RE: Cisco VPN Concentrator Groupname Enumeration Vulnerability
From: Dario Ciccarone (dciccaro) (dciccaro_at_cisco.com)
Date: 06/29/05
- Previous message: Martin Pitt: "[USN-146-1] Ruby vulnerability"
- Maybe in reply to: Roy Hills: "Cisco VPN Concentrator Groupname Enumeration Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Jun 2005 14:11:56 -0400 To: "Roy Hills" <Roy.Hills@nta-monitor.com>, <bugtraq@securityfocus.com>
Cisco has made public a Security Notice, available at
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml
which includes information about the issue, mitigation measures and
fixed software
availability.
We would like to thank Roy Hills and NTA-Monitor for following
responsible disclosure practices and working with us on this issue.
Quidquid latine dictum sit, altum viditur
Dario Ciccarone
CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
dciccaro@cisco.com
> -----Original Message-----
> From: Roy Hills [mailto:Roy.Hills@nta-monitor.com]
> Sent: Monday, June 20, 2005 9:51 AM
> To: bugtraq@securityfocus.com
> Subject: Cisco VPN Concentrator Groupname Enumeration Vulnerability
>
> Cisco VPN Concentrator Groupname Enumeration Vulnerability
>
> 1. Overview:
>
> NTA Monitor has discovered a groupname enumeration
> vulnerability in the
> Cisco VPN 3000 series concentrator products while performing
> a VPN security
> test for a customer.
>
> The vulnerability affects remote access VPNs with groupname
> authentication. Site-to-site VPN operation is not affected,
> nor is remote
> access with certificate authentication. In practice, we find
> that most
> concentrators are configured for remote access with groupname
> authentication, so this bug will affect the majority of users.
>
> The vulnerability allows an attacker to use a dictionary attack to
> determine valid group names on the concentrator. Once a
> valid group name
> is determined, the attacker can then use this to obtain a
> hash from the
> concentrator, which can then be cracked offline to determine
> the group
> password.
>
> Once an attacker has a valid groupname and group password, they can
> potentially mount a Man-in-the-Middle (MitM) attack against
> the XAUTH user
> authentication mechanism. This allows the attacker to snoop on VPN
> traffic, alter VPN traffic, or gain access to the network
> protected by the
> VPN. This MitM attack works even if strong authentication
> such as SecurID
> is used for user authentication.
>
> 2. Vulnerability Details:
>
> The vulnerability allows an attacker to enumerate valid
> groupnames on a
> Cisco VPN concentrator through either a dictionary attack, or
> a brute-force
> attack. The issue exists because the concentrator responds to valid
> groupnames differently to the way in which it responds to
> invalid groupnames.
>
> The exploit involves sending an IKE Aggressive Mode packet with the
> groupname to be tested in the Identity (ID) payload. The ID
> Type is 11,
> which corresponds to ID_KEY_ID. If the specified groupname
> is valid, the
> concentrator will respond; if it is not valid, then the
> concentrator will
> not respond. The ike-scan tool can be used to demonstrate
> this vulnerability.
>
> The vulnerability is present in both normal IKE over UDP, and
> also Cisco
> proprietary TCP-encapsulated IKE. The ike-scan tool can use either
> transport type: for Cisco IKE in TCP, you need to specify the option
> --tcp=2. When using TCP encapsulation, an invalid groupname
> causes the
> concentrator to send a TCP RST packet, which causes ike-scan
> to return the
> error message "recvfrom: Connection reset by peer".
>
> The groupname guessing rate depends on the bandwidth between
> the attacker's
> system and the concentrator. Because most of the group names
> tried will be
> incorrect, and therefore the concentrator won't respond, it's
> only the
> bandwidth from the attacker to the concentrator that matters;
> the bandwidth
> from the concentrator back to the attacker is not important.
>
> An IKE aggressive mode packet with a single transform, using
> Diffie-Hellman
> group 2, and having an eight character groupname has an IKE
> packet size of
> 256 bytes. Adding the eight byte UDP header and 20 byte IP
> header gives a
> total size of 284 bytes or 2,272 bits. Assuming a link speed of
> 2Mbits/sec, this gives a guessing rate of 2,000,000 / 2,272 =
> 880 guesses
> per second.
>
> A guessing rate of 880 per second is 3,168,000 per hour or
> 76,032,000 per
> day. This rate is sufficient to perform an extensive
> dictionary attack, or
> a limited brute-force attack. The concentrator does not limit the
> groupname guessing rate, nor does it blacklist hosts that
> perform groupname
> enumeration: in tests, it was possible to get a successful
> response to a
> valid groupname immediately after thousands of incorrect attempts.
>
> Once a valid groupname is obtained, it is possible to use
> this groupname to
> obtain a hash from the concentrator, and mount an offline
> password-guessing
> attack against this hash to obtain the group password. Because the
> password-guessing process is offline, it is fast (hundreds of
> thousands of
> guesses per second), and will not cause the concentrator to log any
> authentication failures.
>
> A valid groupname and password allows the attacker to
> complete IKE Phase-1
> and establish an ISAKMP SA to the concentrator. They can
> then mount a
> Man-in-the-Middle (MitM) attack against the second-stage
> user-authentication process, which is typically XAUTH.
>
> The offline password guessing process and MitM attack against
> XAUTH are
> detailed in the VPN flaws whitepaper at
> http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf.
>
> 3. Example:
>
> The example below shows the two different concentrator
> responses: the first
> is for the valid groupname "finance", and the second is for
> the invalid
> groupname "administration". We see that the concentrator
> responds to valid
> groupname, but not to the invalid one. Because of this difference in
> behaviour, it is possible to determine whether a given
> groupname is valid
> or not.
>
> The ike-scan options used in this example are:
>
> -A Specify IKE Aggressive Mode. The default for
> ike-scan is
> Main Mode.
> --idtype=11 Specify ID Type 11 for the ID payload. This
> corresponds to
> ID_KEY_ID.
> -M Multiline: Display each payload on a separate
> line, which
> makes the output easier to read.
> --auth=65001 Specify authentication method 65001, which
> corresponds to
> XAUTH.
> --id=finance Specify the string to be used for the ID payload.
> 10.0.0.1 The IP address of the target VPN concentrator.
>
> 3.1. Response to valid groupname "finance":
>
> $ ike-scan -A --idtype=11 -M --auth=65001 --id=finance 10.0.0.1
> Starting ike-scan 1.7.2 with 1 hosts
> (http://www.nta-monitor.com/ike-scan/)
> 10.0.0.1 Aggressive Mode Handshake returned
> SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
> LifeDuration=28800)
> KeyExchange(128 bytes)
> Nonce(20 bytes)
> ID(Type=ID_IPV4_ADDR, Value=10.0.0.1)
> Hash(16 bytes)
> VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
> VID=09002689dfd6b712 (XAUTH)
> VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection)
> VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
> VID=65963c60eacf802220adccf628738746
> VID=1f07f70eaa6514d3b0fa96542a500400 (Cisco VPN Concentrator)
>
> Ending ike-scan 1.7.2: 1 hosts scanned in 0.423 seconds (2.36
> hosts/sec). 1
> returned handshake;
> 0 returned notify
>
> 3.2. Response to invalid groupname "administration":
>
> $ ike-scan -A --idtype=11 -M --auth=65001 --id=administration 10.0.0.1
> Starting ike-scan 1.7.2 with 1 hosts
> (http://www.nta-monitor.com/ike-scan/)
>
> Ending ike-scan 1.7.2: 1 hosts scanned in 0.594 seconds (1.68
> hosts/sec). 0
> returned handshake;
> 0 returned notify
>
> 4. Affected Versions:
>
> The issue is believed to affect all models of Cisco VPN 3000
> Concentrator:
> 3005, 3015, 3020, 3030, 3060 and 3080. We believe that all software
> versions prior to 4.1.7.F are vulnerable.
>
> 5. Solution:
>
> Upgrade to software version 4.1.7.F or later. Cisco
> customers with a valid
> login may obtain the new software from the Cisco website.
> Cisco has stated
> in the release notes that this software version is not
> vulnerable to the
> issue, but NTA Monitor have not verified this claim.
>
> Alternatively, use certificate authentication rather than group
> authentication. This vulnerability does not apply to certificate
> authentication.
>
> 6. Timeline:
>
> The vulnerability was first discovered on 8th July 2004, and
> was reported
> to Cisco's security team (PSIRT) on 20th September 2004.
> Cisco were able
> to reproduce the issue using the ike-scan tool, and bug ID
> CSCeg00323 was
> opened on 11th October 2004. Software version 4.1.7.F, which
> claims to
> have fixed the issue, was released on 19th May 2005.
>
> 7. References:
>
> Cisco Bug ID CSCeg00323 "vpn3k - inconsistent behavior on scanning".
> NTA Monitor advisory
> http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrat
> or/index.htm
>
> 8. Other Information:
>
> This is one of the classes of vulnerability discussed in the
> VPN flaws
> whitepaper, which was released in January 2005. This whitepaper is
> available at:
> http://www.nta-monitor.com/news/vpn-flaws/VPN-Flaws-Whitepaper.pdf
>
> Roy Hills
>
>
> --
> Roy Hills Tel: +44 1634 721855
> NTA Monitor Ltd FAX: +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate, Email:
> Roy.Hills@nta-monitor.com
> Rochester, Kent ME2 4FA,
> UK WWW: http://www.nta-monitor.com/
>
- application/octet-stream attachment: cisco-vpn-grpname-adv.txt.asc
- Previous message: Martin Pitt: "[USN-146-1] Ruby vulnerability"
- Maybe in reply to: Roy Hills: "Cisco VPN Concentrator Groupname Enumeration Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
