[18695] in cryptography@c2.net mail archive
Re: Cisco VPN password recovery program
daemon@ATHENA.MIT.EDU (Andrea Pasquinucci)
Wed Oct 19 11:45:17 2005
X-Original-To: cryptography@metzdowd.com
Date: Wed, 19 Oct 2005 17:14:46 +0200
From: Andrea Pasquinucci <cesare@ucci.it>
To: cryptography@metzdowd.com
Reply-To: Andrea Pasquinucci <cesare@ucci.it>
Mail-Followup-To: Andrea Pasquinucci <cesare@ucci.it>,
cryptography@metzdowd.com
In-Reply-To: <87u0fdzikg.fsf@snark.piermont.com>
On Wed, Oct 19, 2005 at 10:29:19AM -0400, Perry E. Metzger wrote:
*
* Via cryptome:
*
* http://evilscientists.de/blog/?page_id=343
*
* The Cisco VPN Client uses weak encryption to store user and group
* passwords in your local profile file. I coded a little tool to
* reveal the saved passwords from a given profile file.
*
* If this is true, it doesn't sound like Cisco used a particularly smart
* design for this.
*
For information only, here is Cisco's reply as passed on to
full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com
Andrea
=================================================================
From: Clayton Kossmeyer <ckossmey@cisco.com>
Subject: Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted
Date: Tue, 18 Oct 2005 16:06:05 -0400
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com, psirt@cisco.com
Hello -
The Cisco PSIRT is aware of reports that claim the Cisco VPN Client
password encryption uses a breakable algorithm to encrypt user
passwords.
We are aware of reports at the following sites:
http://www.heise.de/newsticker/meldung/64954
http://evilscientists.de/blog/?page_id=339
http://evilscientists.de/blog/?page_id=343
This issue is related to a Security Notice that the Cisco PSIRT
released in October of 2004. Cisco's public announcement can be found
here:
http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml
The Cisco VPN 3000 Series has a configuration option that does not
allow the storage of the user password in the VPN client. For
customers that are concerned about the recovery of the user password,
the following option can be disabled to prevent local storage of the
user password.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html#wp2477015
---------------------
Cisco Client Parameters
Allow Password Storage on Client - Check this box to allow IPSec
clients to store their login passwords on their local client
systems. If you do not allow password storage (the default), IPSec
users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password
storage.
---------------------
Note that the default configuration of the VPN 3000 Series does not
allow client password storage. Additionally, this attack only affects
passwords that are static and reused for login to the VPN
network. Customers using one-time passwords (OTP) and certificates to
connect are unaffected.
We do greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
Regards,
Clay
Cisco PSIRT
--
Andrea Pasquinucci cesare@ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com