[VPN] Re: Cisco VPN client .pcf file security hole

Spruell, Darren-Perot Darren.Spruell at chw.edu
Tue Nov 8 16:21:07 EST 2005

From: Basim Jaber [mailto:bjaber at ipass.com]
> The password is encrypted in the PCF file.
> There are two fields:
> 	UserPassword=
> 	enc_UserPassword=
> If you embed a clear text password in the "UserPassword=" field, as soon
> as you launch the VPN Client for the first time, it will clear out that
> field, encrypt the password, and put the encrypted string in the
> "enc_UserPassword=" field. If you are saying that you can decrypt that
> encryption, then this is something that you'll need to contact Cisco
> about immediately. You should never embed a user's password in the
> clear in the PCF file without next launching the client to encrypt it.

My stance is a little more paranoid in this regard. The .pcf file is
generally trivially easy to get access to on the hard drive. Based on this,
it is unsafe practice to store the password, even in "encrypted" format, in
this file. A user that can access the hash can then take their sweet time
running an offline attack against it and discover the password.

To put it in perspective, this is similar to the UNIX password file and the
reason that the shadow file came about. Ancient UNIX systems' password file
was exposed to system users, and subsequently users were able to run attacks
and crack the passwords encrypted in the file.

Best practice (and something I know that is enforceable on the vpn3000
series) is to block the ability to locally store the password. I don't know
what capabilities the PIX has for this, but it's better to not store even the
hash of the password.
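As an added example (my own, not code from this thread or from Cisco), here is a small Python audit script for the profile format the two posts describe: it parses the INI-style .pcf file, reports whether the `UserPassword=` or `enc_UserPassword=` field named above is populated, and writes a hardened copy with both fields blanked so no password material stays on disk. The sample profile, the hostname and the hex string in `enc_UserPassword` are constructed for the demonstration, and the key/value parsing is my assumption about the file layout, not documented client behaviour. It does not attempt to decrypt anything; the point is to find and remove stored credentials.

```python
"""Audit Cisco VPN Client .pcf profiles for locally stored user passwords.

Added example, not from the mailing-list thread or from Cisco.  The thread
states that a cleartext `UserPassword=` is replaced by the client with an
`enc_UserPassword=` field on first launch, and that neither should hold a
value on disk.  This script finds populated password fields and blanks them.
"""
import re
from typing import List, Tuple

# The two fields named in the thread; lower-cased for case-insensitive matching.
PASSWORD_FIELDS = {
    "userpassword": "cleartext",
    "enc_userpassword": "encrypted",
}

# Assumed INI-style layout: "[section]" headers and "Key=Value" lines.
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_VALUE = re.compile(r"^\s*([^=;#\[\]]+?)\s*=(.*)$")

# Constructed sample profile (not a real deployment); the enc_ value is
# arbitrary hex, not output of the client.
SAMPLE_PCF = """[main]
Description=constructed sample profile
Host=vpn.example.com
GroupName=example-group
Username=alice
UserPassword=
enc_UserPassword=0123456789ABCDEF0123456789ABCDEF
"""


def parse_pcf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples in file order.

    Blank lines, comments and anything that is not Key=Value are skipped.
    """
    entries: List[Tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1).strip()
            continue
        kv = KEY_VALUE.match(line)
        if kv:
            entries.append((section, kv.group(1), kv.group(2).strip()))
    return entries


def find_stored_passwords(text: str) -> List[Tuple[str, str]]:
    """Return (key, kind) for every password field that carries a value."""
    return [
        (key, PASSWORD_FIELDS[key.lower()])
        for _, key, value in parse_pcf(text)
        if key.lower() in PASSWORD_FIELDS and value != ""
    ]


def harden_pcf(text: str) -> str:
    """Return a copy of the profile with both password fields blanked.

    Every other line is copied through unchanged so the profile stays usable;
    the client will prompt for the password instead of reading it from disk.
    """
    out = []
    for raw in text.splitlines():
        kv = KEY_VALUE.match(raw)
        if kv and kv.group(1).lower() in PASSWORD_FIELDS:
            out.append(f"{kv.group(1)}=")
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage on the constructed sample: report findings, then show the cleaned file.
    for key, kind in find_stored_passwords(SAMPLE_PCF):
        print(f"FINDING: {key} holds a {kind} password; remove it from the profile")
    print(harden_pcf(SAMPLE_PCF))
```

Run it against real profiles by reading each .pcf into `find_stored_passwords`; any non-empty result means a password (cleartext or the client's encrypted form) is sitting in a file that, as the post above notes, is trivially readable from the disk.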