CVE-2002-1623

high

Description

The design of the Internet Key Exchange (IKE) protocol, when using Aggressive Mode for shared secret authentication, does not encrypt initiator or responder identities during negotiation, which may allow remote attackers to determine valid usernames by (1) monitoring responses before the password is supplied or (2) sniffing, as originally reported for FireWall-1 SecuRemote.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/10034

http://www.securityfocus.com/bid/5607

http://www.nta-monitor.com/news/checkpoint.htm

http://www.kb.cert.org/vuls/id/886601

http://www.checkpoint.com/techsupport/alerts/ike.html

http://marc.info/?l=bugtraq&m=103176164729351&w=2

http://marc.info/?l=bugtraq&m=103124812629621&w=2

http://lists.grok.org.uk/pipermail/full-disclosure/2002-September/001223.html

Details

Source: Mitre, NVD

Published: 2002-12-31

Updated: 2017-07-11

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High