KAME Project Information for VU#886601
Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used
- Vendor Information Help Date Notified: 24 Sep 2002
- Statement Date:
- Date Updated: 15 Oct 2002
Though it is true that, with aggressive mode, identification data will be transmitted in clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of user accounts on a system.
For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done)
So the severity really depends on how a user configures our program.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.