{"vuid":"VU#236748","idnumber":"236748","name":"Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes","keywords":["Cisco","IOS","Easy VPN Server","unauthorized access","ISAKMP","Xauth","VPN","IPSec security associations","SA","IKE"],"overview":"Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes. This may allow a remote, unauthenticated attacker to access the private network.","clean_desc":"Easy VPN Server Cisco IOS Easy VPN Server allows an IOS device to function as a VPN concentrator, providing authentication and encrypted access to network resources. Easy VPN Server was introduced in IOS 12.2(8)T. IPSec IPSec is a set of standards developed by the IETF that provides data confidentiality, integrity, and authentication at the IP layer. IPSec is used by applications such as Virtual Private Networks (VPNs). Internet Key Exchange (IKE) IKE (RFC2409) is a protocol that negotiates and provides authenticated keying material for security associations (SAs) in a protected manner. IKE is accomplished by using a combination of ISAKMP (RFC2408) and other protocols. ISAKMP provides a framework for internet key management. The IKE negotiation process consists of two phases. Phase 1 establishes an ISAKMP SA. Phase 2 is used to create SAs for other security protocols. XAUTH Extended Authentication (XAUTH) is an extension to IKE. It is defined in the expired document draft-ietf-ipsec-isakmp-xauth-06.txt. XAUTH allows IKE to use existing unidirectional authentication mechanisms after the Phase 1 SA has been established. If the ISAKMP profile requires XAUTH, then the client must perform XAUTH authentication after Phase 1 negotiation. The Problem If the ISAKMP profile is specified but the attributes configured in the ISAKMP profile are not processed, the VPN client and server will wait until the SA is torn down by the idle timers. During this time, an attacker can propose Phase 2 negotiation. This may allow the IPSec SA to be fully established.","impact":"A remote attacker may be able to gain unintended access to the private network on the affected device.","resolution":"Apply a patch or upgrade Please refer to the \"Software Versions and Fixes\" section of the Cisco Security Advisory for more information on upgrading.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by the Cisco Systems Product Security Incident Response Team (\nPSIRT","author":"This document was written by Will Dormann.","public":["http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml","http://secunia.com/advisories/14853","http://xforce.iss.net/xforce/xfdb/19988","http://www.securityfocus.com/bid/13031","http://securitytracker.com/alerts/2005/Apr/1013654.html","http://www.apps.ietf.org/rfc/rfc2409.html","http://www.ietf.org/html.charters/ipsec-charter.html","http://www.apps.ietf.org/rfc/rfc2408.html"],"cveids":["CVE-2005-1058"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-04-06T18:01:01Z","publicdate":"2005-04-06T00:00:00Z","datefirstpublished":"2005-06-08T18:54:20Z","dateupdated":"2005-06-08T18:55:29Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"11","cam_population":"15","cam_impact":"8","cam_easeofexploitation":"7","cam_attackeraccessrequired":"8","cam_scorecurrent":"2.646","cam_scorecurrentwidelyknown":"3.906","cam_scorecurrentwidelyknownexploited":"6.426","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.646,"vulnote":null}