CVE-2002-1623 Information
Description
The design of the Internet Key Exchange (IKE) protocol when using Aggressive Mode for shared secret authentication does not encrypt initiator or responder identities during negotiation which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing as originally reported for FireWall-1 SecuRemote.
Reference
http://lists.grok.org.uk/pipermail/full-disclosure/2002-September/001223.html http://marc.info/?l=bugtraq&m=103124812629621&w=2 http://marc.info/?l=bugtraq&m=103176164729351&w=2 http://www.checkpoint.com/techsupport/alerts/ike.html http://www.kb.cert.org/vuls/id/886601 http://www.nta-monitor.com/news/checkpoint.htm http://www.securiteam.com/securitynews/5TP040U8AW.html http://www.securityfocus.com/archive/1/290202 http://www.securityfocus.com/bid/5607 https://exchange.xforce.ibmcloud.com/vulnerabilities/10034
Share on: