SafeNet SoftRemote VPN Client Password Disclosure Issue
Summary
NTA Monitor have discovered a password disclosure issue in the SafeNet SoftRemote VPN client: The SoftRemote client stores the password in an obfuscated form in the Windows registry, but it also stores the unencrypted password in process memory.
The SafeNet SoftRemote VPN client is widely used for remote access IPsec VPNs. It is available as a product in its own right, and many VPN vendors also supply badged-up versions of the client that they ship with their own VPN product. The issue has been confirmed in both the SoftRemote product itself and in two badged-up versions. It is suspected that the issue is common to all versions of the client.
SoftRemote is probably the most widely used VPN client. It is known to be used by Netscreen, Gnat Box, Watchguard, and probably many more. It is also often used when clients need to connect to multiple VPNs from different vendors, because it is compatible with many VPN products even where it is not the vendor's default client.
SafeNet have been notified of this issue, and have produced a fix. It is expected that a new version of the client that addresses this issue will be available soon.
Update April 2006: The fixed versions are HA Remote 1.7.2 and SoftRemote 10.7.2. For OEM versions of the SafeNet client, which may have different version schemes, you can determine the underlying SafeNet version by right-clicking on one of the client files (e.g. spdedit.exe) and looking at the file version number.
SafeNet can be contacted for a fixed version by e-mail at support@safenet-inc.com, or by phone at +1-410-931-7520 internationally, or 1-800-545-6608 within the U.S.
Overview
While performing a VPN test for a customer, NTA Monitor discovered that the VPN client that was being used stored the VPN password (pre-shared key) unencrypted in the memory of the process "IreIKE.exe". It was possible to recover the password by dumping the process memory to a file with PMDump (http://ntsecurity.nu/toolbox/pmdump/) or by crashing the system to obtain a physical memory dump.
This vulnerability only affects connections using pre-shared keys. Connections using certificates are not affected. Both NTA Monitor and SafeNet recommend certificate-based connections for enhanced security in general.
In the memory dump, the plain-text password is visible near the name of the connection that it is associated with, e.g. "My Connections\New Connection". As the password appears at a fixed offset from the connection name in the memory dump, it would be a simple matter to write a tool to extract the connection name and password.
The IreIKE.exe process decrypts the pre-shared key as soon as it starts up, so there is no need to attempt to connect to the VPN server in order to obtain the password from the client.
The vulnerability was found in both the SafeNet version of the client and in two badged-up versions, which implies that it is common across all versions of the client.
The vulnerability allows anyone with access to the client system to obtain the password. It also allows anyone who has access to the obfuscated password in the client registry or in a policy file (.spd) to use the VPN client to obtain the corresponding plain-text password.
The VPN client's registry entries, and also its policy files, contain all the other configuration details needed to gain access to the VPN, such as the username and IP addresses, in plain (unencrypted) form. Therefore anyone with access to the VPN client system, or to a policy file, can obtain all of the details required to access the VPN.
Details
Here is the VPN client Security Policy Editor application. We use this to configure the VPN client; part of this configuration is the password or "pre-shared key". Notice that one secure connection called "New Connection" is configured in this example.
The VPN password is entered in the dialog box shown below. In this example, we enter "Str0ng$Passw0rd".
Once the VPN is configured, the IreIKE.exe process will contain the plain-text password. The screenshot below shows a process listing with IreIKE.exe highlighted.
PMDump can be used to copy the contents of the IreIKE.exe process memory to a file as shown below. Alternatively it is possible to crash the operating system to obtain a physical memory dump file, which will also contain the password.
The process memory dump file can then be viewed to discover the password. In this example, we use Microsoft Word 2000 to view the file. We can see the name of the secure connection, "New Connection", followed by the plain-text password "Str0ng$Passw0rd", which is highlighted.
Note that the last two characters of the password (in this case "rd") are repeated, so the password in memory shows as "Str0ng$Passw0rdrd". This behaviour is repeatable, and may provide some insight into the decrypting mechanism.
The password is always found a fixed distance from the connection name that it is associated with. This is demonstrated by the screenshot below, which shows the memory dump of the IreIKE.exe process with a different password. It can be seen that this password is at the same location relative to the connection name as the previous password.
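As an added example (not part of the advisory, and not NTA Monitor's or SafeNet's code), the following check lets an administrator confirm, after deploying a fixed client build, that a known pre-shared key no longer appears in clear in a process memory dump. The dump bytes and the connection name are constructed for the example; the search also covers the duplicated-tail form ("...rdrd") observed above, and UTF-16 as well as ASCII encodings, since Windows code frequently holds wide strings.

```python
"""Scan a process-memory dump for a known VPN pre-shared key (PSK)."""
from __future__ import annotations


def psk_variants(psk: str) -> list[tuple[bytes, str, bool]]:
    """Byte patterns to search for: the PSK with its last two characters
    repeated (the form the advisory observed in memory) and the PSK as typed,
    each in ASCII and in UTF-16-LE. Longer form first so it claims the offset."""
    forms = [(psk + psk[-2:], True), (psk, False)]
    out = []
    for text, duplicated_tail in forms:
        out.append((text.encode("ascii"), "ascii", duplicated_tail))
        out.append((text.encode("utf-16-le"), "utf-16-le", duplicated_tail))
    return out


def find_psk_leaks(dump: bytes, psk: str, connection_name: str | None = None) -> list[dict]:
    """Return one record per clear-text occurrence of the PSK in the dump.

    Each record carries the absolute offset, the encoding, whether the
    duplicated-tail form matched, and (when a connection name is given) the
    distance from the nearest preceding copy of that name, so a fixed
    name-to-password offset like the one described above becomes visible.
    An empty list means the key was not found in clear."""
    hits: list[dict] = []
    covered: set[int] = set()  # offsets already reported by a longer variant
    for needle, enc, duplicated_tail in psk_variants(psk):
        start = 0
        while (i := dump.find(needle, start)) >= 0:
            start = i + 1
            if i in covered:
                continue
            covered.add(i)
            hit = {"offset": i, "encoding": enc,
                   "duplicated_tail": duplicated_tail, "relative_to_name": None}
            if connection_name:
                j = dump.rfind(connection_name.encode(enc), 0, i)
                if j >= 0:
                    hit["relative_to_name"] = i - j
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample dump: connection name at offset 16, PSK (with the
# repeated "rd" tail) 38 bytes later. Not a real IreIKE.exe memory image.
SAMPLE_DUMP = (b"\x00" * 16 + b"My Connections\\New Connection\x00"
               + b"\x00" * 8 + b"Str0ng$Passw0rdrd\x00" + b"\x00" * 16)

if __name__ == "__main__":
    for h in find_psk_leaks(SAMPLE_DUMP, "Str0ng$Passw0rd", "My Connections\\New Connection"):
        print(h)
```

On a real dump (for instance one produced with PMDump, as above), pass the file's bytes and the PSK configured for that connection; a fixed client should yield no hits.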
Further Information
This issue is one example of a VPN security flaw that NTA Monitor has discovered while performing VPN security testing. We have also published a white paper that discusses the general security issues that we have found to be associated with remote access IPsec VPNs. You can download a copy of this white paper from the following URL: http://www.nta-monitor.com/posts/2005/01/vpn-flaws.html
This advisory was first released on 30th February 2005.