Upstream information

CVE-2002-1623 at MITRE

Description

The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5
Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Note from the SUSE Security Team

This issue happens in IKE aggressive mode, also in current ipsec-tools versions. IKE agressive mode is not recommended to be used.

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Fri Jun 28 00:42:46 2013
CVE page last modified: Fri Oct 7 12:45:27 2022