|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
KAME Project Information for VU#886601
| Date Notified: | 2002-09-24 |
| Date Updated: | |
| Statement Date: | |
| Status Summary: | Vulnerable |
Vendor StatementThough it is true that, with aggressive mode, identification data will be transmitted in clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of user accounts on a system.
For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done)
So the severity really depends on how a user configures our program.Vendor InformationThe vendor has not provided us with any further information regarding this vulnerability.
AddendumThe CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |