=======
Summary
=======
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published

========
TimeLine
========
Discovered: 20 March 2009
Released:  8 November 2010
Approved:  8 November 2010
Reported:  8 November 2010
Fixed:  1 December 2010
Published: 22 March 2011

===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s).  With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.

=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid group:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=d508a1efacad8015)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec).  1
returned handshake; 0 returned notify

The above request is then repeated with a valid group name and as can be seen the response is different:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=4fa4cf45d5039335)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec).  1
returned handshake; 0 returned notify

As can be seen above, the request with the valid group name has an additional field contained in the response:

VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

By checking the responses for this additional VID it is possible to enumerate the valid group name.

This has been replicated in testing against a number of PIX based devices and with the valid group name the PSK can then be collected and cracked using psk-crack.

===============
Fix Information
===============
Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:

http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html

Patches can be downloaded from Cisco's online support portal at:

http://www.cisco.com


NGS Secure Research
http://www.ngssecure.com
________________________________

Research@NGSSecure

NGS Secure

,

Telephone:
Mobile:
Fax:
Website: www.ngssecure.com<http://www.ngssecure.com>
Email:  research@NGSSecure.com<mailto:research@NGSSecure.com>
        [http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg]  <http://www.ngssecure.com/>
________________________________

This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then delete the original. If you are not the intended recipient you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not inform any other person other than NCC Group or the sender of its existence.

For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com>

P Before you print think about the ENVIRONMENT