BorderManager 3.8 generates predictable ISAKMP cookies

  • 3003139
  • 10-Nov-2006
  • 26-Apr-2012

Environment

BorderManager 3.8 Support Pack 4 applied
Bm38sp4_ir5.exe applied
VPN server configured
VPN client to site enabled
bm3xvpn12.exe applied
Netware 6.5 SP5 applied

Situation

A VPN test tool, ike-scan, is available at http://www.nta-monitor.com/tools/ike-scan/. One of the series of tests performed using this tool is used to uncover IKE cookie issues. During one such VPN test it was discovered that the ISAKMP cookies generated by Novell BorderManager are predictable. For a given source IP address and port, the responder cookie that BorderManager generates is the same from one request to the next. The cookie remains the same for approximately one day.

It is important that ISAKMP cookie values are both unique and non-predictable. The BorderManager implementation fails to meet both of these requirements. The fact that the cookies are predictable means that the IPsec implementation is likely to be vulnerable to a number of issues, including DoS attacks and replay attacks.

Resolution

Apply bmvpnsec1.exe, which includes the latest IKE.NLM. It is important that ISAKMP cookie values are both unique and non-predictable. The BorderManager IKE implementation now meets both of these requirements. This fix will be included in BorderManager 3.8 SP5.

Status

Security Alert

Additional Information

Below is an example using BorderManager 3.8 on NetWare 6.5. Here we run "ike-scan" twice using an acceptable transform. We see that the responder cookie (CKY-R) in the ISAKMP header is the same for both responses:

$ ike-scan --trans=5,2,3,2 -M 172.16.3.27
Starting ike-scan 1.8.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.27    Main Mode Handshake returned
        HDR=(CKY-R=56a0aa5e1b5edb64)
        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)

Ending ike-scan 1.8.4: 1 hosts scanned in 0.215 seconds (4.66 hosts/sec). 1 returned handshake; 0 returned notify

$ ike-scan --trans=5,2,3,2 -M 172.16.3.27
Starting ike-scan 1.8.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.27    Main Mode Handshake returned
        HDR=(CKY-R=56a0aa5e1b5edb64)
        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)

Ending ike-scan 1.8.4: 1 hosts scanned in 0.054 seconds (18.37 hosts/sec). 1 returned handshake; 0 returned notify


Below is another example. Here we used the ike-scan tool to send a total of 10,000 Main Mode IKE packets at a rate of one per minute. The response packets from the BorderManager server are listed with the time at which each was received.


The command line used to reproduce the problem was:

perl -e 'print "172.16.3.27\n" x 10000' | ike-scan --timestamp -r 1 -f - -i 60s --trans=5,2,3,2


A list of the different responder cookies, and the times at which they were received, is given below. In this list, the first column shows the time when the packet was received and the second column shows the responder cookie. Ellipses (...) show where multiple lines with identical cookies have been removed for brevity. Each ellipsis represents about 1400 omitted lines.


13:25:06.563218 fcb5babf3454e319
13:26:06.488920 fcb5babf3454e319
...
12:55:06.532470 fcb5babf3454e319
12:56:06.466293 fcb5babf3454e319
12:57:06.445624 70922d04c056bc12
12:58:06.454968 70922d04c056bc12
...
12:39:06.435416 70922d04c056bc12
12:40:06.488223 70922d04c056bc12
12:41:06.568345 534129c8eda39e27
12:42:06.582008 534129c8eda39e27
...
12:23:06.596316 534129c8eda39e27
12:24:06.653245 534129c8eda39e27
12:25:06.580139 2d7c639c57d6d896
12:26:06.421715 2d7c639c57d6d896
...
12:07:06.504430 2d7c639c57d6d896
12:08:06.395834 2d7c639c57d6d896
12:09:06.400113 38338fd7855747ab
12:10:06.524477 38338fd7855747ab
...
11:51:06.419117 38338fd7855747ab
11:52:06.556816 38338fd7855747ab
11:53:06.722715 3f430f2c715908c3
11:54:06.627612 3f430f2c715908c3
...
11:35:06.606475 3f430f2c715908c3
11:36:06.593664 3f430f2c715908c3
11:37:06.528123 4ab09245899ac58e
11:38:06.449059 4ab09245899ac58e
...
11:19:06.576838 4ab09245899ac58e
11:20:06.485380 4ab09245899ac58e
11:21:06.438597 e42cdef7cb8850bb
11:22:06.486008 e42cdef7cb8850bb
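The check described in this section, reduced to a script that reads saved ike-scan output and flags responder cookies returned more than once, is given below as an added example. It is not part of this TID or of the ike-scan tool; it assumes the two output shapes shown above (an "HDR=(CKY-R=...)" line from a -M run, and a "HH:MM:SS.ffffff <cookie>" line from a --timestamp run), and the sample text embedded in it is constructed for the example.

```python
"""Flag repeated ISAKMP responder cookies in saved ike-scan output.

A correctly behaving IKE responder issues a fresh, unpredictable cookie for
every new exchange, so the same CKY-R appearing twice across probes from one
source address/port is the symptom this TID describes.
"""
import re
from collections import Counter

# Constructed sample mixing both ike-scan output shapes; the last cookie is
# made up so that one response has a unique cookie.
SAMPLE = """\
HDR=(CKY-R=56a0aa5e1b5edb64)
HDR=(CKY-R=56a0aa5e1b5edb64)
13:25:06.563218 fcb5babf3454e319
13:26:06.488920 fcb5babf3454e319
13:27:06.445624 70922d04c056bc12
13:28:06.454968 9d1f7c2ab3e45601
"""

# Matches either "CKY-R=<16 hex>" or a line starting with a --timestamp
# time followed by the 16-hex-digit cookie; the cookie is the only group.
COOKIE_RE = re.compile(
    r"(?:CKY-R=|^\d{2}:\d{2}:\d{2}\.\d{6}\s+)([0-9a-f]{16})", re.MULTILINE
)


def responder_cookies(text):
    """Return responder cookies in order of appearance."""
    return COOKIE_RE.findall(text)


def reused_cookies(text):
    """Map each cookie returned more than once to its response count."""
    counts = Counter(responder_cookies(text))
    return {cookie: n for cookie, n in counts.items() if n > 1}


def longest_run(text):
    """Length of the longest run of consecutive identical cookies.

    A responder that follows the spec gives 1 here; the roughly 1400-line
    runs in the list above correspond to one cookie per ~24 hours of probes.
    """
    best = run = 0
    prev = None
    for cookie in responder_cookies(text):
        run = run + 1 if cookie == prev else 1
        best = max(best, run)
        prev = cookie
    return best


if __name__ == "__main__":
    for cookie, n in sorted(reused_cookies(SAMPLE).items()):
        print(f"responder cookie {cookie} returned {n} times")
```

Feed it real output with `ike-scan --timestamp ... > out.txt` and call reused_cookies(open("out.txt").read()); an empty result after applying bmvpnsec1.exe confirms the fix.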