Full Disclosure mailing list archives
Re: IKE Aggressive Mode Downgrade Attack?
From: Lee <ler762 () gmail com>
Date: Fri, 1 May 2015 00:30:26 -0400
On 4/30/15, Melchior Limacher <mli () protect7 com> wrote:
Hello I was reading about "ike aggressive mode with pre shared key" (CVE-2002-1623). As described by cisco (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html), this is still an issue "When responding to IPSec session initialization, Cisco IOS(r) software may use Aggressive Mode even if it has not been explicitly configured to do so. Cisco IOS software initially tries to negotiate using Main Mode but, failing that, resorts to Aggressive Mode." Are there known downgrade attacks? Counter-Measures?
crypto isakmp aggressive-mode disable should be the counter-measure. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp7822516900 To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. Regards, Lee _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: IKE Aggressive Mode Downgrade Attack? Lee (Apr 30)