Vulnerability title: Remote SSL VPN Endpoint Identity Not Verified In Viprinet Multichannel VPN Router 300
CVE: CVE-2014-9754, CVE-2014-9755
Product: Multichannel VPN Router 300
Affected version: 2013070830/2013080900
Fixed version: 2014013131/2014020702
Reported by: Tim Brown
In order for the hardware VPN client on the affected device to establish a VPN channel it connects to the remote VPN endpoint and initiates an SSL connection using TLSv1.1. It then initiates the following exchange (protocol version 2):
client> VERSION 3
client> VERSION 2
server> +OK Protocol version 2 chosen
client> TUNNEL test
server> +OK Tunnel chosen
client> PASS test
server> +OK You are now authenticated
client> CHANNEL test
server> +OK Channel selected
The hardware VPN client does not validate the remote VPN endpoint identity (through the checking of the endpoint?s SSL key) before initiating the exchange.
In this example, we perform a downgrade attack from protocol version 3 to protocol version 2, however as noted in the impact, version 3 of the protocol is similarly affected.
Note: MITRE have assigned CVE-2014-9754 to reference the missing certificate validation and CVE-2014-9755 to reference the protocol downgrade attack.
Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-9754-cve-2014-9755/
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.