Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability

Document ID: 534

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname

Revision 1.1

Last Updated on 2010 December 2 17:00 UTC (GMT)

For Public Release 2010 November 24 17:00 UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This Cisco Security Response is an updated version of an original Cisco Security Notice (http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml) issued in response to the Cisco VPN Concentrator Group Name Enumeration Vulnerability advisory published on June 20, 2005, by NTA Monitor at http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm.

A further Cisco VPN Concentrator Group Name Enumeration Vulnerability that affects the Cisco PIX, Cisco VPN 3000 Concentrator, and Cisco ASA was reported to Cisco by Gavin Jones of NGS Secure. This vulnerability does not affect Cisco IOS Software. In the original report, the affected device would reply to the IKE negotiation if the group name in the IKE message was valid, whereas an invalid group name would not elicit a response. These IKE-related differences in the device reply were fixed with the original Cisco Bug IDs. However, the device response still differs in the dead peer detection (DPD) Vendor ID (VID) payload, depending on whether a valid group name has been received.

This Security Response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname, with the original security notice posted at: http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml.

Additional Information

This vulnerability allows an attacker to discover which group names are configured and valid on those Cisco devices listed as affected in the Affected Products section. It only affects customers using a PSK (pre-shared key) for group authentication in a remote access VPN scenario. Site-to-site VPNs (either using a PSK or certificates), customers using remote access VPNs with certificates, or customers using the VPN 3000 Concentrator feature called 'Mutual Group Authentication' are not affected by this vulnerability.

The vulnerability resides in the way the products listed as affected respond to IKE Phase 1 messages in Aggressive Mode. If the group name in the IKE message is a valid group name, the affected device replies to the IKE negotiation, while an invalid group name does not elicit a response.

Once a valid group name has been identified, the attacker can use the information contained in the reply packet sent by the affected device to mount an off-line attack and try to discover the PSK used for group authentication. If the off-line attack is successful and the PSK is recovered, the information could then be used to attempt a MiTM (Man-in-the-Middle) attack against sessions being initiated by remote VPN clients towards the affected device.
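The behaviour described above is observable on the wire: a peer probing for valid group names sends a series of IKEv1 Aggressive Mode first messages, each carrying a different ID_KEY_ID identity, and learns from which ones get an answer. The following added example (not part of this Cisco response and not Cisco code) shows the defender's side of that: a small RFC 2408 ISAKMP walker that extracts the ID_KEY_ID identity from an Aggressive Mode message, and a detection rule that flags a source presenting many distinct group identities within a short window. The packets, addresses, window and threshold are constructed for illustration; the cookies and the SA payload body are dummy values, since only the header exchange type and the ID payload matter here.

```python
import struct
from collections import defaultdict

# RFC 2408 constants used below
ISAKMP_HDR_LEN = 28
EXCH_MAIN = 2
EXCH_AGGRESSIVE = 4
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_ID = 5
ID_KEY_ID = 11          # identification type carrying the VPN group name


def build_isakmp(payloads, exch=EXCH_AGGRESSIVE):
    """Constructed ISAKMP message: 28-byte header followed by chained generic payloads.
    `payloads` is a list of (payload_type, payload_body) tuples. Cookies are dummies."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                      first, 0x10, exch, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def id_payload(group_name):
    """ID payload body: ID type, protocol (17 = UDP), port 500, then the identity bytes."""
    return struct.pack("!BBH", ID_KEY_ID, 17, 500) + group_name


def extract_group_name(pkt):
    """Return the ID_KEY_ID identity from an Aggressive Mode ISAKMP message, else None.
    Walks the payload chain by next-payload field and rejects malformed lengths."""
    if len(pkt) < ISAKMP_HDR_LEN:
        return None
    _ic, _rc, next_p, _ver, exch, _flags, _mid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if exch != EXCH_AGGRESSIVE or length > len(pkt):
        return None
    off = ISAKMP_HDR_LEN
    while next_p != PAYLOAD_NONE and off + 4 <= length:
        nxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > length:
            return None                      # truncated or inconsistent payload
        if next_p == PAYLOAD_ID and plen >= 8 and pkt[off + 4] == ID_KEY_ID:
            return pkt[off + 8:off + plen]   # identity data follows the 4-byte ID header
        next_p, off = nxt, off + plen
    return None


def detect_group_enumeration(events, window=60, threshold=3):
    """events: iterable of (timestamp, src_ip, raw_isakmp_bytes).
    Returns {src_ip: max distinct group identities seen within `window` seconds}
    for every source that reached `threshold` distinct identities."""
    history = defaultdict(list)
    alerts = {}
    for ts, src, pkt in events:
        group = extract_group_name(pkt)
        if group is None:
            continue
        history[src].append((ts, group))
        recent = {g for t, g in history[src] if ts - t <= window}
        if len(recent) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(recent))
    return alerts


def sample_events():
    """Constructed traffic: one source cycling through five group names in five seconds,
    one legitimate client retrying the same group, and a Main Mode message to be ignored."""
    sa = (PAYLOAD_SA, b"\x00\x00\x00\x01")          # dummy SA body (DOI = IPsec)
    events = []
    for i, name in enumerate([b"sales", b"eng", b"admin", b"vpn", b"remote"]):
        events.append((float(i), "203.0.113.5", build_isakmp([sa, (PAYLOAD_ID, id_payload(name))])))
    events.append((10.0, "198.51.100.7", build_isakmp([sa, (PAYLOAD_ID, id_payload(b"sales"))])))
    events.append((12.0, "198.51.100.7", build_isakmp([sa, (PAYLOAD_ID, id_payload(b"sales"))])))
    events.append((13.0, "198.51.100.7", build_isakmp([sa], exch=EXCH_MAIN)))
    return events


if __name__ == "__main__":
    print(detect_group_enumeration(sample_events()))   # {'203.0.113.5': 5}
```

In a real deployment the events would come from a UDP/500 capture or the device's own IKE logging rather than constructed bytes; the useful signal is the number of distinct ID_KEY_ID values per source, not the raw packet rate, because a legitimate client retries the same group name. Note that the parser stops at the first ID payload and does not decrypt anything: in Aggressive Mode the first message is sent in the clear, which is precisely why the identity is visible to a network sensor.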

The additional Group Name Enumeration Vulnerability is documented in the following Bug ID (registered customers only):

Affected Products

The following products are affected by this vulnerability:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco PIX 500 Series Security Appliances (versions 6.3.x and earlier are not affected)
  • Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)

Cisco IOS Software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Software Versions and Fixes

Due to end-of-life status of the Cisco PIX 500 Series Security Appliances and the Cisco VPN 3000 Series Concentrators, no fixed software will be made available for these products.

Fixed software for Cisco ASA 5500 Series Adaptive Security Appliances is available from the Cisco.com software download center, which is in the following location: Products --> Security --> Firewall --> Firewall Appliances --> Cisco ASA 5500 Series Adaptive Security Appliances --> Cisco ASA XXXX Adaptive Security Appliance --> Adaptive Security Appliance (ASA) Software.

The following Cisco ASA Software versions contain this fix:

Major Version    First Fixed Release
8.0              008.000(005.023)
8.1              008.001(002.049)
8.2              008.002(004.005)*
8.3              008.003(002.013)
8.4              008.004(001.004)*

Software versions that are followed by an asterisk character (*) are not available on Cisco.com as of March 30, 2011. Customers can obtain these versions by contacting their maintenance provider.
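The fixed releases above are interim builds written in Cisco's zero-padded form, so a quick eyeball comparison against `show version` output such as 8.2(4.5) is error-prone. The following added example (not part of this Cisco response and not Cisco code) parses both spellings of an ASA version string and decides, per major train, whether a given version is at or beyond the first fixed release in the table above. The table is transcribed from this response; a version in a train the table does not list returns None rather than a guess, and PIX 500 and VPN 3000 are deliberately outside its scope because no fixed software exists for them.

```python
import re

# Transcribed from the advisory table: major train -> first fixed interim release.
FIRST_FIXED_ASA = {
    "8.0": "008.000(005.023)",
    "8.1": "008.001(002.049)",
    "8.2": "008.002(004.005)",
    "8.3": "008.003(002.013)",
    "8.4": "008.004(001.004)",
}

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*")


def parse_asa_version(text):
    """Parse '008.002(004.005)' or '8.2(4.5)' or '8.2(4)' into (major, minor, maint, interim).
    A release with no interim number, e.g. 8.2(4), sorts below its interims such as 8.2(4.5)."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(version):
    """True if `version` is at or beyond the first fixed release of its train,
    False if it is earlier, None if the train is not covered by the advisory table."""
    v = parse_asa_version(version)
    train = f"{v[0]}.{v[1]}"
    fixed = FIRST_FIXED_ASA.get(train)
    if fixed is None:
        return None
    return v >= parse_asa_version(fixed)


def triage(versions):
    """Map each inventory version string to 'fixed', 'vulnerable' or 'unknown-train'."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown-train"}
    return {ver: labels[is_fixed(ver)] for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of ASA versions, not taken from any real device.
    print(triage(["8.0(5.23)", "8.2(4)", "8.2(4.5)", "8.3(2.13)", "8.4(1)", "8.5(1)"]))
```

The tuple comparison relies on Cisco's ordering where 8.2(5) is later than 8.2(4.5); if an inventory tool reports versions in yet another spelling, extend the regular expression rather than the comparison.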

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.1

2010-December-02

Added additional information to summary section

Revision 1.0

2010-November-29

Initial public release

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.