On 4/30/15, Melchior Limacher <[email protected]> wrote: > Hello > > > I was reading about "ike aggressive mode with pre shared key" > (CVE-2002-1623). > > As described by cisco > (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html), > this is still an issue > "When responding to IPSec session initialization, Cisco IOS(r) software > may use Aggressive Mode even if it has not been explicitly configured > to do so. Cisco IOS software initially tries to negotiate using Main > Mode but, failing that, resorts to Aggressive Mode." > > Are there known downgrade attacks? Counter-Measures?
crypto isakmp aggressive-mode disable should be the counter-measure. http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp7822516900 To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode. Regards, Lee _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
