[24594] in bugtraq
Linksys BEFVP41 VPN Server does not follow proper VPN standards
daemon@ATHENA.MIT.EDU (pschlesinger@teltechplus.com)
Fri Mar 8 15:40:33 2002
Date: 8 Mar 2002 00:41:16 -0000
Message-ID: <20020308004116.10693.qmail@mail.securityfocus.com>
From: <pschlesinger@teltechplus.com>
To: bugtraq@securityfocus.com
Dear all,
A month ago, we discovered a bug in the VPN Server module of the Linksys EtherFast BEFVP41 Cable/DSL VPN Router. Here's the detailed email we sent to Linksys Tech Support:
**** Begin Email ****
Dear Support @ Linksys,
We recently heard about your BEFVP41 and thought we'd try it out as we liked the BEFSR41. Our corporate office uses a SonicWALL Pro 200 on a T-1 line.
Anyway, I tried setting up a manual key entry on both the Pro 200 and the BEFVP41, but the key lengths on the BEFVP41 appear to be WAY off. Just to give you an idea, the SonicWALL approved the following 3DES/MD5 keys:
Encryption: 80C4DAFD9AFC3D7AB57079E19DEBFFF43538A62039768D74
Authentication: 32EA72F58D7F1E063E14A3FF78131172
But the BEFVP41 truncates the keys to:
Encryption: 80C4DAFD9AFC3D7AB57079E
Authentication: 32EA72F58D7F1E063E1
This happens even when I've selected 3DES encryption and MD5 authentication on the BEFVP41. SonicWALL's manual for configuring the VPN clearly states:
"The DES and ARCFour Keys must be exactly 16 characters long and are comprised of hexadecimal characters. Triple DES Keys are 48 characters long."..."The AH key must be exactly 32 characters long, if MD5 is used, and is comprised of hexadecimal characters"
whereas your manual states on page 22, "up to 23 alphanumeric characters are allowed to create this key", yet as you'll see above, the authentication string actually is restricted to 19 characters. What's going on? Do you expect people to convert between base 16 (hexadecimal) and base 36 (alphanumeric)?
**** End Email ****
BTW, the end question re: base 36 (alphanumeric) was because their GUI and manual didn't explain whether the information has to be entered in base 2, base 10, base 16, or base 36 - the VPN Server configuration screen seems to use both base 10 and base 36. Documentation for the product is rather utilitarian...
Anyway, I received an email shortly thereafter stating that they were escalating the problem to level 2 support. On 2/11, I received the following message from a Senior Product Support Representative at Linksys (I've chosen to withhold his name to prevent Loshen Hora):
**** Begin Email ****
Dear Valued Linksys Customer:
Thank you for contacting Linksys Customer Support.
We will attempt to address this in the next firmware release.
If you have further questions, please contact us at (800) 326-7114 or reply to this e-mail so that we may further assist you
**** End Email ****
My reply to the Senior Product Support Representative at Linksys:
**** Begin Email ****
You're kidding, right? Are you telling me that Linksys didn't use the proper IPSec keying methods in the design of the BEFVP41 when it says right on the box "Full IPSec Virtual Private Network (VPN) Capability" and that it is compatible with the SonicWALL Tele2 (which uses the same keying scheme)?
When is this firmware update coming?
PS - Out of curiosity, will I be receiving credit for finding this flaw? (Poster's note: okay, okay...so my interest in fame got the better of me...)
**** End Email ****
The reply from the Senior Product Support Representative at Linksys:
**** Begin Email ****
Thank you for contacting Linksys Customer Support.
Well sir it does work when you use IKE, which is much more secure than manual keying. Unfortunately sir bugs do happen in a product that hasn't been out on the market for more than a couple of months. I apologize for any inconvenience that this has caused you, but Linksys does not issue credit.
If you have further questions, please contact us at (800) 326-7114 or reply to this e-mail so that we may further assist you
**** End Email ****
That last email was sent to me on 2/12. It's now about a month later and there has not been a new firmware update for the BEFVP41 yet on the web site.
Just a FYI for y'all.
- Phil
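
Added example, not part of the original post and not code from either vendor: a small audit of manually keyed IPsec values that compares what was entered on one peer with what the other peer's configuration screen kept, using the key lengths quoted from the SonicWALL manual and the key strings given above. The function and field names are hypothetical, and the bit count assumes each stored character is treated as one hexadecimal digit, which the post notes the BEFVP41 documentation does not confirm.

```python
import string

# Manual-key lengths in hex characters, from the SonicWALL manual text quoted in the post.
REQUIRED_HEX_CHARS = {"DES": 16, "ARCFour": 16, "3DES": 48, "MD5": 32}

def audit_manual_key(algorithm, entered, stored):
    """Compare the key typed into a peer with the value its config screen kept."""
    required = REQUIRED_HEX_CHARS[algorithm]
    problems = []
    if any(c not in string.hexdigits for c in entered):
        problems.append("entered key contains non-hexadecimal characters")
    if len(entered) != required:
        problems.append(f"entered key is {len(entered)} chars, {algorithm} needs {required}")
    if stored != entered:
        if entered.startswith(stored):
            problems.append(f"stored key truncated to {len(stored)} of {required} chars")
        else:
            problems.append("stored key differs from entered key")
    if len(stored) % 2:
        problems.append("stored key has an odd number of hex digits (not whole bytes)")
    return {
        "algorithm": algorithm,
        "required_chars": required,
        "stored_chars": len(stored),
        "missing_chars": max(required - len(stored), 0),
        # Assumption: each stored character is one hex digit (4 bits).
        "stored_bits": 4 * len(stored),
        "usable": not problems,
        "problems": problems,
    }

# Values exactly as given in the post (entered on the SonicWALL, kept by the BEFVP41).
ENC_ENTERED = "80C4DAFD9AFC3D7AB57079E19DEBFFF43538A62039768D74"
ENC_STORED = "80C4DAFD9AFC3D7AB57079E"
AUTH_ENTERED = "32EA72F58D7F1E063E14A3FF78131172"
AUTH_STORED = "32EA72F58D7F1E063E1"

def audit_post_keys():
    return [audit_manual_key("3DES", ENC_ENTERED, ENC_STORED),
            audit_manual_key("MD5", AUTH_ENTERED, AUTH_STORED)]

if __name__ == "__main__":
    for report in audit_post_keys():
        print(report["algorithm"], f'{report["stored_chars"]}/{report["required_chars"]} chars')
        for p in report["problems"]:
            print("  -", p)
```

With manual keying both peers must hold identical key material, so any report that is not `usable` means the security association cannot interoperate with a peer that kept the full-length key.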