what you don't know can hurt you

Cisco IPSec VPN Implementation Group Name Enumeration

Cisco IPSec VPN Implementation Group Name Enumeration
Posted Mar 22, 2011
Authored by Gavin Jones | Site ngssecure.com

The Cisco IPSec VPN implementation suffers from a group name enumeration vulnerability. Systems affected include the ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances, Cisco VPN 3000 Series Concentrators.

tags | advisory
systems | cisco
MD5 | ad15c4c9fa7a2b80ba090d2cc11b6ecd

Cisco IPSec VPN Implementation Group Name Enumeration

Change Mirror Download
=======
Summary
=======
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published

========
TimeLine
========
Discovered: 20 March 2009
Released: 8 November 2010
Approved: 8 November 2010
Reported: 8 November 2010
Fixed: 1 December 2010
Published: 22 March 2011

===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s). With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.

=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid group:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=d508a1efacad8015)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec). 1
returned handshake; 0 returned notify

The above request is then repeated with a valid group name and as can be seen the response is different:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=4fa4cf45d5039335)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec). 1
returned handshake; 0 returned notify

As can be seen above, the request with the valid group name has an additional field contained in the response:

VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

By checking the responses for this additional VID it is possible to enumerate the valid group name.

This has been replicated in testing against a number of PIX based devices and with the valid group name the PSK can then be collected and cracked using psk-crack.

===============
Fix Information
===============
Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:

http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html

Patches can be downloaded from Cisco's online support portal at:

http://www.cisco.com


NGS Secure Research
http://www.ngssecure.com
________________________________

Research@NGSSecure

NGS Secure

,

Telephone:
Mobile:
Fax:
Website: www.ngssecure.com<http://www.ngssecure.com>
Email: research@NGSSecure.com<mailto:research@NGSSecure.com>
[http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg] <http://www.ngssecure.com/>
________________________________

This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then delete the original. If you are not the intended recipient you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not inform any other person other than NCC Group or the sender of its existence.

For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com>

P Before you print think about the ENVIRONMENT
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close