Cisco VPN password recovery program

Andrea Pasquinucci cesare at ucci.it
Wed Oct 19 11:14:46 EDT 2005


On Wed, Oct 19, 2005 at 10:29:19AM -0400, Perry E. Metzger wrote:
* 
* Via cryptome:
* 
* http://evilscientists.de/blog/?page_id=343
* 
*    The Cisco VPN Client uses weak encryption to store user and group
*    passwords in your local profile file.  I coded a little tool to
*    reveal the saved passwords from a given profile file.
* 
* If this is true, it doesn't sound like Cisco used a particularly smart
* design for this.
* 

Only for information, here is Cisco's reply as passed on
full-disclosure at lists.grok.org.uk and bugtraq at securityfocus.com:

Andrea

================================================================
From: Clayton Kossmeyer <ckossmey at cisco.com>
Subject: Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted
Date: Tue, 18 Oct 2005 16:06:05 -0400
To: full-disclosure at lists.grok.org.uk
Cc: bugtraq at securityfocus.com, psirt at cisco.com


Hello -

The Cisco PSIRT is aware of reports that claim the Cisco VPN Client
password encryption uses a breakable algorithm to encrypt user
passwords.

We are aware of reports at the following sites:

   http://www.heise.de/newsticker/meldung/64954
   http://evilscientists.de/blog/?page_id=339
   http://evilscientists.de/blog/?page_id=343

This issue is related to a Security Notice that the Cisco PSIRT
released in October of 2004.  Cisco's public announcement can be found
here:

http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml

The Cisco VPN 3000 Series has a configuration option that does not
allow the storage of the user password in the VPN client. For
customers that are concerned about the recovery of the user password,
the following option can be disabled to prevent local storage of the
user password.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html#wp2477015

---------------------

Cisco Client Parameters

Allow Password Storage on Client - Check this box to allow IPSec
clients to store their login passwords on their local client
systems. If you do not allow password storage (the default), IPSec
users must enter their password each time they seek access to the
VPN. For maximum security, we recommend that you not allow password
storage.

---------------------

Note that the default configuration of the VPN 3000 Series does not
allow client password storage. Additionally, this attack only affects
passwords that are static and reused for login to the VPN
network. Customers using one-time passwords (OTP) and certificates to
connect are unaffected.

We do greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Regards,

Clay
Cisco PSIRT



--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
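
An added example, not part of the original message or of Cisco's notice: a check a defender could run over VPN client profile files to find those that still hold a saved password, the condition the reply above recommends against. The `[main]` section, the key names and the leading `!` read-only marker are assumptions taken from the Cisco VPN Client profile (.pcf) format, not from this thread; both sample profiles are constructed.

```python
import configparser

# Profile keys that can hold a saved secret (assumed from the .pcf format,
# not stated in the thread). Compared in lower case.
SECRET_KEYS = {"enc_userpassword", "userpassword", "enc_grouppwd", "grouppwd"}

def audit_profile(text):
    """Return sorted (key, finding) pairs for one profile's text.

    Only the presence and length of a stored value is reported, never the
    value itself, so the audit output is safe to log.
    """
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation
    parser.read_string(text)
    if not parser.has_section("main"):
        return []
    findings = []
    for key, value in parser.items("main"):   # keys arrive lower-cased
        name = key.lstrip("!")                # "!" marks a read-only key
        value = (value or "").strip()
        if name in SECRET_KEYS and value:
            findings.append((name, f"stored secret present ({len(value)} chars)"))
        elif name == "saveuserpassword" and value == "1":
            findings.append((name, "client is set to save the user password"))
    return sorted(findings)

# Constructed sample: group secret stored, user password saving enabled.
RISKY_PROFILE = """
[main]
Description=constructed sample
Host=vpn.example.invalid
GroupName=staff
!enc_GroupPwd=0123ABCD
UserName=alice
SaveUserPassword=1
enc_UserPassword=
UserPassword=
"""

# Constructed sample: nothing stored, user prompted at every login.
CLEAN_PROFILE = """
[main]
Host=vpn.example.invalid
GroupName=staff
SaveUserPassword=0
enc_UserPassword=
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY_PROFILE), ("clean", CLEAN_PROFILE)):
        print(label, audit_profile(text))
```
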