Firewall-1

[FW-1] ASN.1 vulnerability without aggressive mode

Subject: [FW-1] ASN.1 vulnerability without aggressive mode
From: Thorsten Behrens <thorsten.behrens AT INTEGRALIS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 30 Jul 2004 09:45:55 -0400
Jochen,

> Is there any vulnerability if I don't use aggressive mode?

we're debating the exact nature of the vulnerability
internally here, but I do believe there is. Note that CP do
not claim Main Mode protects you, they claim Main Mode leads
to encryption of the attacking packet.

In Main Mode, identity protection might have your back - but
with SecuRemote, that sort of goes out of the window.

We know the vulnerability is in ASN.1. We know Main Mode
Packet 1 is not sufficient to exploit. We know Aggressive
Mode Packet 1 is sufficient to exploit.

Aggressive Mode Packet 1: SA with Proposals, Key Exchange
(Diffie-Hellman Public), Vendor ID, Nonce

Main Mode Packet 1: SA with Proposals, Vendor ID
Main Mode Packet 2: SA with Proposal Accepted, Vendor ID <-
 identity protection here, must come from a valid peer -- of
 course, with SecuRemote/SecureClient, everyone is a valid peer
Main Mode Packet 3: Key Exchange (Diffie-Hellman Public), Nonce

By Main Mode Packet 3, everything that would have been sent
in Aggressive Mode Packet 1 has been sent. ASN.1 is used for
DH; I think it might also be used for the Nonce. My money's
on the DH Public Key as the culprit, though.

So I do have a viable attack vector if I can get VPN-1 to respond to me with
a Proposal. Which, again, shouldn't be too hard due to
SecuRemote/SecureClient. Not sure how VPN-1 behaves when
"export for SR" is disabled - that would have to go into the
lab. For site-to-site only, that might be a protection.

In short: Yep, you're vulnerable in Main Mode. Block IKE (implied_rules.def or 
on the router), or if that is not an option, patch.


 Regards

 Thorsten Behrens
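The exchange comparison above (which ISAKMP payloads a peer has sent by Aggressive Mode packet 1 versus Main Mode packet 3) can be checked on the wire. The following is an added example, not code from the original post or from Check Point: a minimal ISAKMP (IKEv1) header and payload-chain parser, plus a defender-side check that flags a Key Exchange payload arriving from a source that is not a configured site-to-site peer, which is the exposure the message describes when IKE is left open to any address. The packets it parses are constructed inline with opaque payload bodies (no nested Proposal/Transform decoding); the exchange-type and payload-type codes are the standard ISAKMP values, and the `allowed_peers` list, source addresses and cookies are assumptions for the demonstration.

```python
import struct

# ISAKMP exchange types (RFC 2408 / RFC 2409); 2 = Identity Protection = Main Mode.
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 4: "Aggressive Mode",
                  5: "Informational", 32: "Quick Mode"}
# ISAKMP payload types relevant to phase 1.
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}

HEADER_FMT = "!8s8sBBBBII"      # I-cookie, R-cookie, next, version, exch, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes
ZERO_COOKIE = b"\x00" * 8


def build_isakmp(exchange_type, payloads, rcookie=ZERO_COOKIE):
    """Build a constructed ISAKMP message from a list of (payload_type, body) tuples.
    Payload bodies are treated as opaque bytes; the chain is linked via next-payload."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_p = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_p, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HEADER_FMT, b"\x11" * 8, rcookie, first, 0x10,
                      exchange_type, 0, 0, HEADER_LEN + len(body))
    return hdr + body


def parse_isakmp(data):
    """Parse the fixed header and walk the payload chain with bounds checks.
    Raises ValueError on any length inconsistency instead of reading past the buffer."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    _ic, rcookie, next_p, _ver, exch, _flags, _mid, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("header length does not match buffer")
    payloads = []
    off = HEADER_LEN
    while next_p != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        np_, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length out of bounds")
        payloads.append(PAYLOAD_TYPES.get(next_p, "unknown(%d)" % next_p))
        next_p, off = np_, off + plen
    return {
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "payloads": payloads,
        "responder_cookie_set": rcookie != ZERO_COOKIE,
    }


def ke_from_unknown_peer(parsed, src, allowed_peers):
    """Defender check: a Key Exchange payload from an address that is not a
    configured site-to-site peer means DH material is being parsed pre-authentication.
    In Main Mode this happens at packet 3, in Aggressive Mode at packet 1."""
    return "KE" in parsed["payloads"] and src not in allowed_peers


# Constructed sample traffic: the three phase-1 shapes discussed in the message.
AGGR_PKT1 = build_isakmp(4, [(1, b"\x00" * 8), (4, b"\x01" * 32),
                             (10, b"\x02" * 16), (13, b"\x03" * 4)])
MM_PKT1 = build_isakmp(2, [(1, b"\x00" * 8), (13, b"\x03" * 4)])
MM_PKT3 = build_isakmp(2, [(4, b"\x01" * 32), (10, b"\x02" * 16)],
                       rcookie=b"\x22" * 8)

# Assumed site-to-site peer list for the demonstration.
ALLOWED_PEERS = {"192.0.2.10"}


def triage(packet, src, allowed_peers=ALLOWED_PEERS):
    """Return (exchange name, payload list, exposure flag) for one packet."""
    p = parse_isakmp(packet)
    return p["exchange"], p["payloads"], ke_from_unknown_peer(p, src, allowed_peers)


if __name__ == "__main__":
    for name, pkt in (("aggr-1", AGGR_PKT1), ("mm-1", MM_PKT1), ("mm-3", MM_PKT3)):
        print(name, triage(pkt, "198.51.100.7"))
```

Run against the three constructed packets from an address outside `ALLOWED_PEERS`, Main Mode packet 1 is not flagged (no KE yet) while both Aggressive Mode packet 1 and Main Mode packet 3 are, which is the message's point that Main Mode only delays the exposure. The bounds checks in `parse_isakmp` are the parser-side counterpart: a responder that validates every payload length before decoding DH or nonce contents never reads past the message.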


