Overview
The Internet Key Exchange (IKE) protocol discloses username information when Aggressive Mode is used for shared secret authentication.
Description
The Internet Key Exchange (IKE) protocol provides a negotiation mechanism that allows an initiator to establish an encrypted session with a responder. Many firewall and Virtual Private Network (VPN) products use IKE; check your product documentation to determine which modes and authentication methods are used by your product. By design, the IKE protocol does not encrypt the identities of the initiator or responder when performing shared secret authentication in Aggressive Mode. Depending upon your site configuration and need for identity protection, this design choice may represent a vulnerability to your organization.
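To make the disclosure concrete, the following added example (not part of the original note) walks the ISAKMP header and payload chain defined in RFC 2408 and reports whether a datagram is an Aggressive Mode message carrying an unencrypted Identification payload, which is useful when auditing captures from your own gateway. The two sample datagrams and the identity alice@example.com are constructed for illustration; the SA, key exchange and nonce bodies are filler bytes, not valid proposals.

```python
import ipaddress
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
PAYLOAD_HDR = struct.Struct("!BxH")        # next payload, reserved, length
EXCHANGES = {2: "main", 4: "aggressive"}   # Identity Protection / Aggressive
PAYLOAD_ID = 5                             # Identification payload
FLAG_ENCRYPTED = 0x01                      # header flag: payloads are ciphertext
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}


def inspect_ike(datagram: bytes) -> dict:
    """Return exchange mode, encryption flag and any cleartext ID payload."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, nxt, _, exch, flags, _, total = ISAKMP_HDR.unpack_from(datagram)
    if total < ISAKMP_HDR.size or total > len(datagram):
        raise ValueError("ISAKMP length field does not match datagram")
    info = {"exchange": EXCHANGES.get(exch, f"type {exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "identity": None}
    if info["encrypted"]:
        return info  # Main Mode message 5/6: the ID payload is inside ciphertext
    off = ISAKMP_HDR.size
    while nxt != 0 and off + PAYLOAD_HDR.size <= total:
        following, plen = PAYLOAD_HDR.unpack_from(datagram, off)
        if plen < PAYLOAD_HDR.size or off + plen > total:
            raise ValueError("malformed payload length")
        if nxt == PAYLOAD_ID and plen >= 8:
            # ID payload body: type(1) protocol(1) port(2) identification data
            id_type = datagram[off + 4]
            data = datagram[off + 8:off + plen]
            if id_type == 1 and len(data) == 4:
                value = str(ipaddress.IPv4Address(data))
            else:
                value = data.decode("utf-8", "replace")
            info["identity"] = (ID_TYPES.get(id_type, f"type {id_type}"), value)
        nxt, off = following, off + plen
    return info


def exposes_identity(datagram: bytes) -> bool:
    """True when an Aggressive Mode message carries a readable identity."""
    info = inspect_ike(datagram)
    return info["exchange"] == "aggressive" and info["identity"] is not None


def build_sample(exchange, flags, rcookie, chain=(), first=0, raw=b""):
    """Build a constructed datagram from [(payload_type, body), ...] or raw bytes."""
    body = raw
    for i, (_, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += PAYLOAD_HDR.pack(nxt, len(pbody) + PAYLOAD_HDR.size) + pbody
    first = chain[0][0] if chain else first
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, rcookie, first, 0x10, exchange, flags,
                          0, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed Aggressive Mode message 1: HDR, SA, KE, Ni, IDii, all in cleartext.
AGGRESSIVE_MSG1 = build_sample(4, 0, b"\x00" * 8, chain=[
    (1, b"\x00" * 8),                                         # SA (filler)
    (4, b"\xaa" * 16),                                        # KE (filler)
    (10, b"\xbb" * 8),                                        # nonce (filler)
    (5, struct.pack("!BBH", 3, 17, 500) + b"alice@example.com"),
])
# Constructed Main Mode message 5: HDR*, ID and HASH encrypted under SKEYID_e.
MAIN_MSG5 = build_sample(2, FLAG_ENCRYPTED, b"\x22" * 8, first=PAYLOAD_ID,
                         raw=b"\xcc" * 32)

if __name__ == "__main__":
    for name, pkt in (("aggressive msg 1", AGGRESSIVE_MSG1),
                      ("main msg 5", MAIN_MSG5)):
        print(name, inspect_ike(pkt), "exposed:", exposes_identity(pkt))
```

The parser expects the UDP payload of a port 500 datagram; it does not strip the four-byte non-ESP marker used on port 4500.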
Impact
Devices that implement this protocol as specified will leak username information while negotiating IKE sessions. This information may be useful for conducting reconnaissance on networks containing an affected device.
Solution
Use an alternative mode and authentication method.
Vendor Information
Apple Computer Inc. Affected
Notified: September 17, 2002 Updated: September 20, 2002
Status
Affected
Vendor Statement
Mac OS X 10.2 (Jaguar) supports the IKE protocol. IKE is turned off by default, and there is no easy way to enable its operation in our default system configuration. There are no components in Mac OS X that make use of IKE. The Aggressive Mode negotiation mode of IKE is a protocol that certain users may wish to use in certain circumstances, and we do not at this time plan to remove this standard protocol from Mac OS X.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Check Point Affected
Notified: September 03, 2002 Updated: October 08, 2002
Status
Affected
Vendor Statement
This information will also be published at http://www.checkpoint.com/techsupport/alerts.
Check Point Statement on use of IKE Aggressive Mode
A document has recently been published alleging vulnerabilities in the Check Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient and IKE Aggressive mode. Check Point does not recommend the use of IKE Aggressive Mode, because of many well-known limitations in the protocol, and the Check Point products offer much more secure alternatives.
In the vulnerability claim document, two issues were presented:
1) usernames are passed in cleartext using IKE Aggressive Mode
2) usernames are susceptible to brute-force guessing when using IKE Aggressive Mode
The first item is merely an accurate description of the IKE protocol. Check Point has no bug or vulnerability, but has correctly implemented the IKE standard for Aggressive Mode. The passing of usernames in cleartext is common to any vendors of IKE products who support Aggressive Mode. The claim of a vulnerability is incorrect.
Because of such well-known weaknesses in the IKE Aggressive Mode standard, Check Point authored and published an extension called Hybrid Mode which allows the secure use of all supported authentication schemes (e.g., RADIUS or TACACS) without sending usernames in cleartext. This extension has been incorporated in the product since the 4.1 SP1 release (February 2000), with hybrid mode recommended over Aggressive Mode for enhanced security.
The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode, despite the availability of more secure options in the product. Note, again, that the guessable usernames in this scenario are, by design of the IKE protocol, sent in cleartext. By default, Aggressive Mode is not enabled in NG. In 4.1, the recommended configuration is to disable Aggressive Mode and use Hybrid Mode instead (which involves no change to the user experience).
Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418 fax: 561.997.9392
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
KAME Project Affected
Notified: September 24, 2002 Updated: October 15, 2002
Status
Affected
Vendor Statement
Though it is true that, with aggressive mode, identification data will be transmitted in clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of the user accounts on a system.
For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done)
So the severity really depends on how a user configures our program.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NetBSD Affected
Notified: September 17, 2002 Updated: October 17, 2002
Status
Affected
Vendor Statement
See KAME's statement, as NetBSD uses the racoon IKE daemon from KAME.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.
F5 Networks Not Affected
Notified: September 17, 2002 Updated: October 08, 2002
Status
Not Affected
Vendor Statement
F5 products do not include IPSEC or IKE, and are therefore not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
FreeBSD Not Affected
Notified: September 17, 2002 Updated: October 17, 2002
Status
Not Affected
Vendor Statement
FreeBSD does not ship an IKE daemon by default and therefore is not vulnerable. The KAME IKE daemon is available via the ports collection, see KAME's statement for information.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.
Fujitsu Not Affected
Notified: September 17, 2002 Updated: September 18, 2002
Status
Not Affected
Vendor Statement
Fujitsu's UXP/V operating system does not support the IKE protocol.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Guardian Digital Inc. Not Affected
Notified: September 17, 2002 Updated: October 02, 2002
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Microsoft Corporation Not Affected
Notified: September 17, 2002 Updated: September 30, 2002
Status
Not Affected
Vendor Statement
Microsoft products are not affected by this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MontaVista Software Not Affected
Notified: September 17, 2002 Updated: September 20, 2002
Status
Not Affected
Vendor Statement
We do not currently support an implementation of the IKE protocol. We may support such features in the future... at that time we will be sure to pay attention to VU#886601 and any other advisories for IKE.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Network Appliance Not Affected
Notified: September 17, 2002 Updated: September 20, 2002
Status
Not Affected
Vendor Statement
NetApp products are not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SuSE Inc. Not Affected
Notified: September 17, 2002 Updated: September 20, 2002
Status
Not Affected
Vendor Statement
FreeS/WAN does not support aggressive mode and is therefore not vulnerable to the attack you are describing. We do not ship any other IKE implementations than FreeS/WAN and we do not plan any updates based on VU#886601.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sun Microsystems Inc. Not Affected
Notified: September 17, 2002 Updated: September 20, 2002
Status
Not Affected
Vendor Statement
The Solaris in.iked daemon for Internet Key Exchange (IKE) [new to Solaris 9] and the SunScreen 3.2 ss_iked daemon for Internet Key Exchange (IKE) are not vulnerable to the issues described in this report. Both IKE daemons do not implement aggressive mode and therefore the vulnerabilities described in this report do not affect the Sun IKE daemons, in.iked and ss_iked, both daemons do not send username information in the clear.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Xerox Corporation Not Affected
Notified: September 17, 2002 Updated: April 04, 2003
Status
Not Affected
Vendor Statement
A response to this vulnerability is available from our web site: http://www.xerox.com/security.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
3Com Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
AT&T Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Alcatel Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
BSDI Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cisco Systems Inc. Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Compaq Computer Corporation Unknown
Notified: September 17, 2002 Updated: October 08, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Computer Associates Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Conectiva Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cray Inc. Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Data General Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Debian Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Hewlett-Packard Company Unknown
Notified: September 17, 2002 Updated: October 08, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
IBM Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Intel Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Juniper Networks Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Lachman Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Lotus Software Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Lucent Technologies Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MandrakeSoft Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Multinet Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NEC Corporation Unknown
Notified: September 17, 2002 Updated: October 08, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Nortel Networks Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
OpenBSD Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Openwall GNU/*/Linux Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Oracle Corporation Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Red Hat Inc. Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SGI Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sequent Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sony Corporation Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
The SCO Group (SCO Linux) Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
The SCO Group (SCO UnixWare) Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisphere Networks Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisys Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Wind River Systems Inc. Unknown
Notified: September 17, 2002 Updated: September 18, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
References
- http://www.ietf.org/rfc/rfc2409.txt
- http://www.checkpoint.com/techsupport/alerts/ike.html
- http://www.nta-monitor.com/news/checkpoint.htm
- http://www.dsinet.org/?id=2873
- http://www.netsys.com/cgi-bin/displaynews?a=382
- http://www.securiteam.com/securitynews/5TP040U8AW.html
- http://online.securityfocus.com/news/603
- http://online.securityfocus.com/archive/1/290202/2002-09-01/2002-09-07/0
- http://packetstorm.linuxsecurity.com/advisories/misc/checkpoint.ike.txt
Acknowledgements
The CERT/CC thanks Roy Hills for reporting this issue.
This document was written by Jeffrey P. Lanza.
Other Information
CVE IDs: None
Severity Metric: 0.65
Date Public: 2002-09-03
Date First Published: 2002-09-12
Date Last Updated: 2003-04-04 19:12 UTC
Document Revision: 23