SecurityTracker.com
SecurityTracker Archives
Category: Device (Encryption/VPN) > Cisco VPN 3000 Concentrator
Vendors: Cisco
(Cisco Issues Revised Fix) Cisco VPN 3000 Lets Remote Users Determine Valid Groupnames
SecurityTracker Alert ID:  1014289
SecurityTracker URL:  http://securitytracker.com/id/1014289
CVE Reference: CVE-2005-2025
Updated:  Apr 19 2006
Original Entry Date:  Jun 24 2005
Impact:   Disclosure of system information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 4.1.7.G
Description:   A vulnerability was reported in the Cisco VPN 3000 concentrators. A remote user can determine valid groupnames.

When groupname authentication is used, the system provides a different response to a connection request with a valid groupname than it does with an invalid groupname. A remote user can connect to the target system repeatedly and send an IKE Aggressive Mode packet using different groupnames to attempt to determine valid groupnames. The system will respond only to packets with a valid groupname.
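The response oracle described above (a reply for a valid groupname, silence for an invalid one) is the whole vulnerability. The following toy model is an added example, not Cisco's code and not the NTA Monitor advisory's; messages are plain dicts and the IKE exchange is reduced to "does the responder answer, and with what shape". `GROUPS`, `FALLBACK_KEY` and the message fields are constructed. The `hardened_responder` illustrates the general uniform-response principle for closing this kind of oracle; it is an assumption about how such oracles are closed, not a description of the fix Cisco shipped in 4.1.7.G.

```python
"""Toy model of an IKE Aggressive Mode group-name response oracle.

Added example (not Cisco's code). The 'packets' are dicts and the reply is a
PSK-keyed MAC over both nonces, standing in for the real SKEYID/HASH_R math.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed configuration: group name -> pre-shared key (PSK).
GROUPS = {
    "engineering": b"constructed-psk-engineering",
    "sales": b"constructed-psk-sales",
}

# Constructed per-process secret, used only to give unknown groups a reply
# of the same shape as a real one (assumed mitigation, see lead-in).
FALLBACK_KEY = secrets.token_bytes(32)


def _reply(psk: bytes, nonce_i: bytes) -> dict:
    """Build the responder's (simplified) Aggressive Mode reply."""
    nonce_r = secrets.token_bytes(16)
    hash_r = hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()
    return {"id": "gateway", "nonce_r": nonce_r, "hash_r": hash_r}


def vulnerable_responder(msg: dict) -> Optional[dict]:
    """Behaviour the advisory describes: silence for an unknown group name,
    a reply for a known one. The mere presence of a reply is the oracle."""
    psk = GROUPS.get(msg["id"])
    if psk is None:
        return None  # silent drop: observable difference
    return _reply(psk, msg["nonce_i"])


def hardened_responder(msg: dict) -> dict:
    """Uniform response: an unknown name gets a reply of identical shape,
    keyed with FALLBACK_KEY, so reply presence/shape no longer depends on
    whether the group exists. The exchange still fails later for the
    unknown name, which is the intended outcome."""
    psk = GROUPS.get(msg["id"], FALLBACK_KEY)
    return _reply(psk, msg["nonce_i"])


def leaks_group_validity(responder) -> bool:
    """Self-check for an implementation: does observable reply presence or
    shape differ between a valid and an invalid group name?"""
    nonce_i = secrets.token_bytes(16)
    valid = responder({"id": "engineering", "nonce_i": nonce_i})
    invalid = responder({"id": "no-such-group", "nonce_i": nonce_i})
    if (valid is None) != (invalid is None):
        return True  # one side answered, the other did not
    if valid is None:
        return False  # neither answered (not a useful responder, but no leak)
    return (set(valid) != set(invalid)
            or len(valid["hash_r"]) != len(invalid["hash_r"]))


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_group_validity(vulnerable_responder))
    print("hardened leaks:  ", leaks_group_validity(hardened_responder))
```

`leaks_group_validity` is the kind of check worth keeping in a regression suite for any authenticated handshake: it compares only what a remote party can observe (reply present, same fields, same lengths), so it catches the oracle independently of the key material involved.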

Site-to-site VPNs and remote access VPNs using certificate authentication are not affected.
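Because the enumeration described above works by connecting repeatedly with many different groupnames, a single source trying many distinct group IDs in Aggressive Mode within a short window is the natural signal to monitor for while an upgrade is pending. The heuristic below is an added example, not part of this entry, Cisco's notice or the NTA Monitor advisory; the syslog-style line format and the addresses in `SAMPLE_LOG` are constructed for the illustration and are not the concentrator's native event format.

```python
"""Flag sources that probe many distinct IKE group IDs in Aggressive Mode.

Added example. The log format is constructed; adapt LINE_RE to the real
event format of the device being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one legitimate client (.10), one source cycling
# through group names (.50), and an unrelated Main Mode peer (.77).
SAMPLE_LOG = """\
2005-06-20T10:00:01Z ike: src=203.0.113.10 mode=aggressive id=engineering
2005-06-20T10:00:02Z ike: src=203.0.113.10 mode=aggressive id=engineering
2005-06-20T10:00:03Z ike: src=203.0.113.50 mode=aggressive id=admin
2005-06-20T10:00:03Z ike: src=203.0.113.50 mode=aggressive id=vpn
2005-06-20T10:00:04Z ike: src=203.0.113.50 mode=aggressive id=remote
2005-06-20T10:00:04Z ike: src=203.0.113.50 mode=aggressive id=sales
2005-06-20T10:00:05Z ike: src=203.0.113.50 mode=aggressive id=users
2005-06-20T10:00:05Z ike: src=203.0.113.50 mode=aggressive id=engineering
2005-06-20T10:30:00Z ike: src=203.0.113.77 mode=main id=203.0.113.77
2005-06-20T11:00:00Z ike: src=203.0.113.50 mode=aggressive id=staff
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ike: src=(?P<src>\S+) mode=(?P<mode>\S+) id=(?P<id>\S+)$"
)


def parse(log_text: str):
    """Yield (timestamp, src, mode, group_id) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["mode"], m["id"]


def find_enumerators(log_text: str,
                     window: timedelta = timedelta(minutes=5),
                     min_distinct: int = 3) -> dict:
    """Return {src: set_of_group_ids} for each source that sent Aggressive
    Mode proposals with at least `min_distinct` different group IDs inside
    some span no longer than `window`. A real client uses one group ID,
    so even a low threshold separates probing from normal retries."""
    per_src = defaultdict(list)
    for ts, src, mode, gid in parse(log_text):
        if mode == "aggressive":
            per_src[src].append((ts, gid))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {gid for _, gid in events[start:end + 1]}
            if len(ids) >= min_distinct:
                flagged[src] = ids
                break
    return flagged


if __name__ == "__main__":
    for src, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{src}: {len(ids)} distinct group IDs in window: {sorted(ids)}")
```

Tune `window` and `min_distinct` to the environment: retries from a misconfigured client repeat one group ID, so the distinct-ID count, not the raw connection count, is what separates a probe from noise.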

Cisco has assigned Cisco Bug ID CSCeg00323 ("vpn3k - inconsistent behavior on scanning") and CSCsb38075 to this vulnerability.

The vendor was notified on September 20, 2004.

Roy Hills from NTA Monitor reported this vulnerability.

The original advisory is available at:

http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm

Impact:   A remote user can determine valid groupnames on the target device.
Solution:   The vendor has released a fixed version (4.1.7.G).

The vendor's advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

[Editor's note: Cisco originally reported that the fix was included in 4.1.7.F but issued an update to their advisory on April 19, 2006 indicating that the first version containing the fix is 4.1.7.G.]

Vendor URL: www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
Cause:   State error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Jun 20 2005 Cisco VPN 3000 Lets Remote Users Determine Valid Groupnames



 Source Message Contents

Date:  Friday, 24 Jun 2005 09:20:00 -0400
Subject:  Cisco Security Notice: Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Notice: Cisco IPSec VPN Implementation Group Name
Enumeration Vulnerability

Revision 1.0

For Public Release 2005 June 24 1300 UTC (GMT)

- ---------------------------------------------------------------------

Contents
========

    Summary
    Details
    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds and Mitigation
    Acknowledgment
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures
    Related Information

- ---------------------------------------------------------------------

Summary
=======

This Cisco Security Notice is being released in response to the Cisco
VPN Concentrator Group Name Enumeration Vulnerability advisory
published on June 20, 2005 by NTA Monitor at
http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm

Cisco has made free software available to address this vulnerability.

This security notice is posted at
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

Details
=======

This vulnerability allows an attacker to discover which group names are
configured and valid on a VPN 3000 Concentrator. It only affects
customers using a PSK (pre-shared key) for group authentication in a
remote access VPN scenario. Site-to-site VPNs (either using a PSK or
certificates), customers using remote access VPNs with certificates, or
customers using the VPN 3000 Concentrator feature called 'Mutual Group
Authentication' are not affected by this vulnerability.

The vulnerability resides in the way the VPN 3000 Concentrator responds
to IKE Phase I messages in Aggressive Mode. If the group name in the
IKE message was a valid group name, the VPN Concentrator would reply to
the IKE negotiation, while an invalid group name will not elicit a
response.

Once a valid group name has been identified, the attacker can use the
information contained in the reply packet sent by the VPN Concentrator
to mount an off-line attack and try to discover the PSK used for group
authentication. If the off-line attack is successful and the PSK is
recovered, the information could then be used to attempt a MiTM
(Man-in-the-Middle) attack against sessions being initiated by remote
VPN clients towards the VPN Concentrator.

This issue is documented as Bug ID CSCeg00323 (registered customers
only).

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

  * VPN 3000 Concentrators (models 3005, 3015, 3020, 3030, 3060, and
    3080) running any software version earlier than v4.1.7F or v4.7.1

No other Cisco products are currently known to be affected by this
vulnerability.

Software Versions and Fixes
===========================

When considering software upgrades, please also consult 
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance.

Each row of the products table (below) lists the earliest possible
release that contains the fix (the "First Fixed Release") and the
anticipated date of availability. A product running a release that is
earlier than the listed release (less than the First Fixed Release) is
known to be vulnerable. The product should be upgraded at least to the
indicated release or a later release (greater than or equal to the
First Fixed Release label.)

+----------------------------------------+
|              |  Affected  |   First    |
|   Product    |  version   |   Fixed    |
|              |            |  Release   |
|--------------+------------+------------|
| Cisco VPN    | all        |            |
| 3000         | versions   | 4.1.7F -   |
| Concentrator | earlier    | available  |
| family       | than       | now on CCO |
|              | 4.1.7F     |            |
|--------------+------------+------------|
| Cisco VPN    |            | 4.7.1 -    |
| 3000         | 4.7.Rel    | available  |
| Concentrator |            | now on CCO |
| family       |            |            |
+----------------------------------------+

Obtaining Fixed Software
========================

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at 
http://www.cisco.com/public/sw-license-agreement.html, 
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds and Mitigation
==========================

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or
support organization to ensure any applied workaround is the most
appropriate for use in the intended network before it is deployed.

There is no specific workaround to prevent the discovery of valid group
names on affected software versions using a PSK as authentication
mechanism in remote access scenarios.

Customers concerned about secondary exploitation (off-line PSK
recovery, MiTM attacks) can apply the following mitigation strategies:

  * Use strong passwords as PSK for group authentication and change
    them frequently. This is the most effective way to mitigate
    dictionary attacks. The VPN Concentrator accepts passwords from 4
    to 32 characters in length, including combinations of uppercase/
    lowercase letters, numbers, and additional characters (excluding '\
    ' and '@').
  * Deploy a feature called 'Mutual Group Authentication'. Additional
    information about this feature can be found in the 'Related
    information' section of this document.

Acknowledgment
==============

Cisco would like to thank NTA-Monitor for their cooperation on this
issue.

Status of This Notice: FINAL
============================

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this notice unless there is some material change in the
facts. Should there be a significant change in the facts, Cisco may
update this notice.

A stand-alone copy or paraphrase of the text of this security notice
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
================

+----------------------------------------+
| Revision |              | Initial      |
| 1.0      | 2005-June-24 | public       |
|          |              | release.     |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

- ---------------------------------------------------------------------

Related Information
===================

  * NTA-Monitor advisory - 
    http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm
  * Mutual Group Authentication - VPN Client 4.0.5 release notes - 
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel405/
    405clnt.htm#wp1375735
  * Mutual Group Authentication - VPN Client 4.6 Admin guide - http://
    www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/
    vcach1.htm#wp1158315

- ---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQrwGi3sxqM8ytrWQEQLSRgCgzk0s9tS6kauCIHqDoeeictjBNCoAnRYn
Kg3eGk30eIHaE0oRaxq1UeEO
=/5C5
-----END PGP SIGNATURE-----


Copyright 2012, SecurityGlobal.net LLC