[ISN] Cisco warns of hijack code for VPN gear

From: InfoSec News (isn@private)
Date: Wed Apr 21 2004 - 04:15:56 PDT


    http://www.nwfusion.com/news/2004/0420ciswarn.html
    
    By Phil Hochmuth
    Network World Fusion
    04/20/04
    
    Cisco last week warned that hacker software now exists that allows 
    attackers to break into a Cisco-based VPN by intercepting VPN 
    logon/password data. 
    
    The hacker code takes advantage of a previously reported vulnerability 
    in Cisco VPN hardware and software, where Group Passwords are used 
    instead of Public Key Infrastructure (PKI) certificates to 
    authenticate a VPN user. The exploit code affects the Cisco VPN 3000 
    Concentrator, the Cisco VPN client software for Windows and Linux PCs, 
    and the VPN 3002 hardware client - a small appliance for connecting 
    remote PCs to a Cisco VPN through broadband links. 
    
    The exploit code could be used to emulate an enterprise VPN 
    termination device, such as the Cisco VPN Concentrator, and glean VPN 
    usernames and passwords from end users. The code could also be used to 
    hijack Cisco VPN connections directly from end users. 
    
    According to a Cisco statement, "the Group Password used by the Cisco 
    IPSec VPN client is scrambled on the hard drive, but unscrambled in 
    memory. This password can now be recovered on both the Linux and 
    Microsoft Windows platform implementations of the Cisco IPSec VPN 
    client."
    
    This so-called "man-in-the-middle" attack only affects Cisco VPN gear 
    using Group Passwords. This is considered a less-secure authentication 
    method than PKI certificate exchanges. 
    
    Cisco says there are no workarounds for this problem, and recommends 
    that users implement PKI instead of Group Passwords for VPN 
    authentication. The company says it will release software that will 
    fix the Group Password problem on the VPN 3000 Concentrator, client 
    software and hardware client in the third quarter of this year. 
    
    The news of hacker software for this Cisco VPN weakness comes a week 
    after Cisco warned of a software flaw that could leave the IPSec VPN 
    Module for the Catalyst 6500 switch and 7600 series router susceptible 
    to a denial-of-service attack. 
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    


