Risk: High
Security experts have uncovered a potentially serious vulnerability in Cisco's VPN 3000 series Concentrator products while performing a VPN security test for a customer.
According to NTA Monitor, who published a White Paper in January 2005, the flaw affects remote access VPNs with Pre Shared Key (PSK) authentication, and is the first step to gaining access to the network by allowing an attacker to use a dictionary or brute-force attack to determine valid group names on the concentrator.
Roy Hills, technical director at NTA Monitor, explained that the issue centres on the way in which the concentrator responds to valid and invalid group names.
"This permits an attacker to enumerate valid group names on a Cisco VPN concentrator through either a dictionary attack or a brute-force attack," he said.
"Once a valid group name is determined, the attacker can use this to obtain a hash from the concentrator, which can then be cracked offline to determine the group password".
"As the password-guessing process is offline, it will not cause the concentrator to log any authentication failures."
NTA monitor warned that, once an attacker has a valid group name and group password, it becomes possible to mount a 'man-in-the-middle' attack against the XAUTH user authentication mechanism.
Successfully carrying out such an attack would allow the hacker to snoop on or alter VPN traffic, or gain access to the network protected by the VPN.
The security testing company further warned that man-in-the-middle attacks work even if strong authentication such as SecurID is used.
"In practice, most concentrators are configured for remote access with PSK authentication, so this bug will affect the majority of users. Site-to-site VPN operation is not affected, nor is remote access with certificate authentication," NTA Monitor stated.
The issue is believed to affect all Cisco VPN 3000 Concentrator models (3005, 3015, 3020, 3030, 3060 and 3080) and all software versions prior to 4.1.7.F are vulnerable.
There is no specific workaround to prevent the discovery of valid group names on affected software versions using PSK as the authentication mechanism in remote access scenarios.
Users who are concerned about secondary exploitation (off-line PSK recovery, MiTM attacks) can apply the following mitigation strategies:
Use strong passwords as keys and change them frequently. This is the most effective way to mitigate dictionary attacks. The VPN Concentrator accepts passwords from 4 to 32 characters in length, including combinations of uppercase/lowercase letters, numbers, and additional characters (excluding '\' and '@').
Deploy a feature called 'Mutual Group Authentication'. Additional information about this feature can be found at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel405/405clnt.htm#wp1375735 http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/vcach1.htm#wp1158315 Sources: http://www.nta-monitor.com/posts/2005/06/cisco-concentrator-groupname-enumeration-vulnerability.html http://www.vnunet.com/vnunet/news/2138475/cisco-under-fire-vpn-flaw