Full Disclosure mailing list archives

Re: IKE Aggressive Mode Downgrade Attack?


From: Lee <ler762 () gmail com>
Date: Fri, 1 May 2015 00:30:26 -0400

On 4/30/15, Melchior Limacher <mli () protect7 com> wrote:
> Hello
>
> I was reading about "ike aggressive mode with pre shared key"
> (CVE-2002-1623).
>
> As described by Cisco
> (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html),
> this is still an issue
> "When responding to IPSec session initialization, Cisco IOS(r) software
> may use Aggressive Mode even if it has not been explicitly configured
> to do so. Cisco IOS software initially tries to negotiate using Main
> Mode but, failing that, resorts to Aggressive Mode."
>
> Are there known downgrade attacks? Counter-Measures?

  crypto isakmp aggressive-mode disable
should be the counter-measure.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp7822516900
   To block all Internet Security Association and Key Management
   Protocol (ISAKMP) aggressive mode requests to and from a device,
   use the
      crypto isakmp aggressive-mode disable
   command in global configuration mode.

Regards,
Lee

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
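
To confirm on the wire that a device no longer takes part in Aggressive Mode after the command above is applied, the ISAKMP header of captured UDP/500 payloads can be classified by exchange type. This is an added example, not part of the original post or of Cisco's documentation; the header layout and exchange-type values are from RFC 2408, and the function names and sample packets are constructed for illustration.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408, section 3.1): initiator cookie,
# responder cookie, next payload, version, exchange type, flags,
# message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
MAIN_MODE = 2    # "Identity Protection" exchange
AGGRESSIVE = 4   # "Aggressive" exchange
NO_COOKIE = bytes(8)


def parse_header(payload: bytes) -> dict:
    """Parse and sanity-check the ISAKMP header of one UDP/500 payload."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, _np, version, xchg, _flags, _mid, length = \
        HEADER.unpack_from(payload)
    if not HEADER.size <= length <= len(payload):
        raise ValueError("length field does not match payload")
    return {"icookie": icookie, "rcookie": rcookie,
            "major": version >> 4, "exchange": xchg}


def classify(payload: bytes) -> str:
    """Label a packet by what it says about aggressive-mode use."""
    hdr = parse_header(payload)
    if hdr["major"] != 1 or hdr["exchange"] != AGGRESSIVE:
        return "other"
    # The responder cookie is zero only in the initiator's first message;
    # once it is set, a responder has taken part in the exchange.
    if hdr["rcookie"] == NO_COOKIE:
        return "aggressive-request"
    return "aggressive-accepted"


def sample(xchg: int, rcookie: bytes = NO_COOKIE) -> bytes:
    """Constructed header-only test packet (no real payloads follow)."""
    return HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, 0, 0, HEADER.size)


if __name__ == "__main__":
    for name, pkt in [("main mode", sample(MAIN_MODE)),
                      ("aggressive init", sample(AGGRESSIVE)),
                      ("aggressive reply", sample(AGGRESSIVE, b"\x22" * 8))]:
        print(f"{name:17} -> {classify(pkt)}")
```

An "aggressive-accepted" result for traffic involving a device that is supposed to have Aggressive Mode disabled is the case worth alerting on.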

