Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 20, 2002
Affected
Mac OS X 10.2 (Jaguar) supports the IKE protocol. IKE is turned off by default, and there is no easy way to enable its operation in our default system configuration. There are no components in Mac OS X that make use of IKE. The Aggressive Mode negotiation mode of IKE is a protocol that certain users may wish to use in certain circumstances, and we do not at this time plan to remove this standard protocol from Mac OS X.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 03, 2002 Updated: October 08, 2002
Affected
This information will also be published at http://www.checkpoint.com/techsupport/alerts.
Check Point Statement on use of IKE Aggressive Mode
A document has recently been published alleging vulnerabilities in the Check Point VPN-1/FireWall-1 product, involving the use of SecuRemote/SecureClient and IKE Aggressive mode. Check Point does not recommend the use of IKE Aggressive Mode, because of many well-known limitations in the protocol, and the Check Point products offer much more secure alternatives.
In the vulnerability claim document, two issues were presented:
1) usernames are passed in cleartext using IKE Aggressive Mode
2) usernames are susceptible to brute-force guessing when using IKE Aggressive Mode
The first item is merely an accurate description of the IKE protocol. Check Point has no bug or vulnerability, but has correctly implemented the IKE standard for Aggressive Mode. The passing of usernames in cleartext is common to any vendors of IKE products who support Aggressive Mode. The claim of a vulnerability is incorrect.
Because of such well-known weaknesses in the IKE Aggressive Mode standard, Check Point authored and published an extension called Hybrid Mode which allows the secure use of all supported authentication schemes (e.g., RADIUS or TACACS) without sending usernames in cleartext. This extension has been incorporated in the product since the 4.1 SP1 release (February 2000), with hybrid mode recommended over Aggressive Mode for enhanced security.
The second item exists only in VPN-1/FireWall-1 v4.1 modules which are still configured to support SecuRemote/SecureClient connections using IKE Aggressive Mode, despite the availability of more secure options in the product. Note, again, that the guessable usernames in this scenario are, by design of the IKE protocol, sent in cleartext.
By default, Aggressive Mode is not enabled in NG. In 4.1, the recommended configuration is to disable Aggressive Mode and use Hybrid Mode instead (which involves no change to the user experience).
Scott Walker Register
FireWall-1 Product Manager
Check Point Software Technologies, Inc.
ph: 561.989.5418 fax: 561.997.9392
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 08, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 08, 2002
Not Affected
F5 products do not include IPSEC or IKE, and are therefore not affected by this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 17, 2002
Not Affected
FreeBSD does not ship an IKE daemon by default and therefore is not vulnerable. The KAME IKE daemon is available via the ports collection; see KAME's statement for information.
The vendor has not provided us with any further information regarding this vulnerability.
KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.
Notified: September 17, 2002 Updated: September 18, 2002
Not Affected
Fujitsu's UXP/V operating system does not support the IKE protocol.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 02, 2002
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 08, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 24, 2002 Updated: October 15, 2002
Affected
Though it is true that, with aggressive mode, identification data will be transmitted in the clear, identification data can be anything - it is just a string. It doesn't necessarily reflect any of the user accounts on a system. For our implementation, the identification data is just a string, and has no relationship whatsoever with UNIX accounts or other sensitive data. Also, the shared secret used for shared secret authentication is totally separate from UNIX passwords. (Of course, if a user chooses to configure identification string/shared secret to be equal to UNIX account name/password, it can be done.) So the severity really depends on how a user configures our program.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 30, 2002
Not Affected
Microsoft products are not affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 20, 2002
Not Affected
We do not currently support an implementation of the IKE protocol. We may support such features in the future... at that time we will be sure to pay attention to VU#886601 and any other advisories for IKE.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 08, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: October 17, 2002
Affected
See KAME's statement, as NetBSD uses the racoon IKE daemon from KAME.
The vendor has not provided us with any further information regarding this vulnerability.
KAME Project Information for VU#886601 is located at http://www.kb.cert.org/vuls/id/JPLA-5EQRD2.
Notified: September 17, 2002 Updated: September 20, 2002
Not Affected
NetApp products are not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 20, 2002
Not Affected
The Solaris in.iked daemon for Internet Key Exchange (IKE) [new to Solaris 9] and the SunScreen 3.2 ss_iked daemon for Internet Key Exchange (IKE) are not vulnerable to the issues described in this report. Both IKE daemons do not implement aggressive mode and therefore the vulnerabilities described in this report do not affect the Sun IKE daemons, in.iked and ss_iked; both daemons do not send username information in the clear.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 20, 2002
Not Affected
FreeS/WAN does not support aggressive mode and is therefore not vulnerable to the attack you are describing. We do not ship any other IKE implementations than FreeS/WAN and we do not plan any updates based on VU#886601.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: September 18, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: September 17, 2002 Updated: April 04, 2003
Not Affected
A response to this vulnerability is available from our web site: http://www.xerox.com/security.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.