lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <IDECJHBKJLKLGCFFIDNMCEGGCPAA.scott.register@us.checkpoint.com>
From: scott.register at us.checkpoint.com (Scott Walker Register)
Subject: Check Point statement on use of IKE Aggressive Mode


A document has recently been published alleging vulnerabilities in the Check
Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient
and IKE Aggressive mode.  Check Point does not recommend the use of IKE
Aggressive Mode, because of many well-known limitations in the protocol, and
the Check Point products offer much more secure alternatives.

In the vulnerability claim document, two issues were presented:
  1) usernames are passed in cleartext using IKE Aggressive Mode
  2) usernames are susceptible to brute-force guessing when using IKE
Aggressive Mode

The first item is merely an accurate description of the IKE protocol. Check
Point has no bug or vulnerability, but has correctly implemented the IKE
standard for Aggressive Mode.  The passing of usernames in cleartext is
common to any vendors of IKE products who support Aggressive Mode.  The
claim of a vulnerability is incorrect.

Because of such well-known weaknesses in the IKE Aggressive Mode standard,
Check Point authored and published an extension called Hybrid Mode which
allows the secure use of all supported authentication schemes (e.g., RADIUS
or TACACS) without sending usernames in cleartext.  This extension has been
incorporated in the product since the 4.1 SP1 release (February 2000), with
hybrid mode recommended over Aggressive Mode for enhanced security.

The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still
configured to support SecuRemote/SecureClient connections using IKE
Aggressive Mode, despite the availability of more secure options in the
product.  Note, again, that the guessable usernames in this scenario are, by
design of the IKE protocol, sent in cleartext.  By default, Aggressive Mode
is not enabled in NG.  In 4.1, the recommended configuration is to disable
Aggressive Mode and use Hybrid Mode instead (which involves no change to the
user experience).

Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418  fax: 561.997.9392


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ