The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote.
IKE Aggressive Mode in various VPN implementations exposes user identities in plaintext during the initial negotiation phase, enabling attackers to harvest valid usernames. This allows for credential harvesting and subsequent attacks like password guessing or brute-force attempts, potentially leading to unauthorized access to sensitive networks. This vulnerability is particularly dangerous because it can be exploited remotely without requiring prior access or authentication.
Step 1: Network Monitoring: The attacker passively monitors network traffic, typically using a packet sniffer like Wireshark, on a network segment where IKE traffic is expected.
Step 2: IKE Aggressive Mode Detection: The attacker identifies IKE traffic using Aggressive Mode. This can be determined by analyzing the IKE packets' payload types and exchange types.
Step 3: Identity Extraction: The attacker extracts the initiator and responder identities (usernames) from the unencrypted payloads within the IKE packets. These payloads are transmitted in plaintext.
Step 4: Credential Harvesting: The attacker compiles a list of valid usernames. This list can then be used for various attacks.
Step 5: Subsequent Attacks: The attacker leverages the harvested usernames to perform credential stuffing, password guessing, or brute-force attacks against the VPN or associated services.
The vulnerability stems from a design flaw in the Internet Key Exchange (IKE) protocol when Aggressive Mode is used with shared secret authentication. In this mode, the initiator and responder identities (typically usernames) are transmitted in the clear during the initial exchange (Phase 1), so an attacker can passively eavesdrop on the network traffic and capture them. The root cause is the protocol's design choice to prioritize speed and simplicity over security in the initial exchange: the identity payloads are not encrypted. The resulting disclosure of usernames is trivial to obtain and can feed subsequent attacks. This is not a specific code flaw but a protocol-level weakness.
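A defender can confirm whether their own gateways or clients still negotiate this mode by checking the ISAKMP header of UDP/500 traffic for exchange type 4 with the encryption flag clear and an Identification payload in the chain. The following is an added example, not code from the original advisory; field offsets follow RFC 2408 and RFC 2407, and the function name, the sample messages and the identity `user@example.invalid` are constructed for illustration. It reports only that a cleartext ID payload is present and its type, never the identity value.

```python
import struct

# Field layout per RFC 2408 (ISAKMP header) and RFC 2407 (ID payload).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, ver, exch, flags, msgid, len
EXCH_AGGRESSIVE = 4
FLAG_ENCRYPTED = 0x01
PAYLOAD_ID = 5

def audit_ike_message(data):
    """Classify one UDP/500 payload; returns None if it is not a sane IKEv1 message."""
    if len(data) < ISAKMP_HDR.size:
        return None
    _, _, next_pl, version, exch, flags, _, length = ISAKMP_HDR.unpack_from(data)
    if version >> 4 != 1 or not ISAKMP_HDR.size <= length <= len(data):
        return None
    finding = {"aggressive": exch == EXCH_AGGRESSIVE,
               "encrypted": bool(flags & FLAG_ENCRYPTED),
               "cleartext_id": False, "id_type": None}
    if finding["encrypted"]:
        return finding  # payload chain is ciphertext and cannot be walked
    off = ISAKMP_HDR.size
    while next_pl != 0 and off + 4 <= length:
        following, _, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > length:
            break  # malformed chain: stop rather than read out of bounds
        if next_pl == PAYLOAD_ID and plen >= 8:
            finding["cleartext_id"] = True
            finding["id_type"] = data[off + 4]  # e.g. 3 = ID_USER_FQDN; value not logged
        next_pl, off = following, off + plen
    return finding

# --- constructed sample messages (not captured traffic) ---
def _payload(following, body):
    return struct.pack("!BBH", following, 0, 4 + len(body)) + body

def _message(exch, flags, first_pl, body):
    return ISAKMP_HDR.pack(b"I" * 8, bytes(8), first_pl, 0x10, exch, flags, 0,
                           ISAKMP_HDR.size + len(body)) + body

ID_BODY = bytes([3, 17, 0x01, 0xF4]) + b"user@example.invalid"
AGGRESSIVE_MSG1 = _message(4, 0, 1, _payload(4, bytes(8)) + _payload(10, bytes(16))
                           + _payload(5, bytes(16)) + _payload(0, ID_BODY))
MAIN_MSG1 = _message(2, 0, 1, _payload(0, bytes(8)))
MAIN_MSG5 = _message(2, FLAG_ENCRYPTED, 5, bytes(32))

if __name__ == "__main__":
    for name, msg in [("aggressive #1", AGGRESSIVE_MSG1), ("main #1", MAIN_MSG1),
                      ("main #5", MAIN_MSG5)]:
        print(name, audit_ike_message(msg))
```

A finding with `aggressive` and `cleartext_id` both true marks a peer that should be moved to Main Mode or to certificate-based authentication; the Main Mode samples show the contrast, where the ID payload only travels after the encryption flag is set.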