Vulnerability Note VU#886601

Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used

Original Release date: 12 Sep 2002 | Last revised: 04 Apr 2003

Overview

The Internet Key Exchange (IKE) protocol discloses username information when Aggressive Mode is used for shared secret authentication.

Description

The Internet Key Exchange (IKE) protocol provides a negotiation mechanism that allows an initiator to establish an encrypted session with a responder. Many firewall and Virtual Private Network (VPN) products use IKE; check your product documentation to determine which modes and authentication methods are used by your product.

By design, the IKE protocol does not encrypt the identities of the initiator or responder when performing shared secret authentication in Aggressive Mode. Depending upon your site configuration and need for identity protection, this design choice may represent a vulnerability to your organization.

Impact

Devices that implement this protocol as specified will leak username information while negotiating IKE sessions. This information may be useful for conducting reconnaissance on networks containing an affected device.

Solution

Use an alternative mode and authentication method

The IKE protocol provides many options for both connection mode and authentication method; several combinations provide identity protection. For example, both Main Mode with shared secret authentication and Aggressive Mode with public key authentication provide identity protection.
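To make the difference between the modes concrete, the following Python code (an added example, not part of the original CERT/CC note) walks an IKEv1 message using the RFC 2408 header layout and reports whether an Identification payload is readable in the clear. The two packets are constructed samples with made-up cookies and the hypothetical identity alice@example.test; in an audit, UDP/500 payloads from your own capture would be passed to exposed_identity() instead.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
PAYLOAD_ID, FLAG_ENCRYPTED = 5, 0x01

def exposed_identity(packet: bytes):
    """Return (exchange, id_type, id_value) if an ID payload is sent unencrypted, else None."""
    if len(packet) < ISAKMP_HDR.size:
        return None
    _, _, next_payload, version, exch, flags, _, length = ISAKMP_HDR.unpack_from(packet)
    if version != 0x10 or flags & FLAG_ENCRYPTED:
        return None  # not IKEv1, or the payloads are encrypted (identity protected)
    end, offset = min(length, len(packet)), ISAKMP_HDR.size
    while next_payload != 0 and offset + 4 <= end:
        following, _, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < 4 or offset + plen > end:
            return None  # malformed payload chain
        if next_payload == PAYLOAD_ID and plen >= 8:
            id_type = packet[offset + 4]           # then protocol (1 byte) and port (2 bytes)
            data = packet[offset + 8:offset + plen]
            if id_type == 1 and len(data) == 4:
                value = ".".join(str(b) for b in data)
            else:
                value = data.decode("ascii", "replace")
            return EXCHANGE.get(exch, f"exchange {exch}"), ID_TYPES.get(id_type, str(id_type)), value
        next_payload, offset = following, offset + plen
    return None

def _build(exch, flags, payloads):
    """Helper for the constructed samples: payloads is a list of (type, body) tuples."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return ISAKMP_HDR.pack(b"I" * 8, b"\0" * 8, payloads[0][0], 0x10, exch, flags,
                           0, ISAKMP_HDR.size + len(body)) + body

# Constructed samples (placeholder SA/KE/Nonce bodies, hypothetical identity).
ID_BODY = bytes([3, 17, 0x01, 0xF4]) + b"alice@example.test"  # ID_USER_FQDN, UDP, port 500
AGGRESSIVE_MSG1 = _build(4, 0, [(1, b"\0" * 8), (4, b"\x11" * 16),
                                (10, b"\x22" * 16), (5, ID_BODY)])
MAIN_MSG5 = _build(2, FLAG_ENCRYPTED, [(5, b"\x5a" * 32)])  # ID payload is ciphertext here

if __name__ == "__main__":
    print("aggressive:", exposed_identity(AGGRESSIVE_MSG1))
    print("main mode :", exposed_identity(MAIN_MSG5))
```
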

Systems Affected

Vendor                    Status        Date Notified  Date Updated
Apple Computer Inc.       Affected      17 Sep 2002    20 Sep 2002
Check Point               Affected      03 Sep 2002    08 Oct 2002
KAME Project              Affected      24 Sep 2002    15 Oct 2002
NetBSD                    Affected      17 Sep 2002    17 Oct 2002
F5 Networks               Not Affected  17 Sep 2002    08 Oct 2002
FreeBSD                   Not Affected  17 Sep 2002    17 Oct 2002
Fujitsu                   Not Affected  17 Sep 2002    18 Sep 2002
Guardian Digital Inc.     Not Affected  17 Sep 2002    02 Oct 2002
Microsoft Corporation     Not Affected  17 Sep 2002    30 Sep 2002
MontaVista Software       Not Affected  17 Sep 2002    20 Sep 2002
Network Appliance         Not Affected  17 Sep 2002    20 Sep 2002
Sun Microsystems Inc.     Not Affected  17 Sep 2002    20 Sep 2002
SuSE Inc.                 Not Affected  17 Sep 2002    20 Sep 2002
Xerox Corporation         Not Affected  17 Sep 2002    04 Apr 2003
3Com                      Unknown       17 Sep 2002    18 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

The CERT/CC thanks Roy Hills for reporting this issue.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: Unknown
  • Date Public: 03 Sep 2002
  • Date First Published: 12 Sep 2002
  • Date Last Updated: 04 Apr 2003
  • Severity Metric: 0.65
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.