Cisco under fire for VPN vulnerability

Security experts have uncovered a potentially serious vulnerability in Cisco's VPN 3000 series Concentrator products while performing a VPN security test for a customer.

According to NTA Monitor, the flaw affects remote access VPNs with groupname authentication, and is the first step to gaining access to the network by allowing an attacker to use a dictionary or brute-force attack to determine valid group names on the concentrator.

Roy Hills, technical director at NTA Monitor, explained that the issue centres on the way in which the concentrator responds to valid and invalid groupnames.

"This permits an attacker to enumerate valid groupnames on a Cisco VPN concentrator through either a dictionary attack or a brute-force attack," he said.

"Once a valid groupname is determined, the attacker can use this to obtain a hash from the concentrator, which can then be cracked offline to determine the group password.

"As the password-guessing process is offline it will not cause the concentrator to log any authentication failures."

NTA monitor warned that, once an attacker has a valid groupname and group password, it becomes possible to mount a 'man-in-the-middle' attack against the XAUTH user authentication mechanism.

Successfully carrying out such an attack would allow the hacker to snoop on or alter VPN traffic, or gain access to the network protected by the VPN.

The security testing company further warned that man-in-the-middle attacks work even if strong authentication such as SecurID is used.

"In practice, most concentrators are configured for remote access with groupname authentication, so this bug will affect the majority of users. Site-to-site VPN operation is not affected, nor is remote access with certificate authentication," NTA Monitor stated.

The issue is believed to affect all Cisco VPN 3000 Concentrator models (3005, 3015, 3020, 3030, 3060 and 3080) and all software versions prior to 4.1.7.F are vulnerable.