released: 8 November 2010
Approved: 8 November 2010
Reported: 8 November 2010
Fixed: 1 December 2010
Published: 22 March 2011
===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s). With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.
=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid group:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=d508a1efacad8015)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec). 1
returned handshake; 0 returned notify
The above request is then repeated with a valid group name and as can be seen the response is different:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=4fa4cf45d5039335)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec). 1
returned handshake; 0 returned notify
As can be seen above, the request with the valid group name has an additional field contained in the response:
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
By checking the responses for this additional VID it is possible to enumerate the valid group name.
This has been replicated in testing against a number of PIX based devices and with the valid group name the PSK can then be collected and cracked using psk-crack.
===============
Fix Information
===============
Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:
http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html
Patches can be downloaded from Cisco's online support portal at:
http://www.cisco.com
NGS Secure Research
http://www.ngssecure.com
________________________________
Research@...Secure
NGS Secure
,
Telephone:
Mobile:
Fax:
Website: www.ngssecure.com<http://www.ngssecure.com>
Email: research@...Secure.com<mailto:research@...Secure.com>
[http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg] <http://www.ngssecure.com/>
________________________________
This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF
Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then delete the original. If you are not the intended recipient you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not inform any other person other than NCC Group or the sender of its existence.
For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com>
P Before you print think about the ENVIRONMENT
Powered by blists - more mailing lists