5 June 1998
Date: Thu, 4 Jun 1998 12:31:05 -0700 (PDT) From: CIAC Mail User <ciac@tholia.llnl.gov> To: ciac-bulletin@tholia.llnl.gov Subject: CIAC Bulletin I-056: Cisco PIX Private Link Key Vulnerability [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco PIX Private Link Key Processing and Cryptography Vulnerability June 4, 1998 14:00 GMT Number I-056 ______________________________________________________________________________ PROBLEM: Cisco has identified a vulnerability in the PIX Private Link that can be installed in Cisco PIX firewalls. An error in parsing of configuration file commands reduces the effective key length. PLATFORM: All PIX Private Link software through version 4.1.6. DAMAGE: Detailed knowledge of the key-parsing error will increase the attackers ability to crack the encryption by a factor of 256. SOLUTION: Upgrade to version 4.2.1, scheduled for release in late June 1998. There is no workaround available. ______________________________________________________________________________ VULNERABILITY Cisco has had no reports of malicious exploitation of this ASSESSMENT: vulnerability. Cisco knows of no public announcement of this vulnerability before the date of this notice. ______________________________________________________________________________ [ Start Cisco Advisory ] Field Notice: PIX Private Link Key Processing and Cryptography Issues ======================================================= June 3, 1998 Summary ======= PIX Private Link is an optional feature that can be installed in Cisco PIX firewalls. PIX Private Link creates IP virtual private networks over untrusted networks, such as the Internet, using tunnels encrypted with Data Encryption Standard (DES) in ECB ("electronic codebook") mode. An error in parsing of configuration file commands reduces the effective key length for the PIX Private Link DES encryption to 48 bits from the nominal 56 bits. Who Is Affected =============== All users of the PIX Private Link encryption product with PIX software versions earlier than the date of this notice are affected. This includes all PIX Private Link software through version 4.1.6. Impact ====== If attackers know the details of the key-parsing error in the PIX Private Link software, they will know 8 bits of the key ahead of time. This reduces the effective key length from the attacker's point of view from 56 to 48 bits. This reduction of the effective key length reduces the work involved in a brute-force attack on the encryption by a factor of 256. That is, knowledgeable attackers can, on the average, find the right key 256 times faster than they would be able to find it with a true 56-bit key. In addition to this key-length issue, some customers have expressed concern over the use of DES ECB mode for PIX Private Link encryption. Although the use of ECB mode is intentional, ECB is not generally considered to be the best mode in which to employ DES, because it tends to simplify certain forms of cryptanalysis and may permit certain replay attacks. Technical details of the relative merits of various encryption modes are beyond the scope of this document. Interested readers should refer to a cryptography text for more information, such as Bruce Schneier's Applied Cryptography. Details ======= This vulnerability has been assigned Cisco bug ID CSCdk11848. Affected Software Versions - ------------------------- This vulnerability affects all released versions of PIX Private Link software with version numbers up to and including 4.1.6, and all beta/interim software released earlier than the date of this notice. Planned Software Fixes - --------------------- The first regular release containing a fix for this problem will be version 4.2.1, which is tentatively scheduled for release in late June 1998. This schedule is subject to change. Fixes for the 4.1 software release have not yet been scheduled. This fix extends the effective DES key length to a full 56 bits; ECB mode is still used. Customers who need to upgrade immediately may contact Cisco's Technical Assistance Center (TAC) to obtain interim software. Interim software has not been subjected to full testing; it has a greater chance of containing serious bugs than would regular released software. Interim releases are available only by special request from the Cisco TAC, not via the regular download channels. Cisco advises customers to install interim releases only if absolutely necessary. Customers who choose to install interim releases should plan to upgrade to the regular released software when it becomes available. When the fix is installed, it will be necessary to upgrade both ends of each Private Link tunnel at the same time. This is because key the modified key parsing algorithm will lead old and new versions to derive different encryption keys from the same configuration file. Software upgrades to correct this key-length problem will be offered free of charge to all PIX Private Link customers, regardless of their service contract status. Customers under contract may obtain upgrades through their usual procedures. Customers not under contract should call the Cisco TAC. Contact information for the TAC is in the "Cisco Security Procedures" section at the end of this message, and is available on Cisco's Worldwide Web site at http://www.cisco.com/. The use of ECB mode was a deliberate design decision for the PIX Private Link product, and will not be changed. However, future IPSEC/IKE products for the PIX platforms will use other encryption modes. Workarounds - ---------- There is no configuration workaround. Exploitation and Public Announcements ===================================== Cisco has had no reports of malicious exploitation of this vulnerability. Cisco knows of no public announcements of this vulnerability before the date of this notice. This vulnerability was discovered by an engineering analysis conducted by a Cisco customer at a security incident response organization. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - ----------- This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/pixkey-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients: * cust-security-announce@cisco.com * firewalls@lists.gnac.net * comp.security.firewalls * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History - --------------- Revision 1.0, Initial released version 08:00 AM US/Pacific, 03-JUN-1998 Cisco Security Procedures ========================= Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for "security-alert@cisco.com" are on the public PGP keyservers. The alias "security-alert@cisco.com" is used only for reports incoming to Cisco. Mail sent to the list goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to "security-alert@cisco.com". Please do not use "security-alert@cisco.com" for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will refer them to the TAC, delaying response to your questions. We advise contacting the TAC directly with these requests. TAC contact numbers are as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com All formal public security notices generated by Cisco are sent to the public mailing list "cust-security-announce@cisco.com". For information on subscribing to this mailing list, send a message containing the single line "info cust-security-announce" to "majordomo@cisco.com". An analogous list, "cust-security-discuss@cisco.com" is available for public discussion of the notices and of other Cisco security issues. This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the notice, provided that redistributed copies are complete and unmodified, including all date and version information. [ End Cisco Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) I-045: SGI IRIX LicenseManager(1M) Vulnerabilities I-046: Open Group xterm and Xaw Library Vulnerabilities I-047: HP-UX OpenMail Vulnerability I-048: SunOS mountd Vulnerability I-049: SunOS ufsrestore Vulnerability I-050: Digital UNIX softlinks - advfs Vulnerability I-051: FreeBSD T/TCP Vulnerability I-052: 3Com(r) CoreBuilder and SuperStack II LAN Vulnerabilities I-053: ISC DHCP Distribution Vulnerability I-054: Cisco Web Cache Control Protocol Router Vulnerability I-055: SGI IRIX Vulnerabilities (NetWare Client, diskperf/diskalign -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNXbNdbnzJzdsy3QZAQH1jAP/UuQ6E20eSoHAG6y27bWkzFBATNMBe7HE ejjKDHJok1a74KbGOheRK3AaCTLfc5ghRIGE0Bh0HsyxLRGwONlOUq5YebbByM0O 0bDvdRp1fnQtD9k95lJYg0GZ9Jy2cdANaXFv3ORFrVzaeldl6RkL8Yf7am+ojbad mjh6LOiIez8= =NMMg -----END PGP SIGNATURE-----