Bugtraq mailing list archives
Re: Insecure IKE Implementations Clarification
From: Thor Lancelot Simon <tls () rek tjls com>
Date: Fri, 12 Dec 2003 16:54:19 -0500
On Fri, Dec 12, 2003 at 10:45:37PM +0100, Florian Weimer wrote:
There's also a PSIRT statement regarding this issue, and it's at best embarrassing for Cisco engineering folks: <http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html>
Whoever wrote that statement seems to have the fundamental XAUTH vulnerability and the recently-much-discussed possibility of brute-forcing Phase 1 preshared keys using Aggressive Mode pretty seriously mixed up.
I know several people work on XAUTH MITM attacks; I guess it will fall in a couple of weeks. (Just sniffing the user password is easy, the group password is typically public anyway; the remaining challenge consists of putting together several tools to transparently fake a Cisco VPN concentrator).
For what it's worth, the possibility of this general type of attack was repeatedly discussed in the IPsec working group and is a major reason why XAUTH was abandoned. The particular password-stealing attack that I describe has been widely discussed among IKE implementors for at least two years; other implementors probably independently noticed it at least as early as I did, which was three years ago.

What's pretty disturbing is that there is wide understanding of this issue among actual protocol implementors, but that Cisco field personnel continue to quite plainly tell customers that it does not exist at all, even when the risk to those customers is huge. Indeed, I'd say that including support for this mode in their VPN client, at this point, is pretty irresponsible -- recommending it is just plain awful.

--
Thor Lancelot Simon tls () rek tjls com
But as he knew no bad language, he had called him all the names of common objects that he could think of, and had screamed: "You lamp! You towel! You plate!" and so on.
--Sigmund Freud
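The combination the thread is about, Phase 1 in Aggressive Mode authenticated with a (group) pre-shared key or an XAUTH hybrid method, is visible in the clear in the first ISAKMP message, so a network defender can flag it from a capture. The following is an added example, not code from either poster: it parses the ISAKMP header and SA payload per RFC 2408/2409 (the XAUTH method values 65001/65002 are from draft-beaulieu-ike-xauth), and `check_phase1`, `auth_methods_in_sa` and `build_sample` are names chosen here; the sample datagram is constructed, not captured traffic.

```python
import struct

PAYLOAD_SA = 1           # ISAKMP payload type (RFC 2408 §3.1)
AGGRESSIVE = 4           # ISAKMP exchange type (RFC 2408 §3.1)
ATTR_AUTH_METHOD = 3     # IKE SA attribute class (RFC 2409 Appendix A)
# Phase 1 auth methods resting on a (group) pre-shared key: plain PSK and the XAUTH hybrids
PSK_AUTH_METHODS = {1, 65001, 65002}   # 65001/65002 come from draft-beaulieu-ike-xauth

def auth_methods_in_sa(sa_body):
    """Yield every Authentication Method attribute found in an SA payload body."""
    pos = 8                                         # skip DOI and Situation
    while pos + 8 <= len(sa_body):                  # Proposal payloads
        plen, spi_size, ntrans = struct.unpack_from("!2xH2xBB", sa_body, pos)
        tpos = pos + 8 + spi_size
        for _ in range(ntrans):                     # Transform payloads
            tlen = struct.unpack_from("!2xH", sa_body, tpos)[0]
            attrs, a = sa_body[tpos + 8:tpos + tlen], 0
            while a + 4 <= len(attrs):              # Data Attributes
                atype, aval = struct.unpack_from("!HH", attrs, a)
                if atype & 0x8000:                  # TV form: aval is the value
                    if atype & 0x7FFF == ATTR_AUTH_METHOD:
                        yield aval
                    a += 4
                else:                               # TLV form: aval is a length
                    a += 4 + aval
            tpos += tlen
        pos += plen

def check_phase1(packet):
    """Return (exchange_type, auth_methods, risky) for one raw ISAKMP datagram."""
    if len(packet) < 28:
        raise ValueError("truncated ISAKMP header")
    next_payload, exch, pos, methods = packet[16], packet[18], 28, []
    while next_payload and pos + 4 <= len(packet):  # walk the payload chain
        nxt, plen = struct.unpack_from("!BxH", packet, pos)
        if next_payload == PAYLOAD_SA:
            methods += auth_methods_in_sa(packet[pos + 4:pos + plen])
        next_payload, pos = nxt, pos + max(plen, 4)  # max() guards against zero-length loops
    return exch, methods, exch == AGGRESSIVE and bool(PSK_AUTH_METHODS & set(methods))

def build_sample(exchange_type, auth_method):
    """Constructed Phase 1 first message: one proposal, one transform (3DES, MD5, DH group 2)."""
    attrs = struct.pack("!8H", 0x8001, 5, 0x8002, 1, 0x8003, auth_method, 0x8004, 2)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), PAYLOAD_SA, 0x10,
                      exchange_type, 0, 0, 28 + len(sa))
    return hdr + sa
```

Main Mode with the same PSK proposal, or Aggressive Mode with certificate authentication, is not flagged; only the Aggressive-plus-PSK/XAUTH pairing is.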