Re: Insecure IKE Implementations Clarification

[Thor Lancelot Simon <tls () rek tjls com>]

On Fri, Dec 12, 2003 at 10:45:37PM +0100, Florian Weimer wrote:
> There's also a PSIRT statement regarding this issue, and it's at best
> embarrassing for Cisco engineering folks:
>
>   <http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html>

Whoever wrote that statement seems to have the fundamental XAUTH
vulnerability and the recently-much-discussed possibility of brute-forcing
Phase 1 preshared keys using Aggressive Mode pretty seriously mixed up.

> I know several people work on XAUTH MITM attacks; I guess it will fall
> in a couple of weeks.  (Just sniffing the user password is easy, the
> group password is typically public anyway; the remaining challenge
> consists of putting together several tools to transparently fake a Cisco
> VPN concentrator).

For what it's worth, the possibility of this general type of attack was
repeatedly discussed in the IPsec working group and is a major reason
why XAUTH was abandoned.  The particular password-stealing attack that I 
describe as been widely discussed among IKE implementors for at least two
years; other implementors probably independently noticed it at least as
early as I did, which was three years ago.

What's pretty disturbing is that there is wide understanding of this
issue among actual protocol implementors, but that Cisco field personnel
continue to quite plainly tell customers that it does not exist at all,
even when the risk to those customers is huge.  Indeed, I'd say that
including support for this mode in their VPN client, at this point, is
pretty irresponsible -- recommending it is just plain awful.

-- 
 Thor Lancelot Simon                                          tls () rek tjls com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud