Vendor of Product: TRENDnet
Affected Product and Version: TEW-WLC100P v2.03b03
Description:
In the racoon configuration file of the TRENDnet TEW-WLC100P 2.03b03, the first item of the exchange_mode property is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.
Detail:
In the TEW-WLC100P firmware, the partial content of /etc/racoon.conf is as follows.
    remote ::1 [8000]
    {
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;
            my_identifier user_fqdn "sakane@kame.net";
            peers_identifier user_fqdn "sakane@kame.net";
            nonce_size 16;
            lifetime time 1 min;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }
The official racoon documentation (https://manpages.ubuntu.com/manpages/trusty/man5/racoon.conf.5.html) contains the following security consideration.
SECURITY CONSIDERATIONS
The use of IKE phase 1 aggressive mode is not recommended, as described in
<http://www.kb.cert.org/vuls/id/886601>.
This is therefore a misconfiguration vulnerability: with aggressive listed first, IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.
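As an added check that is not part of the advisory or of racoon itself, the following script parses remote blocks out of a racoon.conf fragment and reports whether exchange_mode lists aggressive first (the mode racoon uses as initiator) or at all (a mode it accepts as responder). The sample input is constructed: the first block is the one quoted above, the second is a hypothetical main-mode-only variant, and the peer 192.0.2.10 is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample: the remote block quoted in the advisory, then a hypothetical
# hardened block (not from the firmware) that offers main mode only.
SAMPLE_CONF = """
remote ::1 [8000]
{
        exchange_mode aggressive,main;
        proposal {
                authentication_method pre_shared_key;
        }
}
remote 192.0.2.10
{
        exchange_mode main;
}
"""

@dataclass
class Finding:
    peer: str
    modes: list
    initiates_aggressive: bool  # first entry is what racoon uses as initiator
    accepts_aggressive: bool    # any listed entry is accepted as responder

def remote_blocks(conf):
    """Yield (peer, body) per 'remote <peer> { ... }', brace-matched so nested blocks stay inside."""
    pos = 0
    while True:
        m = re.search(r'^\s*remote\s+([^{\n]+?)\s*\{', conf[pos:], re.M)
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[start:i - 1]
        pos = i

def audit_exchange_mode(conf):
    """Report each remote block's exchange_mode list and whether aggressive appears."""
    findings = []
    for peer, body in remote_blocks(conf):
        m = re.search(r'^\s*exchange_mode\s+([^;]+);', body, re.M)
        modes = [x.strip() for x in m.group(1).split(',')] if m else []
        findings.append(Finding(peer, modes, bool(modes) and modes[0] == 'aggressive',
                                'aggressive' in modes))
    return findings
```

Run it over a device's real /etc/racoon.conf; any block with accepts_aggressive set still lets a peer negotiate aggressive mode, so the fix is to list main only, not merely to reorder the entries.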