IPSec VPN Username Enumeration Vulnerability

  [JSA10353]


Legacy Advisory Id:
PSN-2005-08-005
Product Affected:
ScreenOS, JUNOS, JUNOSe
Problem:

IKE Phase 1 in Aggressive Mode offers no identity protection by design. The initiator's identity (the ID payload, which for remote-access clients is typically a username or group name) is sent in the clear in the first message, before any keying material has been agreed, so anyone who can observe the traffic can read it. In addition, a gateway configured for Aggressive Mode replies to an initiator whose identity it recognizes but sends no reply to an unknown one, so an attacker can confirm which usernames exist simply by sending Phase 1 proposals with guessed identities and noting which ones receive a response. This behaviour is inherent in the way the industry-standard IPsec IKE version 1 protocol operates rather than a defect in any one implementation.
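Because the identity travels unencrypted, the same property that lets an attacker enumerate users also lets a defender see the enumeration happening. The following is an added example, not part of the Juniper advisory or any Juniper product: it parses the ISAKMP header and generic payload chain of UDP/500 datagrams, pulls the cleartext ID payload out of an Aggressive Mode message 1, and flags a source that presents many distinct identities to one responder. The datagrams, addresses and identities are constructed inline, the SA, KE and Nonce payload bodies are abbreviated placeholders, and the detection threshold is an arbitrary choice for the demonstration.

```python
"""Passive detection of IKEv1 Aggressive Mode identity leakage and enumeration.

Added example (not from the advisory). Parses the ISAKMP header and payload
chain as laid out in RFC 2408, extracts the cleartext ID payload carried by an
Aggressive Mode message 1, and flags sources cycling through many identities.
All datagrams are constructed inline; nothing is sent on the network.
"""
import struct
from collections import defaultdict

# ISAKMP header: I-SPI(8) R-SPI(8) NextPayload(1) Version(1) ExchType(1) Flags(1) MsgID(4) Length(4)
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main (identity protection)", 4: "aggressive"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def parse_isakmp(datagram):
    """Return the exchange type, payload type sequence and decoded ID (if any)."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    ispi, _rspi, next_pl, _ver, exch, _flags, _msg_id, length = HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("header length does not match datagram")
    result = {"exchange": EXCHANGE_NAMES.get(exch, "type %d" % exch),
              "initiator_spi": ispi.hex(), "payloads": [], "identity": None}
    offset = HEADER.size
    while next_pl != 0:
        if offset + 4 > len(datagram):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > len(datagram):
            raise ValueError("bad payload length")
        body = datagram[offset + 4:offset + plen]
        result["payloads"].append(next_pl)
        if next_pl == PAYLOAD_ID and len(body) >= 4:
            # ID payload body: IDType(1) ProtocolID(1) Port(2) IdentificationData
            id_type, data = body[0], body[4:]
            text = (".".join(str(b) for b in data) if id_type == 1 and len(data) == 4
                    else data.decode("utf-8", errors="replace"))
            result["identity"] = (ID_TYPE_NAMES.get(id_type, "type %d" % id_type), text)
        next_pl, offset = following, offset + plen
    return result


def _payload(next_type, body):
    """Generic payload header (NextPayload, Reserved, Length) followed by body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_message1(initiator_spi, exchange, identity=None):
    """Constructed IKEv1 message 1 for the demonstration (payload bodies abbreviated).
    Aggressive Mode (4): SA, KE, Nonce and a cleartext USER_FQDN ID payload.
    Main Mode (2): SA proposal only; the ID is sent later, encrypted."""
    sa_body = struct.pack("!II", 1, 1)  # DOI=IPsec, situation; real proposals are longer
    if exchange == 4 and identity is not None:
        id_body = struct.pack("!BBH", 3, 17, 500) + identity.encode()  # USER_FQDN, UDP, 500
        payloads = (_payload(PAYLOAD_KE, sa_body) + _payload(PAYLOAD_NONCE, b"\x42" * 16)
                    + _payload(PAYLOAD_ID, b"\x24" * 16) + _payload(0, id_body))
    else:
        payloads = _payload(0, sa_body)
    header = HEADER.pack(initiator_spi, b"\x00" * 8, PAYLOAD_SA, 0x10, exchange, 0, 0,
                         HEADER.size + len(payloads))
    return header + payloads


def find_enumeration(datagrams, threshold=5):
    """datagrams: iterable of (src_ip, dst_ip, bytes) sent toward UDP/500 responders.
    Returns {(src, dst): sorted identities} for every source that presented at least
    `threshold` distinct identities in Aggressive Mode, the signature of an enumeration run."""
    seen = defaultdict(set)
    for src, dst, data in datagrams:
        try:
            msg = parse_isakmp(data)
        except ValueError:
            continue  # not ISAKMP or malformed; ignore for this purpose
        if msg["exchange"] == "aggressive" and msg["identity"]:
            seen[(src, dst)].add(msg["identity"][1])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


def sample_traffic():
    """Constructed capture: one legitimate client, one host cycling through guesses."""
    flows = [("10.0.0.5", "203.0.113.1", build_message1(b"\x11" * 8, 4, "jdoe@example.com")),
             ("10.0.0.5", "203.0.113.1", build_message1(b"\x12" * 8, 2))]
    for i, guess in enumerate(["admin", "vpn", "jsmith", "backup", "test", "guest"]):
        flows.append(("198.51.100.9", "203.0.113.1",
                      build_message1(bytes([0x20 + i]) * 8, 4, guess + "@example.com")))
    return flows


if __name__ == "__main__":
    for src, dst, data in sample_traffic()[:2]:
        print(src, "->", dst, parse_isakmp(data))
    print(find_enumeration(sample_traffic()))
```

The two printed records make the advisory's point concrete: the Aggressive Mode datagram yields a readable identity from the first packet, while the Main Mode datagram carries only the SA proposal and no identity at all. The same parser applied to a real capture would need the UDP payload of each packet on port 500 (or 4500 after the NAT-T non-ESP marker); counting distinct identities per source pair is a coarse heuristic and should be tuned to the client population.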
Solution:

Customers have a number of choices to address the issue:

Option 1:

Enforce secure practices in VPN parameter selection, specifically the following:

  1. Username identity: Do not use easily guessable usernames that would make a dictionary attack practical; for example, "ad879s8dv9sdu9a87s" is far harder to guess than "jdoh". Note that this only raises the cost of guessing; because the identity is sent in the clear in Aggressive Mode, it offers no protection against an attacker who can observe a legitimate client's traffic.

  2. Preshared key: Do not use easily guessable keys that would make a dictionary attack practical; for example, "sd5563#3.4553skrDqw" is far stronger than "john".

  3. Proxy ID: The destination network address should be as specific as possible rather than a catch-all network.

Option 2:

Use "Main Mode" IKE with certificates issued by a Certificate Authority rather than "Aggressive Mode" with pre-shared keys. Main Mode provides identity protection: the ID payloads are exchanged only after the Diffie-Hellman exchange has completed and are encrypted under the resulting ISAKMP SA, so a passive observer cannot read usernames and the responder's reply to the first message does not depend on an identity it has not yet seen. Certificate-based authentication also removes the pre-shared key as a dictionary-attack target. Note that while this mode is more secure, it requires additional planning and resources to implement (a CA and certificate enrollment for every peer).

Resources listed under "Related Links" below can be referenced when configuring Main Mode Certificate based VPN tunnels.

Related Links:
Risk Level:
Low
Risk Assessment:
Due to the IPsec IKE version 1 protocol specification, remote attackers can enumerate VPN usernames by brute force when an endpoint is configured to accept IKE Aggressive Mode authentication.