System Fails PCI because of Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
My system keeps failing my PCI vendor scans because of the below. I have been looking for how to fix this but can't find a solution.
Synopsis
The remote IKEv1 service supports Aggressive Mode with Pre-Shared key.
Description
The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared key (PSK) authentication. Such a configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.
See also
Weak authentication in Xauth and IKE: http://www.vpnc.org/ietf-ipsec/99.ipsec/msg01451.html
IKE Aggressive Mode Shared Secret Hash Leakage Weakness: http://www.securityfocus.com/bid/7423
Solution
- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if it's possible.
- If using Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP addresses.
Note that this plugin does not run over IPv6.
Risk factor
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.5
(CVSS2#E:F/RL:W/RC:C)
Public Exploit Available : true
CVE
CVE-2002-1623
BID
7423
Other reference
CERT:886601, OSVDB:3820
Hello :) No aspect of cPanel should be seen as a VPN. What port number are they referencing for this failure? It's likely a false positive if it's a cPanel port. Thank you.
Yeah, I'd lean toward false positive on first glance too. The CVE from 2002 is a dead giveaway that something is funky.