SonicWall IKE pre-shared key length bug and security concern (fwd)

Tina Bird tbird at PRECISION-GUESSWORK.COM
Wed Mar 28 13:48:34 EST 2001


---------- Forwarded message ----------
Date: Tue, 27 Mar 2001 20:34:20 -0000
From: Steven Griffin <sgriffin at BAYSTARCAPITAL.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: SonicWall IKE pre-shared key length bug and security concern

I have recently found a bug in the latest firmware
(6.0.0.0) of SonicWall's Tele2 and SOHO firewalls.

Product details:
http://www.sonicwall.com/products/tele/details.html
http://www.sonicwall.com/products/soho/details.html

Bug discovery:
I was recently configuring the Tele2 and SOHO
versions of these firewalls in a gateway to gateway
VPN using IPSec with IKE pre-shared keys. The
home office gateway was a Cisco PIX 520 running
the PIX OS 5.2(4).  The Tele2 and SOHO firewalls
were recently upgraded to the 6.0.0.0 firmware.
The IPSec configuration was ESP-3DES ESP-MD5-
HMAC. During my configuration setup I noticed that I
could not configure an IKE pre-shared key longer
than 48 bytes.  Doing so caused the 2nd phase
IKE negotiation to fail on the PIX.

I contacted the vendor (SonicWall) and reported the
problem.  They have replicated the problem and
confirmed that it is indeed a bug in their firmware.
I asked them for permission to inform BugTraq and
they responded that it was indeed alright to post this
here provided that I inform you that I found the bug
and that to say that they will provide a fix for this
problem as soon as possible.

Security concern:
Obviously the limitation of using only a 48 byte key
as opposed to using a full 128 byte key degrades the
overall security of the firewall.

Workarounds:
Do not use pre-shared keys. Use certificates, your
own or from a third party CA, instead.

If you must use pre-shared keys:
  Use only static gateway addresses if possible.
  Use a different key for each gateway.
  Turn on Perfect Forward Secrecy.
  Set your key expiration time to a shorter interval.

Configuration information for duplication:
note: IP Addresses have been removed.

PIX 520 with OS 5.2(4) relevant config:
access-list 119 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list nonat permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

sysopt connection permit-ipsec
sysopt ipsec pl-compatible

crypto ipsec transform-set SonicFirewall esp-3des esp-md5-hmac
crypto map Sonic-map 19 ipsec-isakmp
crypto map Sonic-map 19 match address 119
crypto map Sonic-map 19 set peer xxx.xxx.xxx.xxx
crypto map Sonic-map 19 set transform-set SonicFirewall
crypto map Sonic-map interface outside

isakmp enable outside
isakmp key <48-byte key here> address xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
isakmp identity address
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash md5
isakmp policy 19 group 1
isakmp policy 19 lifetime 28800

SonicWall with firmware 6.0.0.0
Note: the SonicWall config is web based, so I will post
field names, datatypes in square brackets "[ ]", and
field values after a colon ":".  IP addresses have also
been removed.

Summary Tab:
Enable VPN [checkbox]: Checked
Disable all VPN Windows Networking (NetBIOS) broadcast [checkbox]: UnChecked
Enable Fragmented Packet Handling [checkbox]: Checked

Configuration Tab:
Security Association [drop-down listbox]: SonicToPIX
IPSec Keying Mode [drop-down listbox]: IKE using pre-shared secret
Name [textbox]: SonicToPix
Disable This SA [checkbox]: UnChecked
IPSec Gateway Address [textbox]: xxx.xxx.xxx.xxx
Require XAUTH/RADIUS (only allows VPN clients) [checkbox]: UnChecked
Enable Windows Networking (NetBIOS) broadcast [checkbox]: Checked
Enable Perfect Forward Secrecy [checkbox]: UnChecked
SA Life time (secs) [textbox]: 28800
Encryption Method [drop-down listbox]: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret [textbox]: <48-byte key here>
Destination Networks: [sub window]:
	IP Address [textbox]:xxx.xxx.xxx.xxx
	SubnetMask [textbox]:xxx.xxx.xxx.xxx



Disclaimer and closing:
I must say that I am not a security expert and I do not
claim to be one.  My opinions are my own.  Use my
opinions and the information in this posting at your
own risk.  My intention for posting this information is
to inform the BugTraq community about a possible
security concern.

Steven Griffin
sgriffin at baystarcapital.com
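The workarounds above (static gateway addresses, a distinct key per gateway, PFS on, a shorter lifetime) and the 48-byte SonicWall limit can be checked mechanically against a PIX-style configuration before a tunnel is brought up. The following linter is an added example written for this archive entry; it is not code from the poster, SonicWall, or Cisco. It recognises only the command forms that appear in the posted PIX config (plus `set pfs`), the 192.0.2.x addresses and the `S`-repeated key in the sample are constructed placeholders, and the 28800-second lifetime threshold is an assumption taken from the posted configuration rather than a vendor recommendation.

```python
"""Lint a Cisco PIX-style IKE/IPsec config against the workarounds in the post.

Added example for this archive entry, not SonicWall's or Cisco's code.  Only the
command forms seen in the posted config (and 'set pfs') are parsed.
"""
import re
from collections import defaultdict

# SonicWall firmware 6.0.0.0 cannot take a pre-shared key longer than this (from the post).
SONICWALL_PSK_MAX_BYTES = 48

KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+) netmask (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs\b")
LIFETIME_RE = re.compile(r"^isakmp policy (\d+) lifetime (\d+)$")


def lint_pix_vpn_config(config, max_psk_bytes=SONICWALL_PSK_MAX_BYTES, max_lifetime=28800):
    """Return a list of (check, detail) findings; an empty list means no workaround is violated."""
    findings = []
    key_users = defaultdict(list)  # key -> peer addresses that use it
    peers = {}                     # (map name, sequence) -> peer address
    pfs_entries = set()            # (map name, sequence) with 'set pfs'

    for raw in config.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, addr, mask = m.groups()
            key_users[key].append(addr)
            # The SonicWall side rejects keys over the limit, so phase 2 would fail.
            if len(key.encode()) > max_psk_bytes:
                findings.append(("psk-too-long", f"{addr}: {len(key.encode())} bytes > {max_psk_bytes}"))
            # A 0.0.0.0 key/netmask accepts any peer, i.e. not a static gateway.
            if addr == "0.0.0.0" or mask == "0.0.0.0":
                findings.append(("wildcard-peer", f"key for {addr}/{mask} is not bound to a static gateway"))
            continue
        m = PEER_RE.match(line)
        if m:
            peers[(m[1], m[2])] = m[3]
            continue
        m = PFS_RE.match(line)
        if m:
            pfs_entries.add((m[1], m[2]))
            continue
        m = LIFETIME_RE.match(line)
        if m and int(m[2]) > max_lifetime:
            findings.append(("lifetime-too-long", f"policy {m[1]}: {m[2]}s > {max_lifetime}s"))

    # One key per gateway: the same secret bound to several peers is flagged.
    for key, addrs in key_users.items():
        if len(addrs) > 1:
            findings.append(("shared-psk", "same key used for peers " + ", ".join(addrs)))
    # Every crypto map entry with a peer should have PFS enabled.
    for (name, seq), peer in peers.items():
        if (name, seq) not in pfs_entries:
            findings.append(("no-pfs", f"crypto map {name} {seq} (peer {peer}) has no 'set pfs'"))
    return findings


# Constructed sample, modelled on the posted PIX config; 192.0.2.x are placeholder addresses.
LONG_PSK = "S" * 60   # constructed 60-byte key, deliberately over the 48-byte limit
SAMPLE_PIX_CONFIG = f"""
crypto map Sonic-map 19 ipsec-isakmp
crypto map Sonic-map 19 match address 119
crypto map Sonic-map 19 set peer 192.0.2.10
crypto map Sonic-map 19 set transform-set SonicFirewall
crypto map Sonic-map 20 ipsec-isakmp
crypto map Sonic-map 20 set peer 192.0.2.20
crypto map Sonic-map 20 set transform-set SonicFirewall
crypto map Sonic-map 20 set pfs group2
crypto map Sonic-map interface outside
isakmp enable outside
isakmp key {LONG_PSK} address 192.0.2.10 netmask 255.255.255.255
isakmp key {LONG_PSK} address 192.0.2.20 netmask 255.255.255.255
isakmp key wildcard-secret address 0.0.0.0 netmask 0.0.0.0
isakmp policy 19 authentication pre-share
isakmp policy 19 lifetime 86400
"""

# Constructed config that follows every workaround: one 40-byte key, static peer, PFS, 8h lifetime.
CLEAN_PIX_CONFIG = """
crypto map Sonic-map 19 set peer 192.0.2.10
crypto map Sonic-map 19 set pfs group2
isakmp key """ + "K" * 40 + """ address 192.0.2.10 netmask 255.255.255.255
isakmp policy 19 lifetime 28800
"""

if __name__ == "__main__":
    for check, detail in lint_pix_vpn_config(SAMPLE_PIX_CONFIG):
        print(f"{check:18} {detail}")
    print("clean config findings:", lint_pix_vpn_config(CLEAN_PIX_CONFIG))
```

Run as a script it lists each violated workaround for the sample (two over-length keys, one wildcard peer, a shared key, a map entry without PFS, and an over-long lifetime) and an empty list for the clean config. Once SonicWall ships a fix, raising `max_psk_bytes` to the new limit keeps the remaining checks useful.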

VPN is sponsored by SecurityFocus.COM