{"vuid":"VU#886601","idnumber":"886601","name":"Internet Key Exchange (IKE) protocol discloses identity when Aggressive Mode shared secret authentication is used","keywords":["Check Point Firewall-1","SecuRemote","Internet Key Exchange","IKE protocol","username","clear text"],"overview":"The Internet Key Exchange (IKE) protocol discloses username information when Aggressive Mode is used for shared secret authentication.","clean_desc":"The Internet Key Exchange (IKE) protocol provides a negotiation mechanism that allows an initiator to establish an encrypted session with a responder. Many firewall and Virtual Private Network (VPN) products use IKE; check your product documentation to determine which modes and authentication methods are used by your product. By design, the IKE protocol does not encrypt the identities of the initiator or responder when performing shared secret authentication in Aggressive Mode. Depending upon your site configuration and need for identity protection, this design choice may represent a vulnerability to your organization.","impact":"Devices that implement this protocol as specified will leak username information while negotiating IKE sessions. This information may be useful for conducting reconnaissance on networks containing an affected device.","resolution":"Use an alternative mode and authentication method. The IKE protocol provides many options for both connection mode and authentication method; several combinations provide identity protection. For example, both Main Mode with shared secret authentication and Aggressive Mode with public key authentication provide identity protection.","workarounds":"","sysaffected":"","thanks":"The CERT/CC thanks Roy Hills for reporting this issue.","author":"This document was written by Jeffrey P. Lanza.","public":["http://www.ietf.org/rfc/rfc2409.txt","http://www.checkpoint.com/techsupport/alerts/ike.html","http://www.nta-monitor.com/news/checkpoint.htm","http://www.dsinet.org/?id=2873","http://www.netsys.com/cgi-bin/displaynews?a=382","http://www.securiteam.com/securitynews/5TP040U8AW.html","http://online.securityfocus.com/news/603","http://online.securityfocus.com/archive/1/290202/2002-09-01/2002-09-07/0","http://packetstorm.linuxsecurity.com/advisories/misc/checkpoint.ike.txt"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-08-29T18:16:56Z","publicdate":"2002-09-03T00:00:00Z","datefirstpublished":"2002-09-12T19:49:40Z","dateupdated":"2003-04-04T19:12:23Z","revision":23,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"1","cam_exploitation":"10","cam_internetinfrastructure":"0","cam_population":"14","cam_impact":"1","cam_easeofexploitation":"15","cam_attackeraccessrequired":"15","cam_scorecurrent":"0.6496875","cam_scorecurrentwidelyknown":"1.771875","cam_scorecurrentwidelyknownexploited":"2.3625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.6496875,"vulnote":null}