search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used

Vulnerability Note VU#886601

Original Release Date: 2002-09-12 | Last Revised: 2003-04-04

Overview

The Internet Key Exchange (IKE) protocol discloses username information when Aggressive Mode is used for shared secret authentication.

Description

The Internet Key Exchange (IKE) protocol provides a negotiation mechanism that allows an initiator to establish an encrypted session with a responder. Many firewall and Virtual Private Network (VPN) products use IKE; check your product documentation to determine which modes and authentication methods are used by your product.

By design, the IKE protocol does not encrypt the identities of the initiator or responder when performing shared secret authentication in Aggressive Mode. Depending upon your site configuration and need for identity protection, this design choice may represent a vulnerability to your organization.

Impact

Devices that implement this protocol as specified will leak username information while negotiating IKE sessions. This information may be useful for conducting reconnaissance on networks containing an affected device.

Solution

Use an alternative mode and authentication method

The IKE protocol provides many options for both connection mode and authentication method; several combinations provide identity protection. For example, both Main Mode with shared secret authentication and Aggressive Mode with public key authentication provide identity protection.

Vendor Information

886601
Expand all

Apple Computer Inc.

Notified:  September 17, 2002 Updated:  September 20, 2002

Status

  Vulnerable

Vendor Statement

Mac OS X 10.2 (Jaguar) supports the IKE protocol. IKE is turned off by default, and there is no easy way to enable its operation in our default system configuration. There are no components in Mac OS X that make use of IKE. The Aggressive Mode negotiation mode of IKE is a protocol that certain users may wish to use in certain circumstances, and we do not at this time plan to remove this standard protocol from Mac OS X.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point

Notified:  September 03, 2002 Updated:  October 08, 2002

Status

  Vulnerable

Vendor Statement

This information will also be published at http://www.checkpoint.com/techsupport/alerts.

Check Point Statement on use of IKE Aggressive Mode

A document has recently been published alleging vulnerabilities in the Check Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient and IKE Aggressive mode. Check Point does not recommend the use of IKE Aggressive Mode, because of many well-known limitations in the protocol, and the Check Point products offer much more secure alternatives.

In the vulnerability claim document, two issues were presented:
1) usernames are passed in cleartext using IKE Aggressive Mode
2) usernames are susceptible to brute-force guessing when using IKE Aggressive Mode

The first item is merely an accurate description of the IKE protocol. Check Point has no bug or vulnerability, but has correctly implemented the IKE standard for Aggressive Mode. The passing of usernames in cleartext is common to any vendors of IKE products who support Aggressive Mode. The claim of a vulnerability is incorrect.

Because of such well-known weaknesses in the IKE Aggressive Mode standard, Check Point authored and published an extension called Hybrid Mode which allows the secure use of all supported authentication schemes (e.g., RADIUS or TACACS) without sending usernames in cleartext. This extension has been incorporated in the product since the 4.1 SP1 release (February 2000), with
hybrid mode recommended over Aggressive Mode for enhanced security.

The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode, despite the availability of more secure options in the product. Note, again, that the guessable usernames in this scenario are, by design of the IKE protocol, sent in cleartext. By default, Aggressive Mode is not enabled in NG. In 4.1, the recommended configuration is to disable Aggressive Mode and use Hybrid Mode instead (which involves no change to the user experience).

Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418 fax: 561.997.9392

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KAME Project

Notified:  September 24, 2002 Updated:  October 15, 2002

Status

  Vulnerable

Vendor Statement

Though it is true that, with aggressive mode, identification data will be transmitted in clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of user accounts on a system.

For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done)

So the severity really depends on how a user configures our program.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  September 17, 2002 Updated:  October 17, 2002

Status

  Vulnerable

Vendor Statement

See KAME's statement, as NetBSD uses racoon IKE daemon from KAME.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  September 17, 2002 Updated:  October 08, 2002

Status

  Not Vulnerable

Vendor Statement

F5 products do not include IPSEC or IKE, and are therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  September 17, 2002 Updated:  October 17, 2002

Status

  Not Vulnerable

Vendor Statement

FreeBSD does not ship an IKE daemon by default and therefore is not vulnerable. The KAME IKE daemon is available via the ports collection, see KAME's statement for information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system does not support the IKE protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  September 17, 2002 Updated:  October 02, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  September 17, 2002 Updated:  September 30, 2002

Status

  Not Vulnerable

Vendor Statement

Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  September 17, 2002 Updated:  September 20, 2002

Status

  Not Vulnerable

Vendor Statement

We do not currently support an implementation of the IKE protocol. We may support such features in the future... at that time we will be sure to pay attention to VU#886601 and any other advisories for IKE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  September 17, 2002 Updated:  September 20, 2002

Status

  Not Vulnerable

Vendor Statement

NetApp products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  September 17, 2002 Updated:  September 20, 2002

Status

  Not Vulnerable

Vendor Statement

FreeS/WAN does not support aggressive mode and is therefore not vulnerable to the attack you are describing. We do not ship any other IKE implemenatations than FreeS/WAN and we do not plan any updates based on VU#886601.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  September 17, 2002 Updated:  September 20, 2002

Status

  Not Vulnerable

Vendor Statement

The Solaris in.iked daemon for Internet Key Exchange (IKE) [new to Solaris 9] and the SunScreen 3.2 ss_iked daemon for Internet Key Exchange (IKE) are not vulnerable to the issues described in this report. Both IKE daemons do not implement aggressive mode and therefore the vulnerabilities described in this report do not affect the Sun IKE daemons, in.iked and ss_iked, both daemons do
not send username information in the clear.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Notified:  September 17, 2002 Updated:  April 04, 2003

Status

  Not Vulnerable

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  September 17, 2002 Updated:  October 08, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  September 17, 2002 Updated:  October 08, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lachman

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multinet

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  September 17, 2002 Updated:  October 08, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare)

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisphere Networks

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  September 17, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks Roy Hills for reporting this issue.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 0.65
Date Public: 2002-09-03
Date First Published: 2002-09-12
Date Last Updated: 2003-04-04 19:12 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.