[39348] in bugtraq


RE: Cisco VPN Concentrator Groupname Enumeration Vulnerability

daemon@ATHENA.MIT.EDU (Dario Ciccarone (dciccaro))
Wed Jun 29 15:52:15 2005

Date: Wed, 29 Jun 2005 14:11:56 -0400
Message-ID: <829173BE40A7F147AC51726688B0374B428E56@xmb-rtp-203.amer.cisco.com>
From: "Dario Ciccarone (dciccaro)" <dciccaro@cisco.com>
To: "Roy Hills" <Roy.Hills@nta-monitor.com>, <bugtraq@securityfocus.com>

Cisco has made public a Security Notice, available at

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml

which includes information about the issue, mitigation measures and
fixed software availability.

We would like to thank Roy Hills and NTA-Monitor for following
responsible disclosure practices and working with us on this issue.

Quidquid latine dictum sit, altum viditur (whatever is said in Latin sounds profound)

Dario Ciccarone
CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
dciccaro@cisco.com

> -----Original Message-----
> From: Roy Hills [mailto:Roy.Hills@nta-monitor.com]
> Sent: Monday, June 20, 2005 9:51 AM
> To: bugtraq@securityfocus.com
> Subject: Cisco VPN Concentrator Groupname Enumeration Vulnerability
>
> Cisco VPN Concentrator Groupname Enumeration Vulnerability
>
> 1. Overview:
>
> NTA Monitor has discovered a groupname enumeration vulnerability in the
> Cisco VPN 3000 series concentrator products while performing a VPN
> security test for a customer.
>
> The vulnerability affects remote access VPNs with groupname
> authentication.  Site-to-site VPN operation is not affected, nor is
> remote access with certificate authentication.  In practice, we find
> that most concentrators are configured for remote access with groupname
> authentication, so this bug will affect the majority of users.
>
> The vulnerability allows an attacker to use a dictionary attack to
> determine valid group names on the concentrator.  Once a valid group
> name is determined, the attacker can then use this to obtain a hash
> from the concentrator, which can then be cracked offline to determine
> the group password.
>
> Once an attacker has a valid groupname and group password, they can
> potentially mount a Man-in-the-Middle (MitM) attack against the XAUTH
> user authentication mechanism.  This allows the attacker to snoop on
> VPN traffic, alter VPN traffic, or gain access to the network protected
> by the VPN.  This MitM attack works even if strong authentication such
> as SecurID is used for user authentication.
>
> 2. Vulnerability Details:
>
> The vulnerability allows an attacker to enumerate valid groupnames on a
> Cisco VPN concentrator through either a dictionary attack, or a
> brute-force attack.  The issue exists because the concentrator responds
> to valid groupnames differently to the way in which it responds to
> invalid groupnames.
>
> The exploit involves sending an IKE Aggressive Mode packet with the
> groupname to be tested in the Identity (ID) payload.  The ID Type is
> 11, which corresponds to ID_KEY_ID.  If the specified groupname is
> valid, the concentrator will respond; if it is not valid, then the
> concentrator will not respond.  The ike-scan tool can be used to
> demonstrate this vulnerability.
>
> The vulnerability is present in both normal IKE over UDP, and also
> Cisco proprietary TCP-encapsulated IKE.  The ike-scan tool can use
> either transport type: for Cisco IKE in TCP, you need to specify the
> option --tcp=2.  When using TCP encapsulation, an invalid groupname
> causes the concentrator to send a TCP RST packet, which causes ike-scan
> to return the error message "recvfrom: Connection reset by peer".
>
> The groupname guessing rate depends on the bandwidth between the
> attacker's system and the concentrator.  Because most of the group
> names tried will be incorrect, and therefore the concentrator won't
> respond, it's only the bandwidth from the attacker to the concentrator
> that matters; the bandwidth from the concentrator back to the attacker
> is not important.
>
> An IKE aggressive mode packet with a single transform, using
> Diffie-Hellman group 2, and having an eight character groupname has an
> IKE packet size of 256 bytes.  Adding the eight byte UDP header and 20
> byte IP header gives a total size of 284 bytes or 2,272 bits.  Assuming
> a link speed of 2Mbits/sec, this gives a guessing rate of
> 2,000,000 / 2,272 = 880 guesses per second.
>
> A guessing rate of 880 per second is 3,168,000 per hour or 76,032,000
> per day.  This rate is sufficient to perform an extensive dictionary
> attack, or a limited brute-force attack.  The concentrator does not
> limit the groupname guessing rate, nor does it blacklist hosts that
> perform groupname enumeration: in tests, it was possible to get a
> successful response to a valid groupname immediately after thousands
> of incorrect attempts.
>
> Once a valid groupname is obtained, it is possible to use this
> groupname to obtain a hash from the concentrator, and mount an offline
> password-guessing attack against this hash to obtain the group
> password.  Because the password-guessing process is offline, it is
> fast (hundreds of thousands of guesses per second), and will not cause
> the concentrator to log any authentication failures.
>
> A valid groupname and password allows the attacker to complete IKE
> Phase-1 and establish an ISAKMP SA to the concentrator.  They can then
> mount a Man-in-the-Middle (MitM) attack against the second-stage
> user-authentication process, which is typically XAUTH.
>
> The offline password guessing process and MitM attack against XAUTH
> are detailed in the VPN flaws whitepaper at
> http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf.
>
> 3.  Example:
>
> The example below shows the two different concentrator responses: the
> first is for the valid groupname "finance", and the second is for the
> invalid groupname "administration".  We see that the concentrator
> responds to the valid groupname, but not to the invalid one.  Because
> of this difference in behaviour, it is possible to determine whether a
> given groupname is valid or not.
>
> The ike-scan options used in this example are:
>
> -A              Specify IKE Aggressive Mode.  The default for ike-scan
>                 is Main Mode.
> --idtype=11     Specify ID Type 11 for the ID payload.  This
>                 corresponds to ID_KEY_ID.
> -M              Multiline: Display each payload on a separate line,
>                 which makes the output easier to read.
> --auth=65001    Specify authentication method 65001, which corresponds
>                 to XAUTH.
> --id=finance    Specify the string to be used for the ID payload.
> 10.0.0.1        The IP address of the target VPN concentrator.
>
> 3.1.  Response to valid groupname "finance":
>
> $ ike-scan -A --idtype=11 -M --auth=65001 --id=finance 10.0.0.1
> Starting ike-scan 1.7.2 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
> 10.0.0.1 Aggressive Mode Handshake returned
> SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
> KeyExchange(128 bytes)
> Nonce(20 bytes)
> ID(Type=ID_IPV4_ADDR, Value=10.0.0.1)
> Hash(16 bytes)
> VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
> VID=09002689dfd6b712 (XAUTH)
> VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection)
> VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
> VID=65963c60eacf802220adccf628738746
> VID=1f07f70eaa6514d3b0fa96542a500400 (Cisco VPN Concentrator)
>
> Ending ike-scan 1.7.2: 1 hosts scanned in 0.423 seconds (2.36 hosts/sec). 1 returned handshake; 0 returned notify
>
> 3.2.  Response to invalid groupname "administration":
>
> $ ike-scan -A --idtype=11 -M --auth=65001 --id=administration 10.0.0.1
> Starting ike-scan 1.7.2 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
>
> Ending ike-scan 1.7.2: 1 hosts scanned in 0.594 seconds (1.68 hosts/sec). 0 returned handshake; 0 returned notify
>
> 4.  Affected Versions:
>
> The issue is believed to affect all models of Cisco VPN 3000
> Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080.  We believe that
> all software versions prior to 4.1.7.F are vulnerable.
>
> 5.  Solution:
>
> Upgrade to software version 4.1.7.F or later.  Cisco customers with a
> valid login may obtain the new software from the Cisco website.  Cisco
> has stated in the release notes that this software version is not
> vulnerable to the issue, but NTA Monitor have not verified this claim.
>
> Alternatively, use certificate authentication rather than group
> authentication.  This vulnerability does not apply to certificate
> authentication.
>
> 6.  Timeline:
>
> The vulnerability was first discovered on 8th July 2004, and was
> reported to Cisco's security team (PSIRT) on 20th September 2004.
> Cisco were able to reproduce the issue using the ike-scan tool, and
> bug ID CSCeg00323 was opened on 11th October 2004.  Software version
> 4.1.7.F, which claims to have fixed the issue, was released on 19th
> May 2005.
>
> 7.  References:
>
> Cisco Bug ID CSCeg00323 "vpn3k - inconsistent behavior on scanning".
> NTA Monitor advisory
> http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm
>
> 8.  Other Information:
>
> This is one of the classes of vulnerability discussed in the VPN flaws
> whitepaper, which was released in January 2005.  This whitepaper is
> available at:
> http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf
>
> Roy Hills
>
>
> --
> Roy Hills                                    Tel:   +44 1634 721855
> NTA Monitor Ltd                              FAX:   +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate,                          Email: Roy.Hills@nta-monitor.com
> Rochester, Kent ME2 4FA,
> UK                                           WWW:   http://www.nta-monitor.com/
>
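The traffic pattern the quoted advisory describes (Aggressive Mode requests carrying ID_KEY_ID identities, almost all of which the concentrator never answers) is visible on the inbound side of the concentrator alone. The following Python is an added example, not code from the advisory, from Cisco or from ike-scan: it parses the ISAKMP header and payload chain (RFC 2408 layout) of each inbound UDP/500 datagram and raises an alert when one source presents many distinct ID_KEY_ID values in Aggressive Mode within a short window. The datagrams it is fed are constructed, minimal samples (header plus Identification payload only, so they are not usable handshakes), and the threshold and window values are assumptions to be tuned per site.

```python
"""Flag IKE Aggressive Mode groupname (ID_KEY_ID) enumeration in inbound
ISAKMP datagrams.  Added example (not from the advisory, Cisco or ike-scan):
a minimal RFC 2408 header/payload-chain parser plus a per-source detector.
"""
import struct
from collections import defaultdict

ISAKMP_HDR_LEN = 28      # cookies(16) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
EXCH_MAIN = 2            # Identity Protection (Main Mode)
EXCH_AGGRESSIVE = 4
PAYLOAD_NONE = 0
PAYLOAD_ID = 5           # Identification payload
ID_KEY_ID = 11           # the ID type the advisory says carries the group name


def parse_isakmp(data):
    """Return (exchange_type, id_type, id_value) for one datagram, or None if
    the header or payload chain is malformed.  id_type/id_value are None when
    no Identification payload is present."""
    if len(data) < ISAKMP_HDR_LEN:
        return None
    _icookie, _rcookie, next_payload, _ver, exch, _flags, _msgid, length = \
        struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        return None
    off = ISAKMP_HDR_LEN
    id_type = id_value = None
    while next_payload != PAYLOAD_NONE:
        if off + 4 > len(data):
            return None
        this_payload = next_payload
        # generic payload header: next(1) reserved(1) length(2); length covers the header
        next_payload, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            return None
        if this_payload == PAYLOAD_ID and plen >= 8:
            # ID payload body: id_type(1) protocol_id(1) port(2) identification data
            id_type = data[off + 4]
            id_value = data[off + 8:off + plen]
        off += plen
    return exch, id_type, id_value


class GroupnameEnumDetector:
    """Alert when one source sends >= threshold distinct ID_KEY_ID identities in
    Aggressive Mode within `window` seconds.  Unanswered guesses still arrive,
    so the inbound side alone is enough to see the pattern."""

    def __init__(self, threshold=20, window=60.0):   # assumed defaults; tune per site
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(list)               # src -> [(timestamp, id_value)]

    def observe(self, src, ts, data):
        parsed = parse_isakmp(data)
        if parsed is None:
            return False
        exch, id_type, id_value = parsed
        if exch != EXCH_AGGRESSIVE or id_type != ID_KEY_ID:
            return False
        recent = [e for e in self.events[src] if e[0] >= ts - self.window]
        recent.append((ts, id_value))
        self.events[src] = recent
        return len({v for _, v in recent}) >= self.threshold


def build_sample(exch, id_type, id_value):
    """Constructed test datagram: ISAKMP header + Identification payload only.
    A real Aggressive Mode message also carries SA, KE and Nonce payloads; they
    are omitted because the detector does not need them."""
    body = struct.pack("!BBH", id_type, 17, 500) + id_value        # proto UDP, port 500
    id_payload = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_ID,
                      0x10, exch, 0, 0, ISAKMP_HDR_LEN + len(id_payload))
    return hdr + id_payload


def run_demo():
    """Constructed traffic: one client presenting a single group, one source
    cycling through a word list.  Returns the per-datagram alert flags."""
    det = GroupnameEnumDetector(threshold=5, window=60.0)
    flags = [det.observe("10.1.1.5", 0.0,
                         build_sample(EXCH_AGGRESSIVE, ID_KEY_ID, b"finance"))]
    for i, guess in enumerate([b"admin", b"sales", b"hr", b"finance", b"it"]):
        flags.append(det.observe("192.0.2.9", 1.0 + i,
                                 build_sample(EXCH_AGGRESSIVE, ID_KEY_ID, guess)))
    return flags


if __name__ == "__main__":
    print(run_demo())
```

Main Mode exchanges and non-KEY_ID identities (for example the ID_IPV4_ADDR the concentrator itself returns in the sample output above) are ignored, so a fleet of legitimate clients each presenting its one group name does not trip the threshold; only a source that cycles through identities does. In practice the datagrams would come from a capture on the concentrator's outside interface rather than from `build_sample`.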

[Attachment: cisco-vpn-grpname-adv.txt.asc (base64 content not reproduced here)]