Juniper Netscreen VPN Username Enumeration Vulnerability
Juniper Netscreen VPN Username Enumeration Vulnerability
1. Overview
NTA Monitor has discovered a VPN username enumeration vulnerability in the
Juniper Netscreen integrated Firewall/VPN products while performing a VPN
security test for a customer.
The vulnerability affects remote access VPNs (known as "Dialup VPNs" in
ScreenOS) using IKE with pre-shared key authentication. Certificate
authentication is not affected, nor is manual key authentication. In
practice, we find that most Netscreen systems are configured for remote
access with pre-shared key authentication (called "AutoKey IKE with
Preshared keys" in ScreenOS), so this bug will affect the majority of users.
The vulnerability allows an attacker to use a dictionary attack to
determine valid VPN usernames on the Netscreen. Once a valid username is
discovered, the attacker can then use this to obtain a hash from the
Netscreen, which can then be cracked offline to determine the associated
password.
Once an attacker has a valid username and password, they can potentially
gain access to the resources protected by the VPN.
If XAUTH is used as a second-level of authentication, it is possible to
mount a Man-in-the-Middle (MitM) attack against the XAUTH user
authentication mechanism. This allows the attacker to snoop on VPN
traffic, alter VPN traffic, or gain access to the network protected by the VPN.
2. Vulnerability Details
The vulnerability allows an attacker to enumerate valid usernames (IKE IDs)
on a Juniper Netscreen through either a dictionary attack, or a brute-force
attack. The issue exists because the IKE implementation in Netscreen's
ScreenOS responds to valid usernames differently to the way in which it
responds to invalid usernames.
The exploit involves sending an IKE Aggressive Mode packet with the
username to be tested in the Identity (ID) payload. If the specified
username is valid, the Netscreen system will respond; if it is not valid,
then it will not respond. The ike-scan tool can be used to demonstrate
this vulnerability.
The issue only occurs in IKE Aggressive Mode; IKE Main Mode is not
vulnerable. However, remote access users using pre-shared key
authentication must use Aggressive Mode due to limitations in the IKE
protocol. This means that all remote access users using pre-shared key
authentication on vulnerable versions of ScreenOS are affected.
The username guessing rate depends on the bandwidth between the attacker's
system and the Netscreen. Because most of the usernames tried will be
incorrect, and therefore the Netscreen won't respond, it's only the
bandwidth from the attacker to the Netscreen that matters; the bandwidth
from the Netscreen back to the attacker is not important.
An IKE aggressive mode packet with a single transform, using Diffie-Hellman
group 2, and having an eight character username has an IKE packet size of
256 bytes. Adding the eight byte UDP header and 20 byte IP header gives a
total size of 284 bytes or 2,272 bits. Assuming a link speed of
2Mbits/sec, this gives a guessing rate of 2,000,000 / 2,272 = 880 guesses
per second.
A guessing rate of 880 per second is 3,168,000 per hour or 76,032,000 per
day. This rate is sufficient to perform an extensive dictionary attack, or
a limited brute-force attack. The Netscreen does not limit the username
guessing rate, nor does it blacklist hosts that perform username
enumeration: in tests, it was possible to get a successful response to a
valid username immediately after thousands of incorrect attempts.
Once a valid username is obtained, it is possible to use this to obtain a
hash from the Netscreen, and mount an offline password-guessing attack
against this hash to obtain the password. Because the password-guessing
process is offline, it is fast (many hundreds of thousands of guesses per
second), and will not cause the Netscreen to log any authentication failures.
A valid username and password allows the attacker to complete IKE Phase-1
and establish an ISAKMP SA to the Netscreen. For normal IKE users, this
allows the attacker to gain access to the resources protected by the
VPN. If the VPN user is configured to use XAUTH as a second level of
authentication, the attacker can mount a Man-in-the-Middle (MitM) attack
against this second-stage user-authentication process.
The offline password guessing process and MitM attack against XAUTH are
both detailed in the VPN flaws whitepaper at
http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf.
3. Example
The example below shows the two different Netscreen responses: the first is
for the valid username "finance", and the second is for the invalid
username "administration". We see that the Netscreen responds to the valid
username, but not to the invalid one. Because of this difference in
behaviour, it is possible to determine whether a given username is valid or
not.
The ike-scan options used in this example are:
-A Specify IKE Aggressive Mode. The default for ike-scan is
Main Mode.
-M Multiline: Display each payload on a separate line, which
makes the output easier to read.
--id=string Specify the string to be used for the ID payload.
10.0.0.1 The IP address of the target Netscreen.
3.1. Response to valid username "royhills@xxxxxxxxxxx"
$ ike-scan -A -M --id=royhills@xxxxxxxxxxx 10.0.0.1
Starting ike-scan 1.7.7 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
10.0.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=21af4dbe2cecd5f0)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds
LifeDuration=28800)
VID=64405f46f03b7660a23be116a1975058e69e83870000000400000403
(Netscreen-05)
VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=10.0.0.1)
Hash(20 bytes)
Ending ike-scan 1.7.7: 1 hosts scanned in 0.136 seconds (7.37 hosts/sec). 1
returned handshake; 0 returned notify
3.2. Response to invalid username "invalid@xxxxxxxxxxx"
$ ike-scan -A -M --id=invalid@xxxxxxxxxxx 10.0.0.1
Starting ike-scan 1.7.7 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
Ending ike-scan 1.7.7: 1 hosts scanned in 2.467 seconds (0.41 hosts/sec). 0
returned handshake; 0 returned notify
4. Affected Versions
The issue is believed to affect all models of Juniper Netscreen running all
ScreenOS software versions up to 5.2.0.
5. Solution
Use certificate authentication rather than pre-shared key authentication.
6. Timeline
The vulnerability was reported to Juniper on 21st June 2005.
7. References
NTA Monitor
advisory
http://www.nta-monitor.com/news/vpn-flaws/juniper/netscreen/index.htm
8. Other Information
This is one of the classes of vulnerability discussed in the VPN flaws
whitepaper, which was released in January 2005.
--
Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate, Email: Roy.Hills@xxxxxxxxxxxxxxx
Rochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/