When a VPN 5000 series concentrator is configured to use a Remote Authentication Dial In User Service (RADIUS) server to authenticate client connections and the challenge type chosen is Password Authentication Protocol (PAP) or Challenge (a hybrid of PAP), the validation retry request sent to the RADIUS server when the first validation attempt fails does not have the user password field obfuscated with the RADIUS shared secret, so the password is sent in clear text. A VPN 5000 series concentrator configured to use Challenge-Handshake Authentication Protocol (CHAP) to authenticate is not affected by this vulnerability.

This vulnerability is documented as Cisco bug ID CSCdx82483. Workarounds are available to mitigate the effects of this vulnerability.

This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020807-vpn5k-radius-pap.
This section provides details on affected products.
All Cisco VPN 5000 series concentrator hardware running software release 6.0.21.0002 (and earlier) and 5.2.23.0003 (and earlier) are affected by this vulnerability. This series includes models 5001, 5002, and 5008.
The older IntraPort series concentrator hardware is also affected by this vulnerability. This series includes models IntraPort 2, IntraPort 2+, IntraPort Enterprise-2 and Enterprise-8, IntraPort Carrier-2, and Carrier-8.
The VPN 3000 series concentrator hardware is not affected.
To determine your software revision, check the revision via the command line interface using the show version command.
No other Cisco products are currently known to be affected by this vulnerability.
Cisco VPN 5000 series concentrator hardware running software release 6.0.21.0002 (and earlier) and 5.2.23.0003 (and earlier), accepting clients using PAP authentication, aggressive mode (AM), or hybrid IKE Extended Authentication (XAUTH) mode, and validating against a RADIUS server, are affected by this vulnerability.
The VPN 5000 series concentrator supports three (3) RADIUS communication types. The [ RADIUS ] section keyword ChallengeType can be set to either CHAP, PAP, or Challenge. Challenge is a proprietary type of PAP used for Axent Defender authentication.
When PAP or Challenge is configured, the remote device sends an authentication request to the VPN 5000 series concentrator containing its name and password. The VPN 5000 series concentrator uses either its internal database or a RADIUS server to validate the request and returns an authentication success or failure packet.
In the event that a RADIUS server is being used, the Access-Request is sent to the RADIUS server with the user password hidden as specified by the RADIUS RFC (RFC 2865): the password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so it cannot be read by anyone who does not know the shared secret. If the Access-Accept packet is not returned within the configured timeout, because of network or configuration problems, the concentrator sends out a retry packet, but in this retry packet the user password is sent as clear text.
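The exchange described above, as an added example that is not part of Cisco's advisory or the concentrator's software: it hides a PAP password the way RFC 2865 section 5.2 requires, builds the Access-Request the concentrator sends first and a constructed retry that carries the password as-is, and shows a check that a RADIUS administrator who knows the shared secret can run over captured requests to tell the two apart. The shared secret, Request Authenticator, user name and password are constructed values, not from any real deployment.

```python
# Added example (not Cisco's code): RFC 2865 User-Password hiding versus the
# cleartext retry. All secrets, authenticators and credentials are constructed.
import hashlib
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

# Constructed sample values (not from any real capture or configuration).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))   # the 16-octet Request Authenticator
USERNAME, PASSWORD = b"alice", b"Tr0ub4dor"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16, then XOR block i
    with MD5(secret + c[i-1]), where c[0] is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password(); what the RADIUS server does on receipt."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, password_field: bytes) -> bytes:
    """Serialize an Access-Request; password_field goes on the wire as given."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, password_field)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(pkt[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, pkt[4:20], attrs


def _printable(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def classify_user_password(pkt: bytes, secret: bytes) -> str:
    """Return "hidden" if unhiding with the shared secret yields a printable
    password, "cleartext" if the attribute breaks the RFC length rule (a
    non-zero multiple of 16) or is printable while its unhidden form is not."""
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return "absent"
    field = attrs[ATTR_USER_PASSWORD][0]
    if len(field) == 0 or len(field) % 16:
        return "cleartext"
    if _printable(unhide_password(field, secret, authenticator)):
        return "hidden"
    return "cleartext" if _printable(field) else "unknown"


def sample_requests() -> dict:
    """The initial request (hidden) and the defective retry (password as-is)."""
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    return {"first": build_access_request(1, AUTHENTICATOR, USERNAME, hidden),
            "retry": build_access_request(1, AUTHENTICATOR, USERNAME, PASSWORD)}


if __name__ == "__main__":
    for name, pkt in sample_requests().items():
        print(name, classify_user_password(pkt, SECRET))
```

The length rule makes the check deterministic for any cleartext password whose length is not a multiple of 16; for the remaining lengths the printable-ASCII heuristic is used, which misfires only when the hidden form happens to be all printable bytes. Note that even the correct form is an MD5 keystream XOR keyed by the shared secret, not strong encryption, so a weak or guessable RADIUS secret exposes PAP passwords regardless of this defect.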
This vulnerability is documented as Cisco bug ID CSCdx82483, which requires a CCO account to view and can be viewed after 2002 August 8 at 1500 UTC.
One workaround is to only use CHAP for authentication by setting ChallengeType = CHAP in the [ RADIUS ] section.
If you must use PAP for authentication, set the PrimRetries keyword to a value of 1 in the [ RADIUS ] section of the configuration. This disables retry attempts to the primary server, so a request that goes unanswered simply fails instead of being resent with the password in clear text. Also, if a second (backup) RADIUS server is defined with SecAddress, it must be removed, because the first attempt to a secondary RADIUS server also carries the password in the clear.
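A check for the workaround above, as an added example that is not Cisco's tooling: it parses the keyword-and-value layout of a [ RADIUS ] section and reports the settings that still leave a PAP or Challenge password exposed, with the weak configuration beside the PAP workaround and the CHAP alternative. ChallengeType, PrimRetries and SecAddress are the keywords the advisory names; PrimAddress and all addresses and values are assumed for illustration.

```python
# Added example (not Cisco's tooling): audit a VPN 5000 [ RADIUS ] section for
# the settings the workaround calls for. ChallengeType, PrimRetries and
# SecAddress are the keywords named in the advisory; PrimAddress and all
# addresses and values are assumed for illustration.
import re

SECTION_RE = re.compile(r"^\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(?P<key>[A-Za-z]\w*)\s*=\s*(?P<val>.*?)\s*$")


def parse_config(text: str) -> dict:
    """Parse 'Keyword = Value' lines under '[ Section ]' headers into nested dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").upper()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = m.group("val")
    return sections


def audit_radius(config: dict) -> list:
    """List the settings that leave a PAP/Challenge password exposed on retry."""
    radius = config.get("RADIUS", {})
    if radius.get("challengetype", "").upper() not in ("PAP", "CHALLENGE"):
        return []   # CHAP, or no RADIUS section at all, is not affected
    findings = []
    # An absent PrimRetries is treated as not-1: the safe value must be explicit.
    if radius.get("primretries", "").strip() != "1":
        findings.append("PrimRetries is not 1: a retry to the primary "
                        "server carries the password in clear text")
    if radius.get("secaddress", "").strip():
        findings.append("SecAddress is set: the first request to the secondary "
                        "server carries the password in clear text")
    return findings


# Constructed configurations: the exposed one, the PAP workaround, and CHAP.
WEAK = """\
[ RADIUS ]
ChallengeType = PAP
PrimAddress = 192.0.2.10
PrimRetries = 3
SecAddress = 192.0.2.11
"""
PAP_WORKAROUND = """\
[ RADIUS ]
ChallengeType = PAP
PrimAddress = 192.0.2.10
PrimRetries = 1
"""
CHAP = """\
[ RADIUS ]
ChallengeType = CHAP
PrimAddress = 192.0.2.10
PrimRetries = 3
SecAddress = 192.0.2.11
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("pap-workaround", PAP_WORKAROUND), ("chap", CHAP)):
        print(name, audit_radius(parse_config(text)) or ["ok"])
```

The audit deliberately treats a missing PrimRetries as a finding: the workaround only holds if the single-attempt setting is explicit, and a default value is not something the advisory states.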
For a complete fix, upgrade to a fixed software release.
This vulnerability has been fixed in software release 6.0.21.0003 (and later) and 5.2.23.0004 (and later).
The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/aggr/vpn5000/5000sw/conce60x/5000cfg/swinst.htm.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to PSIRT by a customer.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2002-August-07 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.