cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1164
Views
0
Helpful
0
Replies

Group Name Enumeration

vleisie47283
Level 1
Level 1

I've recently reviewed a Cisco VPN implementation and came across three issues that I'm not sure how to fix.

 

Some background information:

The VPN has two tunnel groups configured, one for trusted devices and one for non-company owned devices. Trusted devices are identified through a client-certificate.

 

Issue 1. When browsing to the VPN SSL gateway from a non-company device, it correctly provides only the non-trusted group in the drop-down list. However, when viewing the HTML response, the <div><select id="group_list" section leaks the tunnel-group name for the trusted group as well.
Issue 2. The AnyConnect client can be proxied, and if the tunnel-group parameter is changed to the trusted group name, the VPN connection is established using the trusted group profile (from an untrusted device).
Issue 3. The isakmp service on UDP port 500 appears to allow group name enumeration. When running the following command: ike-scan -M -A --id=<valid group name> <gateway url>, no handshake is returned. However, when running it with an invalid group name, it returns a handshake. This would suggest that aggressive mode is disabled, however, it still allows for group enumeration due to the difference in response.

How could I go about fixing the enumeration issues on both isakmp as well as in the HTML response? Also, what is the best way to prevent an untrusted device from connecting to the trusted tunnel group? Is the tunnel group name considered the only "secret" that a device needs to know, or can the AnyConnect client be required to send the client certificate as well?

0 Replies 0