Craig,

The password is encrypted in the PCF file.

There are two fields:

UserPassword=
enc_UserPassword=

If you embed a clear text password in the "UserPassword=" field, as soon
as you launch the VPN Client for the first time, it will clear out that
field, encrypt the password, and put the encrypted string in the
"enc_UserPassword=" field. If you are saying that you can decrypt that
encryption, then this is something that you'll need to contact Cisco
about immediately. You should never embed a user's password in the
clear in the PCF file without next launching the client to encrypt it.

--Basim

Basim S. Jaber
Senior Systems Engineer
iPass Inc.
Field Sales - North America

+1 650-232-4311
+1 650-232-0228 fx
iPass Inc.
3800 Bridge Parkway
Redwood Shores, CA 94065
www.ipass.com

-----Original Message-----
From: vpn-bounces+bjaber=ipass.com@lists.shmoo.com
[mailto:vpn-bounces+bjaber=ipass.com@lists.shmoo.com] On Behalf Of Craig
Rothman
Sent: Tuesday, November 08, 2005 10:14 AM
To: vpn@lists.shmoo.com
Subject: [VPN] Cisco VPN client .pcf file security hole

Hello,

I have a security problem with a .pcf file that Cisco VPN client uses.
Being this file is easy to hack to get the password for the outside
network, is there a way to mask it so that a decoder cannot reveal the
password. Our vpn is thru a PIX515E firewall and if there is a way to
set passwords for individual users. Any feedback will be appreciated.

Thanks

Craig Rothman
IT/Network Administrator


_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
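
Added example, not part of either message in this thread: a small audit that reads a .pcf profile and reports which of the two fields named in the reply holds a value, so a profile shipped with a clear text "UserPassword=" that the client has not yet rewritten is caught before distribution. The sample profiles, host name and values are constructed placeholders, and treating a profile without a section header as a single [main] section is an assumption.

```python
import configparser

# Constructed sample profiles (not from the thread); all values are placeholders.
NEVER_LAUNCHED = "[main]\nHost=vpn.example.com\nUserPassword=PLACEHOLDER\nenc_UserPassword=\n"
LAUNCHED = "[main]\nHost=vpn.example.com\nUserPassword=\nenc_UserPassword=0A1B2C3D\n"
PROMPTED = "Host=vpn.example.com\nUserPassword=\nenc_UserPassword=\n"  # no section header


def audit_pcf(text):
    """Return (severity, field, advice) findings for the two password fields."""
    parser = configparser.RawConfigParser(strict=False)  # raw: no % interpolation
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Assumption: treat a header-less profile as one [main] section.
        parser.read_string("[main]\n" + text)
    findings = []
    for section in parser.sections():
        # configparser lower-cases keys, so the lookup is case-insensitive.
        clear = parser.get(section, "UserPassword", fallback="").strip()
        enc = parser.get(section, "enc_UserPassword", fallback="").strip()
        if clear:
            findings.append(("HIGH", "UserPassword",
                             "clear text password on disk; client has not rewritten it yet"))
        if enc:
            findings.append(("REVIEW", "enc_UserPassword",
                             "saved password travels with the file; restrict who can read it"))
    return findings


if __name__ == "__main__":
    for name, text in [("never launched", NEVER_LAUNCHED),
                       ("launched", LAUNCHED), ("prompted", PROMPTED)]:
        print(name, audit_pcf(text) or "no stored password")
```

A profile with both fields empty produces no findings, which corresponds to the user being prompted for the password at connect time rather than having it stored in the file.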
