
IPSec VPN Username Enumeration Vulnerability


Article ID: JSA10353 (SECURITY_ADVISORIES)
Last Updated: 09 May 2013
Version: 3.0
Legacy Advisory Id:
PSN-2005-08-005
Product Affected:
ScreenOS, JUNOS, JUNOSe
Problem:

Aggressive Mode IKE authentication is insecure by design. When a VPN is configured in this mode, the user identity is not concealed and passes unencrypted on the wire. In addition to this shortcoming, Aggressive Mode does not generate a server reply for invalid users, which allows user enumeration. This vulnerability is inherent to the way in which the industry-standard IPSec IKE version 1 protocol functions.
Solution:

Customers have a number of choices to address the issue:

Option 1:

Enforce secure practices with regard to VPN parameter selection, and specifically the following:

  1. Username identity: Do not use easily guessable usernames that could facilitate dictionary attacks. For example, "ad879s8dv9sdu9a87s" is more secure than "jdoh".

  2. Preshared key: Do not use easily guessable passwords that could facilitate dictionary attacks. For example, "sd5563#3.4553skrDqw" is more secure than "john".

  3. Proxy ID: The destination network address should be as specific as possible.

Option 2:

Use "Main Mode" IKE with certificates issued by a Certificate Authority, rather than "Aggressive Mode" with pre-shared keys. Note that while this mode is more secure because it provides identity protection, it does require additional planning and resources to implement.

Resources listed under "Related Links" below can be referenced when configuring Main Mode Certificate based VPN tunnels.

Severity Level:
Low
Severity Assessment:
Due to the IPSec IKE v1 protocol specification, remote attackers could enumerate VPN usernames by brute force when an endpoint is configured to accept IKE Aggressive Mode authentication.
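
To check captured traffic for the exposure described under Problem, the following added example (not Juniper code) parses an IKEv1 ISAKMP message per RFC 2408, reports whether it is Main or Aggressive Mode and any identity sent in the clear, and lists sources that present many distinct identities. The function names, the threshold, and the sample messages are constructed assumptions.

```python
import struct
from collections import defaultdict

EXCHANGE = {2: "main", 4: "aggressive"}  # RFC 2408 exchange type values
NONCE, IDENT = 10, 5                     # RFC 2408 payload type values

def parse_isakmp(msg: bytes):
    """Return (mode, cleartext identity or None) for one IKEv1 message."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    nxt, version, xchg, flags, _msgid, length = struct.unpack_from("!BBBBII", msg, 16)
    if version >> 4 != 1 or length > len(msg):
        raise ValueError("not a complete IKEv1 message")
    mode = EXCHANGE.get(xchg, f"other({xchg})")
    if flags & 0x01:                     # encryption bit set: payloads are opaque
        return mode, None
    off = 28
    while nxt != 0 and off + 4 <= length:
        following, _rsvd, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if nxt == IDENT and plen >= 8:
            # ID body: type(1) protocol(1) port(2), then the identity itself
            return mode, msg[off + 8:off + plen].decode("latin-1")
        nxt, off = following, off + plen
    return mode, None

def many_identities(observations, threshold=3):
    """Sources that sent more than `threshold` distinct aggressive-mode identities."""
    seen = defaultdict(set)
    for src, raw in observations:
        mode, ident = parse_isakmp(raw)
        if mode == "aggressive" and ident is not None:
            seen[src].add(ident)
    return {s: sorted(i) for s, i in seen.items() if len(i) > threshold}

def sample(xchg, ident: bytes, flags=0):
    """Constructed message: header, nonce payload, ID payload (not a full exchange)."""
    nonce = struct.pack("!BBH", IDENT, 0, 12) + b"\xaa" * 8
    idp = struct.pack("!BBHBBH", 0, 0, 8 + len(ident), 3, 17, 500) + ident
    body = nonce + idp
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, NONCE,
                       0x10, xchg, flags, 0, 28 + len(body)) + body

if __name__ == "__main__":
    print(parse_isakmp(sample(4, b"jdoh")))            # identity readable on the wire
    print(parse_isakmp(sample(2, b"jdoh", flags=1)))   # Main Mode: encrypted, hidden
```

Feed `many_identities` pairs of source address and UDP/500 payload taken from a packet capture; peers it reports, and any peer for which `parse_isakmp` returns "aggressive", are candidates for migration to Option 2.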

Related Links
