On Wed, Oct 19, 2005 at 10:29:19AM -0400, Perry E. Metzger wrote: * * Via cryptome: * * http://evilscientists.de/blog/?page_id=343 * * The Cisco VPN Client uses weak encryption to store user and group * passwords in your local profile file. I coded a little tool to * reveal the saved passwords from a given profile file. * * If this is true, it doesn't sound like Cisco used a particularly smart * design for this. *
Only for information, here is Cisco reply as passed on full-disclosure@lists.grok.org.uk and bugtraq@securityfocus.com Andrea ================================================================ From: Clayton Kossmeyer <[EMAIL PROTECTED]> Subject: Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted Date: Tue, 18 Oct 2005 16:06:05 -0400 To: full-disclosure@lists.grok.org.uk Cc: bugtraq@securityfocus.com, [EMAIL PROTECTED] Hello - The Cisco PSIRT is aware of reports that claim the Cisco VPN Client password encryption uses a breakable algorithm to encrypt user passwords. We are aware of reports at the following sites: http://www.heise.de/newsticker/meldung/64954 http://evilscientists.de/blog/?page_id=339 http://evilscientists.de/blog/?page_id=343 This issue is related to a Security Notice that the Cisco PSIRT released in October of 2004. Cisco's public announcement can be found here: http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml The Cisco VPN 3000 Series has a configuration option that does not allow the storage of the user password in the VPN client. For customers that are concerned about the recovery of the user password, the following option can be disabled to prevent local storage of the user password. http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html#wp2477015 - - --------------------- Cisco Client Parameters Allow Password Storage on Client - Check this box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage. - - --------------------- Note that the default configuration of the VPN 3000 Series does not allow client password storage. Additionally, this attack only affects passwords that are static and reused for login to the VPN network. Customers using one-time passwords (OTP) and certificates to connect are unaffected. We do greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports. Regards, Clay Cisco PSIRT -- Andrea Pasquinucci [EMAIL PROTECTED] PGP key: http://www.ucci.it/ucci_pub_key.asc fingerprint = 569B 37F6 45A4 1A17 E06F CCBB CB51 2983 6494 0DA2
pgpOUn01KQ4HV.pgp
Description: PGP signature