Penetration Testing mailing list archives
RE: VPN Server
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Thu, 25 Jan 2007 01:02:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kapil:
> Now with the IKE Scan tool, I get the following response from the VPN server using random ID= values for the group. However

Which is the expected outcome.
> Even though the results say it's a VPN concentrator, it's actually a Cisco PIX firewall implementing a VPN server, which is fine, just a fingerprinting flaw. On further digging it was found that the VPN server is at proper patch levels and does not have any groups configured. However, according to the vuln description, the following handshake to the aggressive mode should not be returned, and as one can see the returned handshake is successful.
Nope, it doesn't say that. The Security Notice reads: "The vulnerability resides in the way those products listed as affected respond to IKE Phase I messages in Aggressive Mode. If the group name in the IKE message was a valid group name, the affected device would reply to the IKE negotiation, while an invalid group name will not elicit a response." An attacker wants to know which groups are defined and valid, so he uses the ike-scan product to send AM packets to the device. If he gets an answer, the group is valid. If not, the group is not valid. What we did was to deny the attacker that information by replying to the AM message in both cases: if the group is valid and also if it is invalid. In that way, there's no way for the attacker to determine which ones are valid and which ones aren't.
> So I was wondering, is having Aggressive Mode configured a problem here? Do we recommend disabling Aggressive Mode, and if yes, what could be the problem? Since no groups are configured, does it boil down to being a problem of fingerprinting the product used for the VPN server? As it seems it responds to the below message for everything used.
Again, which is exactly what you want :)

Thanks,
Dario

Dario Ciccarone <dciccaro () cisco com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRbhIDoyVGB+6GuDwEQKkvACdFZh69lOiywj5hXjAXyAkcXz3D3QAn2O0
6E60omLb9oBEo6ArQrQiFPxW
=dgR9
-----END PGP SIGNATURE-----
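The group-name oracle the Security Notice describes, and the fix Dario explains (answer the Aggressive Mode message whether or not the group exists), modelled as an added Python example. This is not code from the thread, from ike-scan, or from any Cisco product: the group table, pre-shared keys and device secret are constructed, and the authentication hash is a plain HMAC stand-in rather than the real IKEv1 SKEYID construction. The point it makes is that the leak was the presence or absence of a reply, not its contents, so a responder that always replies removes the oracle.

```python
"""Model of the IKE Aggressive Mode group-name oracle and of the fix.

Constructed illustration only; it does not speak IKE on the wire.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed group table for the model (hypothetical names and pre-shared
# keys, not taken from any real device).
CONFIGURED_GROUPS = {
    "sales-vpn": b"constructed-psk-1",
    "eng-vpn": b"constructed-psk-2",
}

# Per-device secret used only to derive a consistent dummy key for unknown
# group names (an assumption of this model, not a documented device setting).
DEVICE_SECRET = b"constructed-device-secret"


@dataclass
class AggressiveModeRequest:
    """First Aggressive Mode packet. The ID payload carries the group name in
    the clear, which is why a reply/no-reply difference leaks its validity."""
    group_name: str
    initiator_nonce: bytes


@dataclass
class AggressiveModeResponse:
    responder_nonce: bytes
    hash_r: bytes


def _hash_r(psk: bytes, req: AggressiveModeRequest, nonce_r: bytes) -> bytes:
    """Stand-in for the responder's authentication hash: HMAC over both
    nonces and the ID (not the real IKEv1 derivation)."""
    msg = req.initiator_nonce + nonce_r + req.group_name.encode()
    return hmac.new(psk, msg, hashlib.sha1).digest()


def respond_leaky(req: AggressiveModeRequest) -> Optional[AggressiveModeResponse]:
    """Behaviour the Security Notice calls vulnerable: only a valid group
    name gets a reply, so the presence of a reply is an oracle."""
    psk = CONFIGURED_GROUPS.get(req.group_name)
    if psk is None:
        return None
    nonce_r = os.urandom(16)
    return AggressiveModeResponse(nonce_r, _hash_r(psk, req, nonce_r))


def respond_fixed(req: AggressiveModeRequest) -> Optional[AggressiveModeResponse]:
    """Behaviour Dario describes as the fix: reply whether or not the group
    exists. An unknown group gets a key derived deterministically from its
    name, so repeated probes see the same shape of answer and the exchange
    only fails later, at the step where the real PSK is needed."""
    psk = CONFIGURED_GROUPS.get(req.group_name)
    if psk is None:
        psk = hmac.new(DEVICE_SECRET, req.group_name.encode(), hashlib.sha256).digest()
    nonce_r = os.urandom(16)
    return AggressiveModeResponse(nonce_r, _hash_r(psk, req, nonce_r))


def leaks_group_validity(responder, valid_name: str, invalid_name: str) -> bool:
    """Defender's check: does the reply/no-reply pattern differ between a
    configured and an unconfigured group name? True means an oracle exists."""
    nonce_i = os.urandom(16)
    got_valid = responder(AggressiveModeRequest(valid_name, nonce_i)) is not None
    got_invalid = responder(AggressiveModeRequest(invalid_name, nonce_i)) is not None
    return got_valid != got_invalid


if __name__ == "__main__":
    for label, fn in (("leaky", respond_leaky), ("fixed", respond_fixed)):
        print(label, "leaks group validity:",
              leaks_group_validity(fn, "eng-vpn", "no-such-group"))
```

The initiator cannot check HASH_R without the group's pre-shared key, so a reply computed with a dummy key looks the same as a genuine one; that is what lets the fixed responder answer for every name. A real implementation also has to keep the work done for unknown and known names comparable, otherwise response timing would reopen the same oracle through a side channel.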