Date: 01 December 2010
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.1089
Cisco Security Response: Cisco IPSec VPN Implementation
Group Name Enumeration Vulnerability
1 December 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Cisco ASA 5500 Series Adaptive Security Appliances
                   Cisco PIX 500 Series Security Appliances
                   Cisco VPN 3000 Series Concentrators (models 3005, 3015,
                   3020, 3030, 3060, and 3080)
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4354
Original Bulletin:
  http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Response: Cisco IPSec VPN Implementation Group Name Enumeration
Vulnerability
http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html
Revision 1.0
For Public Release 2010 November 29 1600 UTC (GMT)
Cisco Response
This Cisco Security Response is an updated version of an original Cisco
Security Notice (http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml)
in response to the Cisco VPN Concentrator Group Name Enumeration Vulnerability
advisory published on June 20, 2005, by NTA Monitor at
http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm
A further Cisco VPN Concentrator Group Name Enumeration Vulnerability that
affects the Cisco PIX, Cisco VPN 3000 Concentrator, and Cisco ASA was reported
to Cisco by Gavin Jones of NGS Secure. This vulnerability does not affect
Cisco IOS Software.
This Security Response is posted at
http://www.cisco.com/warp/public/707/cisco-sr-20101124-vpn-grpname.shtml, with
the original security notice posted at:
http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml.
Additional Information
This vulnerability allows an attacker to discover which group names are
configured and valid on those Cisco devices listed as affected in the Affected
Products section. It only affects customers using a PSK (pre-shared key) for
group authentication in a remote access VPN scenario. Site-to-site VPNs
(either using a PSK or certificates), customers using remote access VPNs with
certificates, or customers using the VPN 3000 Concentrator feature called
'Mutual Group Authentication' are not affected by this vulnerability.
The vulnerability resides in the way the affected products respond to IKE
Phase 1 messages in Aggressive Mode. If the group name carried in the IKE
message is a valid, configured group name, the affected device replies to the
IKE negotiation; an invalid group name does not elicit a response. This
difference in behaviour lets an attacker distinguish valid from invalid names.
Once a valid group name has been identified, the attacker can use the
information contained in the reply packet sent by the affected device to mount
an off-line attack and try to recover the PSK used for group authentication.
If the off-line attack is successful and the PSK is recovered, the PSK could
then be used to attempt a man-in-the-middle (MITM) attack against sessions
being initiated by remote VPN clients towards the affected device.
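Because the fixed software covers only the ASA, a network defender still wants to notice when a single source walks through many candidate group names. The following added example (not part of the Cisco response or of any Cisco tool) parses IKEv1 Aggressive Mode packets using the RFC 2408 header and RFC 2407 ID payload layout, pulls out the ID_KEY_ID data, and flags sources that present several distinct names; it assumes the group name travels in an ID payload of type ID_KEY_ID and uses constructed sample packets and addresses as input.

```python
import struct
from collections import defaultdict

# ISAKMP constants from RFC 2408 (header, exchange types, payload types)
# and RFC 2407 (ID payload types).
HDR_LEN = 28            # fixed ISAKMP header size
EXCH_AGGRESSIVE = 4     # Aggressive Mode, the exchange this advisory concerns
PAYLOAD_ID = 5          # Identification payload
ID_KEY_ID = 11          # opaque key ID; assumed here to carry the VPN group name

def extract_group_id(pkt: bytes):
    """Return the ID_KEY_ID bytes of an Aggressive Mode packet, else None."""
    if len(pkt) < HDR_LEN:
        return None
    ptype, _ver, exch, _flags, _msgid, length = struct.unpack("!8x8xBBBBII", pkt[:HDR_LEN])
    if exch != EXCH_AGGRESSIVE or length != len(pkt):
        return None
    off = HDR_LEN
    while ptype != 0 and off + 4 <= len(pkt):     # walk the payload chain
        nxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            return None                             # truncated or malformed payload
        if ptype == PAYLOAD_ID:
            # ID payload body: ID type (1), protocol (1), port (2), then data
            if plen < 8 or pkt[off + 4] != ID_KEY_ID:
                return None
            return pkt[off + 8:off + plen]
        off, ptype = off + plen, nxt
    return None

def enumeration_suspects(events, threshold=3):
    """Map source -> sorted group IDs for sources trying >= threshold distinct names."""
    seen = defaultdict(set)
    for src, pkt in events:
        gid = extract_group_id(pkt)
        if gid is not None:
            seen[src].add(gid)
    return {s: sorted(g) for s, g in seen.items() if len(g) >= threshold}

def sample_packet(group: bytes, exch_type=EXCH_AGGRESSIVE) -> bytes:
    """Constructed test input: header plus a lone ID payload (no SA/KE/NONCE),
    enough to exercise the parser but not a complete IKE proposal."""
    body = struct.pack("!BBH", 0, 0, 8 + len(group)) + struct.pack("!BBH", ID_KEY_ID, 17, 500) + group
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), PAYLOAD_ID, 0x10, exch_type, 0, 0, HDR_LEN + len(body))
    return hdr + body

# Constructed sample traffic: one source cycling through names, one ordinary client.
SAMPLE_EVENTS = [("198.51.100.7", sample_packet(g)) for g in (b"vpngroup", b"sales", b"admin", b"remote")]
SAMPLE_EVENTS.append(("203.0.113.5", sample_packet(b"sales")))

if __name__ == "__main__":
    for src, names in enumeration_suspects(SAMPLE_EVENTS).items():
        print(f"{src}: {len(names)} distinct group names tried: {names}")
```

Feed it the UDP/500 payloads captured in front of the VPN headend; the threshold is a tuning knob, since a legitimate client presents one name.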
The additional Group Name Enumeration Vulnerability is documented in the
following Bug ID (registered customers only):
* CSCtj96108 - Group enumeration possible on ASA
Affected Products
The following products are affected by this vulnerability:
* Cisco ASA 5500 Series Adaptive Security Appliances
* Cisco PIX 500 Series Security Appliances
* Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060,
and 3080)
Cisco IOS Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Software Versions and Fixes
Due to end-of-life status of the Cisco PIX 500 Series Security Appliances and
the Cisco VPN 3000 Series Concentrators, no fixed software will be made
available for these products.
A fix will be made available for the Cisco ASA 5500 Series Adaptive Security
Appliances. Once the Cisco Bug ID CSCtj96108 (registered customers only) shows
a status of verified, the "Fixed-In" field will display the first fixed release
of system software.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the
distribution URL in the following section is an uncontrolled copy, and may lack
important information or contain factual errors.
Revision History
Revision 1.0
2010-November-29
Initial public release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Updated: Nov 29, 2010 Document ID: 112227
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================