
RE: VPN Server

To: "kapil assudani" <kapil.assudani@yahoo.com>, <pen-test@securityfocus.com>
Subject: RE: VPN Server
From: "Dario Ciccarone (dciccaro)" <dciccaro@cisco.com>
Date: Thu, 25 Jan 2007 01:02:54 -0500
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kapil:


> Now with the IKE Scan tool, I get the following response from
> the vpn server using random ID= values for the group. However
> 

Which is the expected outcome.

> even though the results say it's a vpn concentrator it's 
> actually a cisco pix fw implementing a vpn server, which is 
> fine, just a fingerprinting flaw.  On further digging it was 
> found that the vpn server is at proper patch levels and does 
> not have any groups configured.
> However according to the vuln description, the following handshake 
> to the aggressive mode should not be returned, and as one can 
> see the returned handshake is successful.  

Nope, it doesn't say that. The Security Notice reads:

"The vulnerability resides in the way those products listed as
affected respond to IKE Phase I messages in Aggressive Mode. If
the group name in the IKE message was a valid group name, the
affected device would reply to the IKE negotiation, while an
invalid group name will not elicit a response."

An attacker wants to know which groups are defined and valid -
so he uses the ike-scan product to send AM packets to the
device. If he gets an answer, the group is valid. If not, the
group is not valid. What we did was to deny the attacker that
information by replying to the AM message in both cases - if the
group is valid and also if it is invalid. In that way, there's
no way for the attacker to determine which ones are valid and
which ones aren't.

> So I was wondering, is having Aggressive mode configured a 
> problem here? Do we recommend disabling aggressive mode, and if 
> yes, what could be the problem? Since no groups are configured, 
> does it boil down to being a problem of fingerprinting the 
> product used for the vpn server?
> 
> As it seems it responds to the below message for everything used.
> 

Again, which is exactly what you want :)

Thanks,
Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRbhIDoyVGB+6GuDwEQKkvACdFZh69lOiywj5hXjAXyAkcXz3D3QAn2O0
6E60omLb9oBEo6ArQrQiFPxW
=dgR9
-----END PGP SIGNATURE-----
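The behaviour Dario describes (a responder that answers only for configured group names, versus the fixed responder that answers in both cases) can be modelled as a small response oracle. The following is an added example, not code from the thread or from Cisco; the group names, the payload list and the responder functions are constructed assumptions, and the check only looks at whether a reply is sent at all, which is the channel the notice describes.

```python
"""Model of the IKE Aggressive Mode group-name oracle and its fix.

Constructed example (not Cisco's implementation): the point is that
response presence must not depend on whether the ID payload names a
configured group, because "reply / no reply" is itself the leak.
"""
from typing import Callable, Iterable, Optional

# Constructed sample configuration: group names the VPN server knows.
CONFIGURED_GROUPS = {"remote-sales", "remote-eng"}

# Shape of the second Aggressive Mode message (responder -> initiator).
AM_SECOND_MESSAGE = {
    "exchange": "aggressive",
    "payloads": ["SA", "KE", "NONCE", "ID", "HASH"],
}


def vulnerable_responder(group_name: str) -> Optional[dict]:
    """Pre-fix behaviour from the notice: an AM first message carrying an
    unknown group name gets no reply, so an initiator learns validity from
    the mere presence of an answer."""
    if group_name not in CONFIGURED_GROUPS:
        return None  # silence == "group does not exist"
    return dict(AM_SECOND_MESSAGE)


def fixed_responder(group_name: str) -> Optional[dict]:
    """Post-fix behaviour: reply with the same second AM message for every
    group name. An unknown group simply fails later in authentication,
    which the initiator cannot distinguish from a wrong pre-shared key."""
    return dict(AM_SECOND_MESSAGE)


def group_validity_leaks(responder: Callable[[str], Optional[dict]],
                         probe_names: Iterable[str]) -> bool:
    """Return True when the responder acts as a group-name oracle, i.e. when
    the observable reply (present or not, and its payload shape) differs
    between valid and invalid probe names. Returns False when the probes
    do not contain both classes, since no comparison is then possible."""
    def observe(name: str):
        reply = responder(name)
        # What a remote observer can see: reply or not, and payload list.
        return None if reply is None else tuple(reply["payloads"])

    valid_obs = {observe(n) for n in probe_names if n in CONFIGURED_GROUPS}
    invalid_obs = {observe(n) for n in probe_names if n not in CONFIGURED_GROUPS}
    if not valid_obs or not invalid_obs:
        return False
    return valid_obs != invalid_obs


if __name__ == "__main__":
    probes = ["remote-sales", "remote-eng", "bogus-1", "bogus-2"]
    for name, fn in (("vulnerable", vulnerable_responder),
                     ("fixed", fixed_responder)):
        print(f"{name}: leaks group validity = "
              f"{group_validity_leaks(fn, probes)}")
```

The check is the one a defender wants when validating the patched device from the outside: probe with one known-good group and several random ones, and confirm that the set of observable replies is identical for both classes. Timing and reply contents are further channels the model above does not cover, so a real assessment should compare those as well rather than only reply presence.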


