Clayton Kossmeyer
18/10/05, 23:25
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello -
The Cisco PSIRT is aware of reports that claim the Cisco VPN Client
password encryption uses a breakable algorithm to encrypt user
passwords.
We are aware of reports at the following sites:
http://www.heise.de/newsticker/meldung/64954
http://evilscientists.de/blog/?page_id=339
http://evilscientists.de/blog/?page_id=343
This issue is related to a Security Notice that the Cisco PSIRT
released in October of 2004. Cisco's public announcement can be found
here:
http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml
The Cisco VPN 3000 Series has a configuration option that does not
allow the storage of the user password in the VPN client. For
customers that are concerned about the recovery of the user password,
the following option can be disabled to prevent local storage of the
user password.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1 f0.html#wp2477015
- - ---------------------
Cisco Client Parameters
Allow Password Storage on Client - Check this box to allow IPSec
clients to store their login passwords on their local client
systems. If you do not allow password storage (the default), IPSec
users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password
storage.
- - ---------------------
Note that the default configuration of the VPN 3000 Series does not
allow client password storage. Additionally, this attack only affects
passwords that are static and reused for login to the VPN
network. Customers using one-time passwords (OTP) and certificates to
connect are unaffected.
We do greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
Regards,
Clay
Cisco PSIRT
On Sun, Oct 16, 2005 at 09:28:41PM +0200, Thierry Zoller wrote:
>
> Dear List,
>
> [1] heise published a news article today.
> [2] EvilScientists reverse engineered the algorithm Cisco uses to _obscufate_ the
> passwords.
> [3] PoC
>
> Summary :
> Cisco uses 3des to encrypt the passwords, however it does so using
> a deterministic encryption sheme (no user input) and thus must be
> reproducible.
>
> The algorithm [2] found was as follows :
>
> * GetDate - convert to string
> * Generate an SHA Hash from that string h1 (20 Bytes)
> * h1 is modified into Hash h2
> * h1 is modified into Hash h3
> * h2 and the first 4 Bytes from h3 give the 3DES Key
> * The clear text password no encrypted in 3DES CBC Mode. The IV is the first 8 Bytes of h1.
> * If the size of the clear text password is not a multiple of the
> Block size, the differece to the next block is calculcated and padded
> with a Digit. -> length of password is known
> * A last hash is calculated from the encrypted Password h4
> * The value of the Key “enc_UserPassword” is: h1|h4|verschlüsseltes Passwort
>
> Credits:
> [1] http://www.heise.de/newsticker/meldung/64954
> [2] http://evilscientists.de/blog/?page_id=339
> [3] http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar
> I take no credit I am only translating and forwarding.
>
> --
> Thierry Zoller
> http://thierry.sniff-em.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)
iD8DBQFDVU8DEHa/Ybuq8nARAgVzAJ4mPsT5ThKc4DKJGAa76OuLSPs7CgCdFS+W
BjtwpXaQnRZvaR/UiH+/1wg=
=ivMN
-----END PGP SIGNATURE-----
Hash: SHA1
Hello -
The Cisco PSIRT is aware of reports that claim the Cisco VPN Client
password encryption uses a breakable algorithm to encrypt user
passwords.
We are aware of reports at the following sites:
http://www.heise.de/newsticker/meldung/64954
http://evilscientists.de/blog/?page_id=339
http://evilscientists.de/blog/?page_id=343
This issue is related to a Security Notice that the Cisco PSIRT
released in October of 2004. Cisco's public announcement can be found
here:
http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml
The Cisco VPN 3000 Series has a configuration option that does not
allow the storage of the user password in the VPN client. For
customers that are concerned about the recovery of the user password,
the following option can be disabled to prevent local storage of the
user password.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1 f0.html#wp2477015
- - ---------------------
Cisco Client Parameters
Allow Password Storage on Client - Check this box to allow IPSec
clients to store their login passwords on their local client
systems. If you do not allow password storage (the default), IPSec
users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password
storage.
- - ---------------------
Note that the default configuration of the VPN 3000 Series does not
allow client password storage. Additionally, this attack only affects
passwords that are static and reused for login to the VPN
network. Customers using one-time passwords (OTP) and certificates to
connect are unaffected.
We do greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
Regards,
Clay
Cisco PSIRT
On Sun, Oct 16, 2005 at 09:28:41PM +0200, Thierry Zoller wrote:
>
> Dear List,
>
> [1] heise published a news article today.
> [2] EvilScientists reverse engineered the algorithm Cisco uses to _obscufate_ the
> passwords.
> [3] PoC
>
> Summary :
> Cisco uses 3des to encrypt the passwords, however it does so using
> a deterministic encryption sheme (no user input) and thus must be
> reproducible.
>
> The algorithm [2] found was as follows :
>
> * GetDate - convert to string
> * Generate an SHA Hash from that string h1 (20 Bytes)
> * h1 is modified into Hash h2
> * h1 is modified into Hash h3
> * h2 and the first 4 Bytes from h3 give the 3DES Key
> * The clear text password no encrypted in 3DES CBC Mode. The IV is the first 8 Bytes of h1.
> * If the size of the clear text password is not a multiple of the
> Block size, the differece to the next block is calculcated and padded
> with a Digit. -> length of password is known
> * A last hash is calculated from the encrypted Password h4
> * The value of the Key “enc_UserPassword” is: h1|h4|verschlüsseltes Passwort
>
> Credits:
> [1] http://www.heise.de/newsticker/meldung/64954
> [2] http://evilscientists.de/blog/?page_id=339
> [3] http://www.evilscientists.de/blog/?dl=CiscoPasswordRevealer.rar
> I take no credit I am only translating and forwarding.
>
> --
> Thierry Zoller
> http://thierry.sniff-em.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)
iD8DBQFDVU8DEHa/Ybuq8nARAgVzAJ4mPsT5ThKc4DKJGAa76OuLSPs7CgCdFS+W
BjtwpXaQnRZvaR/UiH+/1wg=
=ivMN
-----END PGP SIGNATURE-----