SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Device (Encryption/VPN)  >  Cisco VPN 3000 Concentrator Vendors:  Cisco
Cisco VPN 3000 Lets Remote Users Determine Valid Groupnames
SecurityTracker Alert ID:  1014246
SecurityTracker URL:  http://securitytracker.com/id?1014246
CVE Reference:  CVE-2005-2025   (Links to External Site)
OSVDB Reference:  17405   (Links to External Site)
Updated:  Apr 19 2006
Original Entry Date:  Jun 20 2005
Impact:  Disclosure of system information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  Cisco Security Advisory
Version(s): prior to 4.1.7.G
Description:  A vulnerability was reported in the Cisco VPN 3000 concentrators. A remote user can determine valid groupnames.

When groupname authentication is used, the system provides a different response to a connection request with a valid groupname than it does with an invalid groupname. A remote user can connect to the target system repeatedly and send an IKE Aggressive Mode packet using different groupnames to attempt to determine valid groupnames. The system will respond only to packets with a valid groupname.

Site-to-site VPNs and remote access VPNs using certificate authentication are not affected.

Cisco has assigned Cisco Bug ID CSCeg00323 ("vpn3k - inconsistent behavior on scanning") and CSCsb38075 to this vulnerability.

The vendor was notified on September 20, 2004.

Roy Hills from NTA Monitor reported this vulnerability.

The original advisory is available at:

http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.ht m
Impact:  A remote user can determine valid groupnames on the target device.
Solution:  The vendor has released a fixed version (4.1.7.G).

The vendor's advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml


[Editor's note: Cisco originally reported that the fix was included in 4.1.7.F but issued an update to their advisory on April 19, 2006 indicating that the first version containing the fix is 4.1.7.G.]
Vendor URL:  www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml (Links to External Site)
Cause:  State error
Reported By:  Roy Hills <Roy.Hills@nta-monitor.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 24 2005 (Cisco Issues Revised Fix) Cisco VPN 3000 Lets Remote Users Determine Valid Groupnames   (Cisco Systems Product Security Incident Response Team <psirt@cisco.com>)
Cisco has released a revised advisory.


 Source Message Contents
Date:  Mon, 20 Jun 2005 11:49:11 +0100
From:  Roy Hills <Roy.Hills@nta-monitor.com>
Subject:  [Full-disclosure] Cisco VPN Concentrator Groupname Enumeration

 

Cisco VPN Concentrator Groupname Enumeration Vulnerability

1. Overview:

NTA Monitor has discovered a groupname enumeration vulnerability in the 
Cisco VPN 3000 series concentrator products while performing a VPN security 
test for a customer.

The vulnerability affects remote access VPNs with groupname 
authentication.  Site-to-site VPN operation is not affected, nor is remote 
access with certificate authentication.  In practice, we find that most 
concentrators are configured for remote access with groupname 
authentication, so this bug will affect the majority of users.

The vulnerability allows an attacker to use a dictionary attack to 
determine valid group names on the concentrator.  Once a valid group name 
is determined, the attacker can then use this to obtain a hash from the 
concentrator, which can then be cracked offline to determine the group 
password.

Once an attacker has a valid groupname and group password, they can 
potentially mount a Man-in-the-Middle (MitM) attack against the XAUTH user 
authentication mechanism.  This allows the attacker to snoop on VPN 
traffic, alter VPN traffic, or gain access to the network protected by the 
VPN.  This MitM attack works even if strong authentication such as SecurID 
is used for user authentication.

2. Vulnerability Details:

The vulnerability allows an attacker to enumerate valid groupnames on a 
Cisco VPN concentrator through either a dictionary attack, or a brute-force 
attack.  The issue exists because the concentrator responds to valid 
groupnames differently to the way in which it responds to invalid groupnames.

The exploit involves sending an IKE Aggressive Mode packet with the 
groupname to be tested in the Identity (ID) payload.  The ID Type is 11, 
which corresponds to ID_KEY_ID.  If the specified groupname is valid, the 
concentrator will respond; if it is not valid, then the concentrator will 
not respond.  The ike-scan tool can be used to demonstrate this vulnerability.

The vulnerability is present in both normal IKE over UDP, and also Cisco 
proprietary TCP-encapsulated IKE.  The ike-scan tool can use either 
transport type: for Cisco IKE in TCP, you need to specify the option 
--tcp=2.  When using TCP encapsulation, an invalid groupname causes the 
concentrator to send a TCP RST packet, which causes ike-scan to return the 
error message "recvfrom: Connection reset by peer".

The groupname guessing rate depends on the bandwidth between the attacker's 
system and the concentrator.  Because most of the group names tried will be 
incorrect, and therefore the concentrator won't respond, it's only the 
bandwidth from the attacker to the concentrator that matters; the bandwidth 
from the concentrator back to the attacker is not important.

An IKE aggressive mode packet with a single transform, using Diffie-Hellman 
group 2, and having an eight character groupname has an IKE packet size of 
256 bytes.  Adding the eight byte UDP header and 20 byte IP header gives a 
total size of 284 bytes or 2,272 bits.  Assuming a link speed of 
2Mbits/sec, this gives a guessing rate of 2,000,000 / 2,272 = 880 guesses 
per second.

A guessing rate of 880 per second is 3,168,000 per hour or 76,032,000 per 
day.  This rate is sufficient to perform an extensive dictionary attack, or 
a limited brute-force attack.  The concentrator does not limit the 
groupname guessing rate, nor does it blacklist hosts that perform groupname 
enumeration: in tests, it was possible to get a successful response to a 
valid groupname immediately after thousands of incorrect attempts.

Once a valid groupname is obtained, it is possible to use this groupname to 
obtain a hash from the concentrator, and mount an offline password-guessing 
attack against this hash to obtain the group password.  Because the 
password-guessing process is offline, it is fast (hundreds of thousands of 
guesses per second), and will not cause the concentrator to log any 
authentication failures.

A valid groupname and password allows the attacker to complete IKE Phase-1 
and establish an ISAKMP SA to the concentrator.  They can then mount a 
Man-in-the-Middle (MitM) attack against the second-stage 
user-authentication process, which is typically XAUTH.

The offline password guessing process and MitM attack against XAUTH are 
detailed in the VPN flaws whitepaper at 
http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf.

3.  Example:

The example below shows the two different concentrator responses: the first 
is for the valid groupname "finance", and the second is for the invalid 
groupname "administration".  We see that the concentrator responds to valid 
groupname, but not to the invalid one.  Because of this difference in 
behaviour, it is possible to determine whether a given groupname is valid 
or not.

The ike-scan options used in this example are:

-A              Specify IKE Aggressive Mode.  The default for ike-scan is 
Main Mode.
--idtype=11     Specify ID Type 11 for the ID payload.  This corresponds to 
ID_KEY_ID.
-M              Multiline: Display each payload on a separate line, which 
makes the output easier to read.
--auth=65001    Specify authentication method 65001, which corresponds to 
XAUTH.
--id=finance    Specify the string to be used for the ID payload.
10.0.0.1        The IP address of the target VPN concentrator.

3.1.  Response to valid groupname "finance":

$ ike-scan -A --idtype=11 -M --auth=65001 --id=finance 10.0.0.1
Starting ike-scan 1.7.2 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
10.0.0.1 Aggressive Mode Handshake returned
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds 
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=10.0.0.1)
Hash(16 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=65963c60eacf802220adccf628738746
VID=1f07f70eaa6514d3b0fa96542a500400 (Cisco VPN Concentrator)

Ending ike-scan 1.7.2: 1 hosts scanned in 0.423 seconds (2.36 hosts/sec). 1 
returned handshake;
0 returned notify

3.2.  Response to invalid groupname "administration":

$ ike-scan -A --idtype=11 -M --auth=65001 --id=administration 10.0.0.1
Starting ike-scan 1.7.2 with 1 hosts (http://www.nta-monitor.com/ike-scan/)

Ending ike-scan 1.7.2: 1 hosts scanned in 0.594 seconds (1.68 hosts/sec). 0 
returned handshake;
0 returned notify

4.  Affected Versions:

The issue is believed to affect all models of Cisco VPN 3000 Concentrator: 
3005, 3015, 3020, 3030, 3060 and 3080.  We believe that all software 
versions prior to 4.1.7.F are vulnerable.

5.  Solution:

Upgrade to software version 4.1.7.F or later.  Cisco customers with a valid 
login may obtain the new software from the Cisco website.  Cisco has stated 
in the release notes that this software version is not vulnerable to the 
issue, but NTA Monitor have not verified this claim.

Alternatively, use certificate authentication rather than group 
authentication.  This vulnerability does not apply to certificate 
authentication.

6.  Timeline:

The vulnerability was first discovered on 8th July 2004, and was reported 
to Cisco's security team (PSIRT) on 20th September 2004.  Cisco were able 
to reproduce the issue using the ike-scan tool, and bug ID CSCeg00323 was 
opened on 11th October 2004.  Software version 4.1.7.F, which claims to 
have fixed the issue, was released on 19th May 2005.

7.  References:

Cisco Bug ID CSCeg00323 "vpn3k - inconsistent behavior on scanning".
NTA Monitor advisory 
http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm

8.  Other Information:

This is one of the classes of vulnerability discussed in the VPN flaws 
whitepaper, which was released in January 2005.  This whitepaper is 
available at: 
http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf

Roy Hills


--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA, 
UK                  WWW:   http://www.nta-monitor.com/  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2006, SecurityGlobal.net LLC