| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 May 2015 00:30:26 -0400
From: Lee <ler762@...il.com>
To: Melchior Limacher <mli@...tect7.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] IKE Aggressive Mode Downgrade Attack?
On 4/30/15, Melchior Limacher <mli@...tect7.com> wrote:
> Hello
>
>
> I was reading about "ike aggressive mode with pre shared key"
> (CVE-2002-1623).
>
> As described by cisco
> (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html),
> this is still an issue
> "When responding to IPSec session initialization, Cisco IOS(r) software
> may use Aggressive Mode even if it has not been explicitly configured
> to do so. Cisco IOS software initially tries to negotiate using Main
> Mode but, failing that, resorts to Aggressive Mode."
>
> Are there known downgrade attacks? Counter-Measures?
crypto isakmp aggressive-mode disable
should be the counter-measure.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp7822516900
To block all Internet Security Association and Key Management
Protocol (ISAKMP)
aggressive mode requests to and from a device, use the
crypto isakmp aggressive-mode disable
command in global configuration mode.
Regards,
Lee
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists