<<< Date Index >>>     <<< Thread Index >>>

Cisco Security Notice: Cisco IPsec VPN Implementation Group Password Usage Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   Cisco Security Notice: Cisco IPsec VPN Implementation Group Password Usage
                                 Vulnerability

Revision 1.0

  For Public Release 2004 April 15 1600 UTC (GMT)

     ----------------------------------------------------------------------

Contents

     Summary
     Details
     Workarounds
     Status of This Notice: INTERIM
     Revision History
     Cisco Security Procedures
     Related Information

     ----------------------------------------------------------------------

Summary

   This Security Notice is being released due to the new information received
   by Cisco PSIRT regarding the Cisco IPsec VPN implementation, Group
   Password Usage Vulnerability.

   This is also a follow-up to an email thread that appeared on the Bugtraq
   mailing list in December 2003 which can be found at
   http://www.securityfocus.com/archive/1/347351.

   This notice will be posted at
   http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml.

Details

   Proof of Concept code now exists for:

     * Recovering the Group Password - The Group Password used by the Cisco
       Internet Protocol Security (IPsec) virtual private network (VPN)
       client is scrambled on the hard drive, but unscrambled in memory. This
       password can now be recovered on both the Linux and Microsoft Windows
       platform implementations of the Cisco IPsec VPN client. This
       vulnerability is documented in the Cisco Bug Toolkit as Bug ID
       CSCed41329 (registered customers only) .
          * The Linux implementation vulnerability was reported by Karl
            Gaissmaier, University of Ulm, Germany.
          * The Microsoft Windows implementation vulnerability was reported
            by Jonas Eriksson and Nicholas Kathmann.
     * Man In The Middle (MITM) attack to emulate a VPN head end server for
       stealing valid user names and passwords or hijacking connections using
       a previously recovered Group Password - This vulnerability exists
       whenever Group Passwords are used as the pre-shared key during
       Internet Key Exchange (IKE) Phase 1 in the XAUTH protocol. The user
       name and password in XAUTH are transmitted over the network only
       encrypted by the Phase 1 IKE security association (SA) which in this
       case are derived from the Group Password. Anyone in possession of the
       Group Passwords will have the ability to either hijack a connection
       from a valid user, or pose as a VPN head end for stealing user names
       and passwords.

   In the e-mail thread on Bugtraq, it was mentioned that Cisco may be
   looking at implementing Challenge/Response Authentication of Cryptographic
   Keys (CRACK) as an alternate to XAUTH. This information was incorrect and
   Cisco does not plan to implement the CRACK authentication method.

   Cisco is working on implementing IKEv2 with an estimated release date in
   the fourth quarter of the calendar year 2005.

   For the Cisco VPN 3000 Concentrator, Cisco VPN Client (software client)
   and Cisco VPN 3002 Hardware Client, Cisco is in the process of
   implementing a feature which is based on the expired IETF draft 'A Hybrid
   Authentication Mode for IKE' published in August of 2000.

   Cisco's solution extends the Hybrid Auth model by additionally requiring a
   group pre-shared key for VPN group identification. The group pre-shared
   key will be used solely to associate users with their appropriate VPN
   groups, followed by the XAUTH exchange that will then authenticate the
   user.

   The MITM attack vulnerability described in this document will no longer be
   possible because of the additional digital signature that will bind the
   keying material to the Cisco VPN 3000 Concentrator's digital certificate.

   This feature is estimated to ship in the third quarter of the calendar
   year 2004.

   Hybrid Authentication mode is a two stage process that allows the
   asymmetric use of digital certificates between the client and the head end
   server. The first stage is used to authenticate the head end server by the
   client and is based on the IKE Phase 1 exchange where in the client
   verifies the authenticity of the head end server's certificate. The second
   stage authenticates the client by the head end server and is based on a
   Transaction Exchange (IKECFG) using the mechanism described in the XAUTH
   protocol. Pre-shared keys are not used.

Workarounds

   No workarounds exist for the vulnerabilities documented in this Notice.

   To avoid the potential exploitation because of these vulnerabilities Cisco
   PSIRT recommends customer deploy Public Key Infrastructure (PKI) and
   carefully evaluate the risks of deploying Group Password based
   authentication schemes.

Status of This Notice: INTERIM

   This is an interim notice. Although Cisco cannot guarantee the accuracy of
   all statements in this notice, all of the facts have been checked to the
   best of our ability. Cisco does not anticipate issuing updated versions of
   this notice unless there is some material change in the facts. Should
   there be a significant change in the facts, Cisco may update this notice.
   Any estimated dates set forth in this notice are subject to change without
   advance notice.
   
   A stand-alone copy or paraphrase of the text of this security notice that
   omits the distribution URL in the following section is an uncontrolled
   copy, and may lack important information or contain factual errors.

Revision History

   +------------------------------------------+
   |Revision 1.0|2004-April-15|Initial public |
   |            |             |release.       |
   +------------------------------------------+

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and registering to
   receive security information from Cisco, is available on Cisco's worldwide
   website at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
   includes instructions for press inquiries regarding Cisco security
   notices. All Cisco security advisories are available at
   http://www.cisco.com/go/psirt.

     ----------------------------------------------------------------------

Related Information

     * SAFE VPN IPsec Virtual Private Networks in Depth -
       
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801dca2d.shtml
       - refer to the Identity and IPSec Access Control under Architecture
       Overview section.
     * Deploying Cisco IOS Security with a Public-Key Infrastructure -
       http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/pkdpy_wp.htm
     * A Hybrid Authentication Mode for IKE -
       
http://www.ietf.org/proceedings/00dec/I-D/draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
     * Cisco Response to Internet Key Exchange Issue -
       http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html

     ----------------------------------------------------------------------

   All contents are Copyright (c) 1992-2004 Cisco Systems, Inc. All rights
   reserved. Important Notices and Privacy Statement.

   --------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: Sharad Ahlawat, sha@xxxxxxxxx, Cisco Systems PSIRT

iD8DBQFAfr1qezGozzK2tZARApjwAKCRs2ERzepFQ8KfOd5Tp7FUCCSZZwCg4Bg2
XlQPAKnRJZxvP124AobA46g=
=qtsi
-----END PGP SIGNATURE-----