• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Vendor IKE Insecure XAUTH Implementation Vulnerabilities

Severity: MODERATE

Description:

IKE is the Internet Key Exchange protocol. It is used for the negotiation of authentication and encryption methods and keys during VPN session initiation.

IKE, when implemented with 'XAUTH' extensions, has been reported prone to sensitive information disclosure.

The vulnerability has been reported to result from a weaknesses in XAUTH when used as an extension of IKE. For example, when IKE is configured to use a 'group-password' and then transmit a second authenticator employing XAUTH. Specifically, the server does not have to be authorized to the client in an XAUTH based IKE negotiation. This issue may provide for a circumstance, where an attacker with a malicious IKE server implementing XAUTH, may be authorized with a client and the client may pass sensitive data to the malicious server, without suspecting that the malicious server is not in fact a legitimate server for this transaction.

This could potentially be exploited by an attacker to carry out a session to a legitimate server, as the client who leaked the sensitive information. Other attacks would also be possible.

IETF has not recommended the use of XAUTH as an extension of IKE.

It should be noted that the researcher specifically mentioned that certain vendor VPN clients as being vulnerable, however it was also mentioned that only some devices/products are vulnerable under specific configurations.

At the time of writing, no confirmation has been made by Symantec regarding which products/devices are directly affected. At this time all vendor VPN clients have been added as potentially vulnerable. These details will be modified and/or clarified, as further information is made available.

Although specific vendor product versions affected by this issue are not currently known, the researcher has stated that the following vendors are or may be affected: Cisco, Nortel, MovianVPN, SafeNet, Certicom, and Funk AdmitOne. It should be noted that other vendors/products may be affected as well.

Affected Products:

• Certicom MovianVPN 0.0.0
• Cisco VPN 3000 Concentrator 2.0.0
• Cisco VPN 3000 Concentrator 2.5.2(A)
• Cisco VPN 3000 Concentrator 2.5.2(B)
• Cisco VPN 3000 Concentrator 2.5.2(C)
• Cisco VPN 3000 Concentrator 2.5.2(D)
• Cisco VPN 3000 Concentrator 2.5.2(F)
• Cisco VPN 3000 Concentrator 3.0.0
• Cisco VPN 3000 Concentrator 3.0.0
• Cisco VPN 3000 Concentrator 3.0.3(A)
• Cisco VPN 3000 Concentrator 3.0.3(B)
• Cisco VPN 3000 Concentrator 3.0.4
• Cisco VPN 3000 Concentrator 3.1.0
• Cisco VPN 3000 Concentrator 3.1.0(Rel)
• Cisco VPN 3000 Concentrator 3.1.1
• Cisco VPN 3000 Concentrator 3.1.2
• Cisco VPN 3000 Concentrator 3.1.4
• Cisco VPN 3000 Concentrator 3.5.0(Rel)
• Cisco VPN 3000 Concentrator 3.5.1
• Cisco VPN 3000 Concentrator 3.5.2
• Cisco VPN 3000 Concentrator 3.5.3
• Cisco VPN 3000 Concentrator 3.5.4
• Cisco VPN 3000 Concentrator 3.5.5
• Cisco VPN 3000 Concentrator 3.6.0
• Cisco VPN 3000 Concentrator 3.6.1
• Cisco VPN 3000 Concentrator 3.6.7
• Cisco VPN 3000 Concentrator 3.6.7D
• Cisco VPN 3000 Concentrator 4.0.0
• Cisco VPN 3000 Concentrator 4.0.0.x
• Cisco VPN 3000 Concentrator 4.0.1
• Cisco VPN 3002 Hardware Client 0.0.0
• Cisco VPN 5000 Client for Linux 5.2.6
• Cisco VPN 5000 Client for Linux 5.2.7
• Cisco VPN 5000 Client for Mac OS 5.1.2
• Cisco VPN 5000 Client for Mac OS 5.2.1
• Cisco VPN 5000 Client for Mac OS 5.2.2
• Cisco VPN 5000 Client for Solaris 5.2.7
• Cisco VPN 5000 Client for Solaris 5.2.8
• Cisco VPN Client for Linux 3.5.1
• Cisco VPN Client for Linux 3.5.2
• Cisco VPN Client for Linux 3.5.2B
• Cisco VPN Client for Linux 3.5.4
• Cisco VPN Client for Linux 3.6.0
• Cisco VPN Client for Linux 3.6.1
• Cisco VPN Client for Mac OS X 3.5.1
• Cisco VPN Client for Mac OS X 3.5.2
• Cisco VPN Client for Mac OS X 3.5.2B
• Cisco VPN Client for Mac OS X 3.5.4
• Cisco VPN Client for Mac OS X 3.6.0
• Cisco VPN Client for Mac OS X 3.6.1
• Cisco VPN Client for Mac OS X 4.0.2A
• Cisco VPN Client for Mac OS X 4.0.2C
• Cisco VPN Client for Solaris 3.5.1
• Cisco VPN Client for Solaris 3.5.2
• Cisco VPN Client for Solaris 3.5.2B
• Cisco VPN Client for Solaris 3.5.4
• Cisco VPN Client for Solaris 3.6.0
• Cisco VPN Client for Solaris 3.6.1
• Cisco VPN Client for Solaris 4.0.2A
• Cisco VPN Client for Solaris 4.0.2C
• Cisco VPN Client for Windows 2.0.0
• Cisco VPN Client for Windows 3.0.0
• Cisco VPN Client for Windows 3.0.5
• Cisco VPN Client for Windows 3.1.0
• Cisco VPN Client for Windows 3.5.1
• Cisco VPN Client for Windows 3.5.1C
• Cisco VPN Client for Windows 3.5.2
• Cisco VPN Client for Windows 3.5.2B
• Cisco VPN Client for Windows 3.5.4
• Cisco VPN Client for Windows 3.6.0
• Cisco VPN Client for Windows 3.6.0(Rel)
• Cisco VPN Client for Windows 3.6.1
• Cisco VPN Client for Windows 4.0.2A
• Cisco VPN Client for Windows 4.0.2C

References:

• Cisco: Cisco Security:Cisco IPsec VPN Implementation Group Password Usage Vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.