[vpn-help] Shrew VPN client usage

arkadiusz.kucharski at accenture.com arkadiusz.kucharski at accenture.com
Mon Sep 16 02:55:10 CDT 2013


Dear Shrew support team,
We are planning to use your software VPN client in our company, but we need to follow our security procedures. For that reason, I would like to ask about a few topics regarding your software. Please take a look at the questions below and let us know your comments.
Thank you very much in advance.

3) Please let us know if split tunneling is disabled
4) Please let us know if the Shrew VPN Client is licensed software. If yes, then please provide a vendor confirmation mail that the security risk below has been mitigated by appropriate security fixes/patches.
Risk
1) For the Shrew VPN client, CVE-2010-3361 is identified with a CVSS score of 6.9.
It defines that the (1) iked, (2) ikea and (3) ikec scripts in Shrew Soft IKE 2.1.5 would place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
2) For the shrew VPN client OS
weak_phase1_check (on | off);
Tells racoon to act on unencrypted deletion messages for phase 1. This is a small security risk, so the default is off, meaning that racoon will keep on trying to establish a connection even if the user credentials are wrong, for instance.


Pozdrawiam/Best regards
Arkadiusz Kucharski
EMEA Data Network Engineer
NOS - Network Engineering and Deployment
Accenture Services Sp. z o.o.
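
Added example, not part of the original message and not Shrew Soft's code: a shell sketch for reviewing launcher scripts for the zero-length LD_LIBRARY_PATH entry that the CVE text above describes. The function names and the directory /opt/example/lib are hypothetical; the unguarded prepend shown is the common idiom that yields such an entry when the variable is unset.

```shell
#!/bin/sh
# Added example; all names and paths here are hypothetical.

# has_empty_entry VALUE
# Returns 0 when a colon-separated search path contains a zero-length
# entry (leading colon, trailing colon, or "::"). The dynamic loader
# resolves a zero-length entry to the current working directory.
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;  # empty or unset value: no list to inspect
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# unsafe_prepend DIR CURRENT
# Unguarded idiom: always emits the colon, so an empty CURRENT leaves a
# trailing colon, which is a zero-length entry.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# safe_prepend DIR CURRENT
# Guarded idiom: the colon is emitted only when CURRENT is non-empty.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# audit_script FILE
# Prints "line:text" for each assignment that appends :$LD_LIBRARY_PATH
# without the ${LD_LIBRARY_PATH:+...} guard.
audit_script() {
    grep -nE 'LD_LIBRARY_PATH=.*:\$\{?LD_LIBRARY_PATH\}?' "$1" | grep -vF ':+'
}
```

Run audit_script against each installed wrapper script; any line it prints should be rewritten in the safe_prepend form or confirmed fixed in the installed version.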
