RE: VPN Server

From: Dario Ciccarone (dciccaro) (dciccaro@cisco.com)
Date: Thu Jan 25 2007 - 01:02:54 EST



Kapil:

> Now with the IKE Scan tool, I get the following response from
> the vpn server using random ID= values for the group. However
>

Which is the expected outcome.

> even though the results say it's a vpn concentrator it's
> actually a cisco pix fw implementing a vpn server, which is
> fine, just a fingerprinting flaw. On further digging it was
> found that the vpn server is at proper patch levels and does
> not have any groups configured.
> However according to the vuln description, the following handshake
> to the aggressive mode should not be returned, and as one can
> see the returned handshake is successful.

Nope, it doesn't say that. The Security Notice reads:

"The vulnerability resides in the way those products listed as
affected respond to IKE Phase I messages in Aggressive Mode. If
the group name in the IKE message was a valid group name, the
affected device would reply to the IKE negotiation, while an
invalid group name will not elicit a response."

An attacker wants to know which groups are defined and valid -
so he uses the ike-scan product to send AM packets to the
device. If he gets an answer, the group is valid. If not, the
group is not valid. What we did was to deny the attacker that
information by replying to the AM message in both cases - if the
group is invalid and also if it is invalid. In that way, there's
no way for the attacker to determine which ones are valid and
which ones aren't.

> So I was wondering, is having Aggressive mode configured a
> problem here? Do we recommend disabling aggressive mode, and if
> yes, what could be the problem? Since no groups are configured,
> does it boil down to being a problem of fingerprinting the
> product used for the vpn server?
>
> As it seems it responds to below message for everything used.
>

Again, which is exactly what you want :)

Thanks,
Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
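The behaviour Dario describes, modelled as an added example that is not part of the original thread or of any Cisco code: a pre-fix responder that answers Aggressive Mode message 1 only for configured group names (an oracle), next to the fixed responder that answers in both cases, plus the check a defender would run to see whether a responder's reply pattern still distinguishes valid from invalid names. Group names and the message stand-in are constructed for illustration.

```python
# Added example, not code from the original post. Models the IKE Phase 1
# Aggressive Mode group-name oracle and the fix of replying uniformly.
from dataclasses import dataclass


@dataclass(frozen=True)
class AggressiveModeMsg1:
    """Constructed stand-in for AM message 1: the ID payload carries the group name."""
    group_id: str


class VulnerableResponder:
    """Pre-fix behaviour: reply only when the group name is configured."""

    def __init__(self, configured_groups):
        self.groups = set(configured_groups)

    def handle(self, msg):
        if msg.group_id in self.groups:
            return "AM_MSG2"  # responder sends message 2 (SA/KE/Nr/ID/HASH)
        return None           # silence: the probe learns the name is invalid


class FixedResponder:
    """Post-fix behaviour: reply the same way whether or not the group exists."""

    def __init__(self, configured_groups):
        self.groups = set(configured_groups)

    def handle(self, msg):
        # Validity is still checked later (authentication fails for an unknown
        # group), but it never changes whether message 2 is sent.
        return "AM_MSG2"


def probe(responder, candidates):
    """What an ike-scan style probe learns: candidate names that elicited a reply."""
    return {n for n in candidates if responder.handle(AggressiveModeMsg1(n)) is not None}


def leaks_group_names(responder, candidates):
    """Defender check: any observable difference across candidates is an oracle."""
    outcomes = {responder.handle(AggressiveModeMsg1(n)) is not None for n in candidates}
    return len(outcomes) > 1


if __name__ == "__main__":
    names = ["sales", "engineering", "random-guess-1"]  # constructed candidates
    for cls in (VulnerableResponder, FixedResponder):
        r = cls(["sales", "engineering"])
        print(cls.__name__, probe(r, names), "leaks:", leaks_group_names(r, names))
```

With the fixed responder every candidate gets a reply, so the probe's result set equals its input and carries no information, which is exactly the outcome Kapil observed.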

