Internet Key Exchange (IKE) protocol enabled services running in, or supporting, aggressive mode are prone to an information disclosure vulnerability.
# SPDX-FileCopyrightText: 2021 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
# Registration block: evaluated only while the scanner collects the script's metadata; the actual
# check (everything below this block) never runs in that pass because of the exit(0) at its end.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.117575");
  script_version("2024-06-14T05:05:48+0000");
  script_cve_id("CVE-2002-1623");
  script_tag(name:"last_modification", value:"2024-06-14 05:05:48 +0000 (Fri, 14 Jun 2024)");
  script_tag(name:"creation_date", value:"2021-07-23 09:03:46 +0000 (Fri, 23 Jul 2021)");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"cvss_base", value:"5.0");
  script_name("Internet Key Exchange (IKE) Aggressive Mode Information Disclosure Vulnerability (CVE-2002-1623)");
  # ACT_ATTACK: this check sends its own IKE aggressive mode requests to the target (see the
  # "vuldetect" tag below) instead of relying solely on the results of the detection script.
  script_category(ACT_ATTACK);
  script_family("General");
  script_copyright("Copyright (C) 2021 Greenbone AG");
  # The check is gated on the detection script having run first and on the KB key it presumably
  # sets for an ISAKMP v1.0 service on UDP (the check below re-reads that key per port).
  script_dependencies("gb_ike_isakmp_udp_detect.nasl");
  script_require_udp_ports("Services/udp/isakmp", 500);
  script_mandatory_keys("isakmp/v1.0/udp/detected");
  script_xref(name:"URL", value:"https://www.kb.cert.org/vuls/id/886601");
  script_xref(name:"URL", value:"https://web.archive.org/web/20120203011907/http://www.nta-monitor.com/posts/2003/01/checkpoint-main.html");
  script_xref(name:"URL", value:"https://marc.info/?l=bugtraq&m=103124812629621&w=2");
  script_xref(name:"URL", value:"https://marc.info/?l=bugtraq&m=103176164729351&w=2");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/7423");
  script_tag(name:"summary", value:"Internet Key Exchange (IKE) protocol enabled services running
in / supporting the aggressive mode are prone to an information disclosure vulnerability.");
  script_tag(name:"vuldetect", value:"Sends IKE aggressive mode connection requests with
Pre-Shared Key (PSK) authentication enabled and checks the response.");
  script_tag(name:"insight", value:"The design of the IKE protocol, when using Aggressive Mode for
shared secret authentication (PSK), does not encrypt initiator or responder identities during
negotiation.
Please see the references for more technical / background info.");
  script_tag(name:"impact", value:"The flaw may allow remote attackers to determine valid usernames
by monitoring responses before the password is supplied or sniffing.");
  script_tag(name:"affected", value:"Internet Key Exchange (IKE) protocol enabled services running
in / supporting the aggressive mode with Pre-Shared Key (PSK) authentication enabled might be
affected.");
  script_tag(name:"solution", value:"Use an alternative mode and authentication method.
The IKE protocol provides many options for both connection mode and authentication method, several
combinations provide identity protection. For example, both Main Mode with shared secret
authentication and Aggressive Mode with public key authentication provide identity protection.");
  # remote_active: the verdict is based on the responder's reply to a request this script sent itself.
  script_tag(name:"qod_type", value:"remote_active");
  # No vendor fix exists for a protocol design issue; the remedy is a different mode / auth method.
  script_tag(name:"solution_type", value:"Mitigation");
  exit(0);
}
include("port_service_func.inc");
include("ike_isakmp_func.inc");
include("host_details.inc");
include("misc_func.inc");
include("byte_func.inc");
include("version_func.inc");
include("dump.inc");
include("pcap_func.inc");
include("list_array_func.inc");
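proto = "udp";
port = service_get_port( default:500, proto:"isakmp", ipproto:proto );

# nb: Only IKE / ISAKMP v1.0 is affected...
if( ! get_kb_item( "isakmp/v1.0/" + proto + "/" + port + "/detected" ) )
  exit( 0 );

# Proposal space tried against the responder. Only PSK authentication is relevant for this flaw
# (aggressive mode with public key authentication keeps the identities protected, see the
# "solution" tag in the description block); the other lists just widen the chance that one of
# the proposals gets accepted by the remote implementation.
auth_method_list = make_list( "psk" );
encryption_algo_list = make_list( "des", "3des", "aes/128", "aes/192", "aes/256" );
hash_algo_list = make_list( "md5", "sha1" );
# nb: group_desc goes into the SA transform, dhgroup into the request (KE payload), and every
# group_desc is currently tried against every dhgroup. The two lists look parallel (768 bit <->
# group 1, 1024 <-> 2, 1536 <-> 5, 2048 <-> 14, ...), so pairing them would cut the number of
# probes considerably - kept as-is, confirm against ike_isakmp_func.inc before changing this.
group_desc_list = make_list( "768", "1024", "1536", "2048", "3072", "4096", "6144", "8192" );
dhgroup_list = make_list( 1, 2, 5, 14, 15, 16, 17, 18 );

# Scanner address, sent as the (unencrypted) initiator identity of the aggressive mode request.
this_host = this_host();

foreach auth_method( auth_method_list ) {
  foreach encryption_algo( encryption_algo_list ) {
    foreach hash_algo( hash_algo_list ) {
      foreach group_desc( group_desc_list ) {

        transform = isakmp_create_transforms_packet_single( encryption_algo:encryption_algo, auth_method:auth_method, hash_algo:hash_algo, group_desc:group_desc, max_transforms:1, current_transform:1 );
        if( ! transform )
          continue;

        foreach dhgroup( dhgroup_list ) {

          # nb: A fresh initiator SPI for every request; it is handed to isakmp_send_recv() below,
          # presumably so the reply can be matched to this specific probe rather than to a late
          # reply to one of the earlier ones.
          my_initiator_spi = rand_str( length:8, charset:"abcdefghiklmnopqrstuvwxyz0123456789" );

          req = isakmp_create_request_packet( port:port, ipproto:proto, exchange_type:"Aggressive", transforms:transform, transforms_num:1, initiator_spi:my_initiator_spi, dhgroup:dhgroup, aggressive_mode_id:this_host );
          if( ! req )
            continue;

          res = isakmp_send_recv( port:port, data:req, initiator_spi:my_initiator_spi, proto:proto, use_pcap:TRUE, debug:FALSE );

          # nb: Basic validity / response check. A few IKE implementations are reporting this string.
          if( ! res || "Could not find acceptable proposal" >< res )
            continue;

          # nb: isakmp_send_recv is already internally handling a received length < 28 so no extra
          # response length check required here.
          #
          # The 28 bytes are the fixed ISAKMP header (RFC 2408, section 3.1): initiator SPI (0-7),
          # responder SPI (8-15), next payload (16), version (17), exchange type (18), flags (19),
          # message ID (20-23), length (24-27). Only bytes 16 and 18 are evaluated here.
          next_payload = res[16];
          exchange_type = res[18];
          if( isnull( next_payload ) || isnull( exchange_type ) )
            continue;

          # If we're receiving both the remote host has accepted our proposal.
          if( next_payload == PAYLOADS_RAW["Security Association"] && exchange_type == EXCHANGE_TYPES_RAW["Aggressive"] ) {

            # nb:
            # - Store the reference from this one to gb_ike_isakmp_udp_detect.nasl to show a
            #   cross-reference within the reports
            # - We don't want to use get_app_* functions as we're only interested in the
            #   cross-reference here
            register_host_detail( name:"detected_by", value:"1.3.6.1.4.1.25623.1.0.117461" ); # gb_ike_isakmp_udp_detect.nasl
            # nb: Built from "proto" like every other port reference in this script rather than a
            # hard-coded "udp" so the two cannot drift apart (same value today).
            register_host_detail( name:"detected_at", value:port + "/" + proto );

            info = make_array();
            info["Authentication-Method"] = auth_method;
            info["Encryption-Algorithm"] = encryption_algo;
            info["Hash-Algorithm"] = hash_algo;
            info["Group-Description"] = group_desc;
            info["Diffie Hellman Group"] = dhgroup;

            report = 'The remote host is accepting Aggressive Mode connections with the following proposal:\n\n';
            report += text_format_table( array:info, sep:" | ", columnheader:make_list( "Type", "Value" ) );
            security_message( port:port, proto:proto, data:report );

            # nb: One accepted proposal is enough to prove the flaw; stop here instead of sending
            # the remaining part of the proposal space (up to 640 requests in total).
            exit( 0 );
          }
        }
      }
    }
  }
}

exit( 99 );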