3Com Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Affected

Notified:  September 17, 2002 Updated: September 20, 2002

Status

Affected

Vendor Statement

Mac OS X 10.2 (Jaguar) supports the IKE protocol. IKE is turned off by default, and there is no easy way to enable its operation in our default system configuration. There are no components in Mac OS X that make use of IKE. The Aggressive Mode negotiation mode of IKE is a protocol that certain users may wish to use in certain circumstances, and we do not at this time plan to remove this standard protocol from Mac OS X.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Affected

Notified:  September 03, 2002 Updated: October 08, 2002

Status

Affected

Vendor Statement

This information will also be published at http://www.checkpoint.com/techsupport/alerts.

Check Point Statement on use of IKE Aggressive Mode

A document has recently been published alleging vulnerabilities in the Check Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient and IKE Aggressive mode. Check Point does not recommend the use of IKE Aggressive Mode, because of many well-known limitations in the protocol, and the Check Point products offer much more secure alternatives. In the vulnerability claim document, two issues were presented:

1) usernames are passed in cleartext using IKE Aggressive Mode
2) usernames are susceptible to brute-force guessing when using IKE Aggressive Mode

The first item is merely an accurate description of the IKE protocol. Check Point has no bug or vulnerability, but has correctly implemented the IKE standard for Aggressive Mode. The passing of usernames in cleartext is common to any vendors of IKE products who support Aggressive Mode. The claim of a vulnerability is incorrect.

Because of such well-known weaknesses in the IKE Aggressive Mode standard, Check Point authored and published an extension called Hybrid Mode which allows the secure use of all supported authentication schemes (e.g., RADIUS or TACACS) without sending usernames in cleartext. This extension has been incorporated in the product since the 4.1 SP1 release (February 2000), with hybrid mode recommended over Aggressive Mode for enhanced security.

The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode, despite the availability of more secure options in the product. Note, again, that the guessable usernames in this scenario are, by design of the IKE protocol, sent in cleartext. By default, Aggressive Mode is not enabled in NG. In 4.1, the recommended configuration is to disable Aggressive Mode and use Hybrid Mode instead (which involves no change to the user experience).

Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418 fax: 561.997.9392

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc. Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Unknown

Notified:  September 17, 2002 Updated: October 08, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks Not Affected

Notified:  September 17, 2002 Updated: October 08, 2002

Status

Not Affected

Vendor Statement

F5 products do not include IPSEC or IKE, and are therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Not Affected

Notified:  September 17, 2002 Updated: October 17, 2002

Status

Not Affected

Vendor Statement

FreeBSD does not ship an IKE daemon by default and therefore is not vulnerable. The KAME IKE daemon is available via the ports collection; see KAME's statement for information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.

Fujitsu Not Affected

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V operating system does not support the IKE protocol.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Not Affected

Notified:  September 17, 2002 Updated: October 02, 2002

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified:  September 17, 2002 Updated: October 08, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KAME Project Affected

Notified:  September 24, 2002 Updated: October 15, 2002

Status

Affected

Vendor Statement

Though it is true that, with aggressive mode, identification data will be transmitted in clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of the user accounts on a system. For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (Of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done.) So the severity really depends on how a user configures our program.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lachman Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Notified:  September 17, 2002 Updated: September 30, 2002

Status

Not Affected

Vendor Statement

Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Not Affected

Notified:  September 17, 2002 Updated: September 20, 2002

Status

Not Affected

Vendor Statement

We do not currently support an implementation of the IKE protocol. We may support such features in the future... at that time we will be sure to pay attention to VU#886601 and any other advisories for IKE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Multinet Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  September 17, 2002 Updated: October 08, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  September 17, 2002 Updated: October 17, 2002

Status

Affected

Vendor Statement

See KAME's statement, as NetBSD uses the racoon IKE daemon from KAME.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.

Network Appliance Not Affected

Notified:  September 17, 2002 Updated: September 20, 2002

Status

Not Affected

Vendor Statement

NetApp products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Not Affected

Notified:  September 17, 2002 Updated: September 20, 2002

Status

Not Affected

Vendor Statement

The Solaris in.iked daemon for Internet Key Exchange (IKE) [new to Solaris 9] and the SunScreen 3.2 ss_iked daemon for Internet Key Exchange (IKE) are not vulnerable to the issues described in this report. Both IKE daemons do not implement aggressive mode and therefore the vulnerabilities described in this report do not affect the Sun IKE daemons, in.iked and ss_iked. Both daemons do not send username information in the clear.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Not Affected

Notified:  September 17, 2002 Updated: September 20, 2002

Status

Not Affected

Vendor Statement

FreeS/WAN does not support aggressive mode and is therefore not vulnerable to the attack you are describing. We do not ship any other IKE implementations than FreeS/WAN and we do not plan any updates based on VU#886601.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO UnixWare) Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisphere Networks Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified:  September 17, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Not Affected

Notified:  September 17, 2002 Updated: April 04, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
