Flaw Found in VPN Crypto Security
peeon writes "CNET reports the British National Infrastructure Security Coordination Centre has discovered a flaw in the IPSEC protocol. From the article: 'The flaw, which the NISCC rates as "high" risk, makes it possible for an attacker to intercept IP packets traveling between two IPsec devices. They could then modify the encapsulation security payload--a subprotocol that encrypts the data being transported.'"
It's important to realize that you're only vulnerable to this issue if you're *not* doing integrity checking via IPSEC. Most major VPN infrastructures I run across use ESP with both confidentiality *and* integrity functionality enabled (some use AH as well). If that's the case for network x, then network x has nothing to fear from this.
Always read vulnerability details; people love to sensationalize stuff like this to the extreme.
dmiessler.com -- grep understanding knowledge
This is a misleading writeup. The problem only shows up in certain configurations and is easily worked around. From TFA:

Solution
--------
Any of the following methods can be used to rectify this issue:

1. Configure ESP to use both confidentiality and integrity protection. This is the recommended solution.
2. Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully: for example, the configuration where AH in transport mode is applied end-to-end and tunnelled inside ESP is still vulnerable.
3. Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
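A check for the first remedy quoted from the advisory above (ESP with both confidentiality and integrity), added here as an example and not taken from the thread or the advisory. It assumes a Linux gateway and reads text in the layout printed by `ip xfrm state`; the sample dump, addresses and keys are constructed, and the function names are hypothetical.

```python
# Constructed sample in the layout printed by Linux `ip xfrm state` (keys shortened).
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0000001 reqid 1 mode tunnel
    auth-trunc hmac(sha256) 0x00112233 128
    enc cbc(aes) 0x44556677
src 192.0.2.1 dst 198.51.100.2
    proto esp spi 0xc0000002 reqid 2 mode tunnel
    replay-window 32 flag af-unspec
    enc cbc(aes) 0x8899aabb
src 192.0.2.1 dst 198.51.100.3
    proto esp spi 0xc0000003 reqid 3 mode tunnel
    aead rfc4106(gcm(aes)) 0xccddeeff 128
src 192.0.2.1 dst 198.51.100.4
    proto ah spi 0xc0000004 reqid 4 mode transport
    auth-trunc hmac(sha1) 0x01020304 96
"""

def parse_sas(text):
    """Split the dump into one dict per SA: endpoints, proto, SPI, algorithms."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace() and tok[0] == "src":  # unindented line opens a new SA
            sas.append({"src": tok[1], "dst": tok[3], "proto": None, "spi": None, "algs": {}})
        elif sas and tok[0] == "proto":
            sas[-1]["proto"], sas[-1]["spi"] = tok[1], tok[3]
        elif sas and tok[0] in ("enc", "auth", "auth-trunc", "aead") and len(tok) > 1:
            sas[-1]["algs"][tok[0]] = tok[1]
    return sas

def esp_without_integrity(text):
    """Return ESP SAs that encrypt but carry no integrity protection."""
    flagged = []
    for sa in parse_sas(text):
        a = sa["algs"]
        if sa["proto"] != "esp" or "aead" in a:  # AEAD modes authenticate by themselves
            continue
        auth = a.get("auth-trunc") or a.get("auth")
        # Assumption: a null authenticator is listed under a name containing "null".
        if auth is None or "null" in auth:
            flagged.append((sa["src"], sa["dst"], sa["spi"], a.get("enc")))
    return flagged

if __name__ == "__main__":
    for src, dst, spi, enc in esp_without_integrity(SAMPLE):
        print(f"ESP SA {src} -> {dst} spi {spi}: enc {enc}, no integrity algorithm")
```

The check is per SA, so it does not correlate a flagged ESP SA with a separate AH SA covering the same traffic (the advisory's second remedy); review those pairs by hand.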
"old news for nerds"
Slashdot is only as up-to-date as you make it. AFAIK the editorial team don't go looking for articles, they wait for YOU the reader to submit them.
If you want current news, you should participate in providing it.
If you hand your credit card to the first person who walks past you when you're done eating, it may not be your waiter!