Re: Multiple vulnerabilities in vendor IKE implementations, including Cisco,
This is in response to the mail posted by Thor Lancelot Simon. The original
mail is available at http://www.securityfocus.com/archive/1/347351 in which
Thor has listed two issues. Documented below is Cisco's response to them.
Issue #1: Cisco addressed this issue as part of CSCdw87717 wherein the Cert
Domain Name verification feature was implemented. This issue has been
documented under the Cisco security advisory
http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml.
Issue #2: This is a widely known common aspect of the Pre-Shared Key (PSK)
authentication mechanism since 1999. With PSK, there is no way for a client
to identify what is on the other side of the connection except that the other
side has the same PSK.
The use of Digital Certificates as part of PKI for authentication, or per-user
PSKs, is the only current solution to this aspect of using PSKs. It is a
choice which network administrators must make between ease of use versus
stronger security.
Additionally, there is another IETF draft specification that Cisco is in the
process of evaluating, for its VPN 3000 product line, called CRACK (Challenge
Response Authentication of Cryptographic Keys). More information is available at
http://www.nwfusion.com/links/Encyclopedia/C/722.html. Cisco is incorporating
this authentication scheme in an upcoming release for the Cisco VPN 3000
series concentrators. The Cisco VPN client should be supporting it in the
future.
Brgds,
Sharad
--
Sharad Ahlawat
Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087
PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC12A996C
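To illustrate the point in Issue #2, here is an added example that is not part of Sharad's message or of any Cisco code: a simplified Python model of IKEv1 PSK authentication showing why a client holding a group PSK cannot distinguish the real gateway from any other holder of that PSK, while a per-user PSK lets it reject a peer that does not know its key. The identities, secrets and the reduced HASH_R formula (the real one also covers the DH values, cookies and SA payload) are assumptions of this illustration.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1-style pseudo-random function, here HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def responder_hash(psk: bytes, ni: bytes, nr: bytes, idr: bytes) -> bytes:
    """Simplified HASH_R: SKEYID = prf(PSK, Ni|Nr); HASH_R = prf(SKEYID, Nr|Ni|IDr).
    (Reduced model: the real payload hash also covers g^xr, g^xi, CKY-I, CKY-R, SAi_b.)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, nr + ni + idr)


def client_verifies(psk: bytes, ni: bytes, nr: bytes, idr: bytes, hash_r: bytes) -> bool:
    """The initiator accepts the responder iff HASH_R checks out under the PSK it holds."""
    return hmac.compare_digest(responder_hash(psk, ni, nr, idr), hash_r)


# Constructed nonces and identities for the two scenarios below.
NI = bytes(range(16))
NR = bytes(range(16, 32))
GATEWAY_ID = b"vpn.example.com"   # identity the responder claims (assumed)


def group_psk_scenario() -> bool:
    """Group PSK: every user shares one secret with the gateway.
    Returns True when a peer that merely holds the group PSK is accepted as the gateway."""
    group_psk = b"constructed-group-secret"
    # Any other holder of the group PSK can compute a valid HASH_R for the gateway's ID.
    other_holder_hash_r = responder_hash(group_psk, NI, NR, GATEWAY_ID)
    return client_verifies(group_psk, NI, NR, GATEWAY_ID, other_holder_hash_r)


def per_user_psk_scenario() -> tuple[bool, bool]:
    """Per-user PSK: the gateway keys each user separately.
    Returns (real gateway accepted, peer knowing only another user's PSK accepted)."""
    psk_table = {b"alice": b"constructed-alice-secret", b"bob": b"constructed-bob-secret"}
    alice_psk = psk_table[b"alice"]
    # The real gateway looks up alice's PSK by her identity and proves knowledge of it.
    real_hash_r = responder_hash(alice_psk, NI, NR, GATEWAY_ID)
    # A peer that only knows bob's PSK cannot produce alice's expected HASH_R.
    wrong_key_hash_r = responder_hash(psk_table[b"bob"], NI, NR, GATEWAY_ID)
    return (client_verifies(alice_psk, NI, NR, GATEWAY_ID, real_hash_r),
            client_verifies(alice_psk, NI, NR, GATEWAY_ID, wrong_key_hash_r))
```

With a group PSK the first scenario returns True, i.e. the client has no basis to tell the gateway from another PSK holder; with per-user PSKs the second returns (True, False).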