Vendor of Product: TRENDnet

Affected Product and Version: TEW-WLC100P v2.03b03

Description: In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of the exchange_mode property is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.

Detail:

In the TEW-WLC100P firmware, the partial content of /etc/racoon.conf is as follows.

remote ::1 [8000]
{
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;
	my_identifier user_fqdn "sakane@kame.net";
	peers_identifier user_fqdn "sakane@kame.net";
	nonce_size 16;
	lifetime time 1 min;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

The official documentation of racoon (https://manpages.ubuntu.com/manpages/trusty/man5/racoon.conf.5.html) states the following.

SECURITY CONSIDERATIONS
     The use of IKE phase 1 aggressive mode is not recommended, as described in
     <http://www.kb.cert.org/vuls/id/886601>.

Clearly, there is a misconfiguration vulnerability here. racoon uses the first listed exchange mode when it initiates Phase 1 and accepts any listed mode as a responder, so with this setting the device initiates in aggressive mode. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.
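As an added example (not part of this advisory or of the TRENDnet firmware), a small Python check that flags racoon remote blocks whose exchange_mode list starts with aggressive, run against a constructed sample of the snippet above and an assumed main-mode-only fix:

```python
"""Flag racoon.conf 'remote' blocks that list aggressive mode first.

Added example, not the advisory's or the vendor's code. WEAK_CONF is
constructed from the advisory's snippet; FIXED_CONF is an assumed fix.
"""
import re

# Constructed sample: the weak setting reported in the advisory.
WEAK_CONF = """
remote ::1 [8000]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    proposal {
        authentication_method pre_shared_key;
    }
}
"""

# Constructed sample: same block with main mode only (assumed fix).
FIXED_CONF = WEAK_CONF.replace("exchange_mode aggressive,main;",
                               "exchange_mode main;")

_REMOTE_RE = re.compile(r"remote\s+(\S+(?:\s+\[\d+\])?)\s*\{")
_MODE_RE = re.compile(r"^\s*exchange_mode\s+([^;]+);", re.M)


def find_aggressive_first(conf: str) -> list:
    """Return (peer, modes) for each remote block whose first
    exchange_mode entry is 'aggressive'. racoon initiates with the
    first listed mode, so that entry is the one that matters."""
    findings = []
    for m in _REMOTE_RE.finditer(conf):
        # Walk to the brace that closes this remote block (nested
        # proposal blocks are skipped by tracking depth).
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i]
        for mode in _MODE_RE.finditer(body):
            modes = [s.strip() for s in mode.group(1).split(",")]
            if modes and modes[0] == "aggressive":
                findings.append((m.group(1), ",".join(modes)))
    return findings


if __name__ == "__main__":
    for peer, modes in find_aggressive_first(WEAK_CONF):
        print(f"remote {peer}: exchange_mode {modes} (aggressive first)")
```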