The VPN products by VPNet Technologies suffer from the following vulnerabilities:
1. Source routing flaw in VSU allows unauthenticated connections to a target host on a protected VPN.
2. Sensitive information is transferred in clear text.
3. A flaw in NOS bridging code causes VSU to pass spoofed private address packets from its public interface to the private network.
Credit:
The information has been provided by Fate Research Labs.
Vulnerable systems:
- VSU-100
- VSU-2000
- VSU-5000
- VSU-7500
Versions of the VPNRemote software <= 3.0.20
Source routing flaw - Remote Attack:
By sending source-routed packets to the target VSU, it is possible to force the VSU to forward unauthorized traffic from the public interface of the VSU to any host on the protected network.
This is done without exchanging keys, and without providing a username/password or any other form of authentication. The cause is a design flaw in the VSU NOS, whose TCP/IP stack accepts and forwards source-routed packets instead of dropping them.
Source routing flaw - Local Attack:
By adding an IP alias to the NIC of the source host (an IP address belonging to the same segment as the private network behind the VSU), it is possible to bridge sessions through the VSU to a host on the private network.
This attack is possible due to a flaw in the bridging code of the VSU's NOS, which does not verify that packets arriving on the public interface carry a public source address.
1. Add an IP alias to the NIC of the SOURCE HOST, e.g. 192.168.0.5
2. Add the necessary routes:
# route add -net 192.168.0.0/16 gw 192.168.0.5
3. Check connectivity:
# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) from 192.168.0.5 : 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=0.6 ms
64 bytes from 192.168.0.3: icmp_seq=2 ttl=255 time=0.6 ms
--- 192.168.0.3 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.7 ms
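As an added example that is not part of the advisory, the following Python inspector flags the two packet classes described above when they arrive on a VSU's public interface: packets carrying a source-route option (LSRR/SSRR) and packets whose source address lies in the protected private range. The private prefix and the sample headers are constructed for the demonstration; a real deployment would feed it captured headers from the public side.

```python
import ipaddress
import struct

# IPv4 option type codes for loose and strict source routing (RFC 791).
SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}

def ipv4_options(packet: bytes):
    """Yield (type, data) for each option present in the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    i = 20                                # options start after the fixed header
    while i < ihl:
        kind = packet[i]
        if kind == 0:                     # End of Options List
            break
        if kind == 1:                     # No-Operation, single byte
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed IPv4 option")
        yield kind, packet[i + 2:i + length]
        i += length

def inspect_public_packet(packet: bytes, private_net: str) -> list[str]:
    """Return findings for a packet observed on the VSU's public interface."""
    findings = []
    src = ipaddress.ip_address(packet[12:16])
    for kind, _data in ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            findings.append(f"source-routed packet ({SOURCE_ROUTE_OPTIONS[kind]}) from {src}")
    # A private source on the public side is the spoofing case from vulnerability 3.
    if src in ipaddress.ip_network(private_net):
        findings.append(f"spoofed private source {src} on public interface")
    return findings

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (no payload); used only to build test input."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options

if __name__ == "__main__":
    # Constructed sample: LSRR option (type 131, length 7, pointer 4) with one hop.
    lsrr = bytes([131, 7, 4]) + ipaddress.ip_address("192.168.0.3").packed
    print(inspect_public_packet(build_ipv4("203.0.113.9", "192.168.0.3", lsrr), "192.168.0.0/16"))
    print(inspect_public_packet(build_ipv4("192.168.0.5", "192.168.0.3"), "192.168.0.0/16"))
```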
Response sent in clear text:
VPNet has a VPN client called VPNRemote, which uses SSL encryption to negotiate connections with the VSU. However, the VSU responds in clear text with the VSU certificate name, as well as the company address and location. This certificate name is used prior to connecting to the VSU and is required before the authentication process can start. Having this information enables attackers to start a brute force session against the VSU.
SNMP version 1.0 security problem:
The VPNet devices utilize SNMP version 1. Since its inception, clear-text transmission and numerous other problems associated with version 1 have led its developers to create version 2 and now version 3. Because of the inherent security problems of SNMP version 1, administrators are advised to disable it where possible until VPNet upgrades its NOS to support version 2 or 3.
By brute forcing the community string on the VSUs (set to PUBLIC by default), it is possible to use the read-only information from SNMP to retrieve the private IP network information of the target VSU. This is the preliminary information needed for the source-routed attack on the VSU, since the SNMP data reveals the IP addressing of the protected segment in the VPN.