Slashdot Mirror


VPN Flaw Allows Denial of Service

An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provides fixes for the flaw."

64 comments

  1. This seems like a protocol issue by Anonymous Coward · · Score: 3, Insightful

    and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?

    1. Re:This seems like a protocol issue by JimBowen · · Score: 2, Insightful

      I expect it is just a hack which fixes the security hole, while causing the implementation to no longer comply with the standard for the protocol.
      Though one would hope this doesn't cause problems in itself.. :/

    2. Re:This seems like a protocol issue by Homology · · Score: 4, Informative

      > and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?

      The advisory says:

      Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

      The OpenBSD developers fixed this early 2004 :

      > I just tested our isakmpd(8) implementation against the PROTOS
      > test suite. No problems were detected. We performed an audit
      > of isakmpd's IKE parsing code back in early 2004 and made several
      > fixes (OpenBSD 3.4 timeframe).
      >
      > I also ran the PROTOS suite against tcpdump -vvv and saw no
      > problems.

      Please also note that both these programs are priv sep'd, so that
      in the event a bug is found, the impact will be much reduced.

    3. Re:This seems like a protocol issue by leto · · Score: 1

      Nice to see OpenBSD got previous warning, unlike other open-source implementations who got a 0day.......

    4. Re:This seems like a protocol issue by xquark · · Score: 1

      Actually you are wrong, it's an implementation fault and has nothing to do with the protocol
      description. Read the advisory: http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

      It specifically states implementation of protocol. The whole problem is related to incorrect
      parser engines of SNMP, IKEv1 and ASN.1 et al. type data structures.

      Arash Partow

      --
      Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.

    5. Re:This seems like a protocol issue by Anonymous Coward · · Score: 1, Insightful

      They didn't get any warning. They fixed their IKE implementation years ago because they wanted to.

  2. Original publication by Anonymous Coward · · Score: 3, Informative

    http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/index.html

    "ABSTRACT

    The Internet Security Association and Key Management Protocol (ISAKMP), is designed to establish, negotiate, modify and delete Security Associations. ISAKMP provides a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. Internet Key Exchange (IKE), a derivative of ISAKMP, is a key protocol in the Internet Security Architecture (IPsec). A subset of IKE Phase 1 negotiation was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Some of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. Therefore, this robustness test-material should be adopted for evaluation and development of ISAKMP/IKE products."

  3. There is not a lot of info on NISCC site by arivanov · · Score: 5, Insightful

    The blurb has nearly no meaningful information whatsoever. The only meaningful bit is the recommendation not to use aggressive mode.

    Well... We kinda all know this already. The weaknesses of aggressive mode were all over BUGTRAQ more than 2 years ago and if you are still using it you "Get whatever Christmas you deserve".

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

    1. Re:There is not a lot of info on NISCC site by SiliconEntity · · Score: 1

      > The blurb has nearly no meaningful information whatsoever. The only meaningful bit is the recommendation not to use aggressive mode.

      That's not the problem. Read the report, http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/index.html, and look at the table at the bottom. There were just as many failures in main mode (i.e. non-aggressive mode) as in aggressive mode. Disabling aggressive mode is no counter-measure.

      And these are implementation failures, not protocol failures. Generally they are the result of insufficient validation of bogus inputs.
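The "insufficient validation of bogus inputs" point is exactly what a robust Phase 1 parser has to get right. As an added illustration (not code from the thread, from the PROTOS suite, or from any vendor named here), the following Python parses the RFC 2408 fixed header and payload chain, checks every length field against the bytes actually received, and runs a constructed valid datagram plus several constructed malformed variants through it; the cookie values and payload bodies are made up, and the packet builder exists only to produce the sample.

```python
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 fixed header: cookies, next, version, exchange, flags, msg id, length
PAYLOAD_HDR_LEN = 4   # generic payload header: next payload, reserved, payload length
NO_NEXT_PAYLOAD = 0
PT_SA, PT_KE, PT_NONCE = 1, 4, 10   # payload type numbers used by the constructed sample


class MalformedISAKMP(ValueError):
    """Datagram breaks ISAKMP framing; a robust daemon drops it instead of crashing."""


def parse_isakmp(pkt: bytes):
    """Parse one ISAKMP datagram into (header dict, [(payload_type, body), ...]).
    Every length field is compared with the bytes actually received before it is
    used, so a hostile length can neither read past the buffer nor spin the walk."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise MalformedISAKMP("datagram shorter than the ISAKMP header")
    (icookie, rcookie, nxt, version, exch,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise MalformedISAKMP("unsupported ISAKMP major version")
    if length != len(pkt):
        raise MalformedISAKMP(f"header claims {length} bytes, datagram has {len(pkt)}")
    header = {"icookie": icookie, "rcookie": rcookie, "exchange": exch, "msg_id": msg_id}
    payloads = []
    offset = ISAKMP_HDR_LEN
    ptype = nxt   # each payload's type is carried by the header that precedes it
    while ptype != NO_NEXT_PAYLOAD:
        if len(pkt) - offset < PAYLOAD_HDR_LEN:
            raise MalformedISAKMP("payload header runs past end of datagram")
        nxt, reserved, plen = struct.unpack("!BBH", pkt[offset:offset + PAYLOAD_HDR_LEN])
        if reserved != 0:
            raise MalformedISAKMP("reserved byte in payload header must be zero")
        if plen < PAYLOAD_HDR_LEN:    # 0..3 would make an unchecked walk spin or go negative
            raise MalformedISAKMP(f"payload length {plen} smaller than its own header")
        if offset + plen > len(pkt):  # an oversized length would make an unchecked walk over-read
            raise MalformedISAKMP(f"payload length {plen} exceeds the {len(pkt) - offset} bytes left")
        payloads.append((ptype, pkt[offset + PAYLOAD_HDR_LEN:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(pkt):
        raise MalformedISAKMP("trailing bytes after the last payload")
    return header, payloads


def build_isakmp(payloads, exchange=2):
    """Build a well-formed datagram; exchange 2 is Identity Protection (main mode)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body


def verdict(pkt: bytes) -> str:
    try:
        parse_isakmp(pkt)
        return "accepted"
    except MalformedISAKMP:
        return "rejected"


def run_cases():
    """Run a constructed valid datagram and four malformed variants; return the verdicts."""
    # Constructed main-mode message: SA, KE and NONCE payloads with dummy bodies.
    good = build_isakmp([(PT_SA, b"\x00\x00\x00\x01" + b"\x00" * 8),
                         (PT_KE, b"\x2a" * 32), (PT_NONCE, b"\x5c" * 16)])
    verdicts = {"valid": [ptype for ptype, _ in parse_isakmp(good)[1]]}
    # Offset 30 is the first payload's length field, offset 24 the header length field.
    mutations = {"zero_payload_len": (30, "!H", 0),
                 "huge_payload_len": (30, "!H", 0xFFFF),
                 "header_len_lies": (24, "!I", len(good) + 64)}
    for name, (off, fmt, value) in mutations.items():
        pkt = bytearray(good)
        struct.pack_into(fmt, pkt, off, value)
        verdicts[name] = verdict(bytes(pkt))
    verdicts["truncated"] = verdict(good[:40])
    return verdicts
```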

  4. Oh Cisco... by emptycorp · · Score: 3, Funny

    Gotta love a company that keeps administrators like me with job security :)

  5. Try again. by piranha(jpl) · · Score: 4, Informative

    FTFA:

    Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

    That doesn't strike me as a protocol problem.

    1. Re:Try again. by Anonymous Coward · · Score: 1, Interesting

      True. I also did some work for the PROTOS project and it does not test protocols, but the implementation of protocols.

  6. There does not seem to be any IPsec exploiting by pe1chl · · Score: 4, Interesting

    We have been running IPsec on Cisco routers for quite some time.
    We have always had an explicit allow list for isakmp packets only for the known peers, and a deny with logging for all other sources.
    Over the years, there have been only very few logged packets. No need to tell you how many NETBIOS and other well-known exploitable service packets have been counted (we don't even log these).

    It does not look like IPsec is a popular attack vector. Same for PPTP, by the way.

    1. Re:There does not seem to be any IPsec exploiting by Tony+Hoyle · · Score: 1

      It's not worth the effort for most.

      I get more hits on random ports than known ones (I don't log 137/139/445 either) - I think it's spambots trying to find infected machines.

    2. Re:There does not seem to be any IPsec exploiting by graf0z · · Score: 1

      > We have always had an explicit allow list for isakmp packets only for the known peers

      It's always a good idea to restrict access to a service to legitimate peers on layer 3. Unfortunately, this does not work if your peers use unpredictable IPs (VPN-roadwarriors).

      It does look like an attack vector which should bother lots of admins.

      graf0z.

  7. Thanks Jupiner! by jacoplane · · Score: 5, Funny

    "Juniper said it has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw."

    Gee, thanks for letting the rest of the world know too!

    1. Re:Thanks Jupiner! by managedcode · · Score: 1

      So that means Cisco's Testing Team can be labelled as slackers ?
      eBay Sucks!

  8. Lex Karpela.. by Anonymous Coward · · Score: 0, Flamebait

    It's good that they found it now, as the new copyright law will make such research illegal in Finland starting next year..

    1. Re:Lex Karpela.. by Ceriel+Nosforit · · Score: 1, Funny

      But as usual, the average Finn doesn't give a damn about the law. It just becomes yet another matter not to talk loudly about.

      --
      All rites reversed 2010

  9. Summary by hal9000(jr) · · Score: 3, Insightful

    Feed a server carefully crafted, malformed packets and it may behave in unpredictable ways. We show that several IPSec implementations of IKE V1 don't behave properly.

    Not news kids, just development as usual.

    Oh, and I like the bit about "possibly executing code." That, I believe, is FUD. Prove that you can execute code.

    1. Re:Summary by Anonymous Coward · · Score: 0

      > Oh, and I like the bit about "possibly executing code." That, I believe, is FUD. Prove that you can execute code.

      Prove that you can't.

    2. Re:Summary by Slashcrap · · Score: 1

      > Prove that you can't.

      Dear AC,

      They are the ones claiming that code execution is possible therefore they are the ones who should provide proof.

      Every single vulnerability disclosure says "could result in code execution". It doesn't mean that they have any evidence or can even construct a plausible scenario in which code execution may theoretically result. It's just another box to tick and they tick it because the security is largely full of scaremongering, publicity seeking idiots in search of venture capital.

      PS. Have you ever replied to a Usenet post with the words "Me too!"? Just wondering - your writing style makes me curious.

    3. Re:Summary by pp · · Score: 1

      Typically not. Well, not all buffer overflows make code-execution possible, but with a smart enough exploiter quite a few things can, it's just not as straightforward... For a security researcher writing an exploit doesn't make much sense. The bug is there, the software crashes and should be fixed. Anything beyond that just helps the bad guys and takes lots of precious time.

      Mind you, the original page does say

      "Each failed test-case represents at minimum a denial of service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead exposure to typical buffer overflow exploits, allowing running of arbitrary code or modification of the target system.". Anything beyond that is just journalist speculation :-)

  10. Looks like implementation by mikeborella · · Score: 3, Informative

    Some lab ran a protocol tester against some ISAKMP implementations and found a few issues. No reason to panic as long as the vendors fix it. It is pretty common to fix these sorts of bugs in complicated protocols like ISAKMP.

    --
    Mike Borella http://www.borella.net/mike

    1. Re:Looks like implementation by Homology · · Score: 1

      > Some lab ran a protocol tester against some ISAKMP implementations and found a few issues. No reason to panic as long as the vendors fix it.

      Here is a concrete payoff of OpenBSD pro-active stance with respect to security: fixed early 2004.

      > It is pretty common to fix these sorts of bugs it complicated protocols like ISAKMP.

      Yeah, complicated protocol implementations are particularly susceptible to format string vulnerabilities and buffer overflows....

  11. There's the problem by The+New+Andy · · Score: 1

    > By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

    Your TLAs are broken.

    Gah, I like to think that I'm technically savvy, but when there are 2 FLAs and a SLA in a row, and I don't know what any of them mean, I feel a little sad.

    1. Re:There's the problem by Anonymous Coward · · Score: 0

      They weren't warned, they just did a routine audit and code consolidation.
      That's OpenBSD's "proactive security".

  12. Just when we all thought we were saved! by Anonymous Coward · · Score: 0

    Just when we thought we were all going to be saved by a saint we all find out we are doomed!

    If you happen to see this post even partly you can say the internet is still partly working.

  13. Well, I knew something was up... by Penguin+Follower · · Score: 2, Interesting

    ... since my router started randomly reloading a few days ago. I wonder if Cisco will release a patched version of the IOS that's free, 'cause I cannot afford the "Cisco tax". I bought that router while I was a student ( and in the Cisco academy program ) to practice with the IOS. I had been using the router for my cable connection since then. But, if I cannot get a free update I'll be going to get one of those inexpensive Linksys or Netgear routers for my home connection now.

    Yay, I now have a $500 Cisco paperweight.

    1. Re:Well, I knew something was up... by KiloByte · · Score: 1

      A $50 PC may be louder and bulkier, but it's a whole hell more versatile.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    2. Re:Well, I knew something was up... by Anonymous Coward · · Score: 0

      I haven't looked that deeply into the flaw, but surely you can avoid the paperweight situation with a few simple access lists?


    3. Re:Well, I knew something was up... by forged · · Score: 3, Informative

      > No free software upgrade ?

      From the Cisco security advisory:

      Summary

      Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.

      Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. (emphasis mine)

      Then later in the same document, there's a whole section about Obtaining Fixed Software including a subsection for Customers without Service Contracts (emphasis mine) which I assume is your case.

    4. Re:Well, I knew something was up... by Anonymous Coward · · Score: 0

      Nevermind him, it's an obvious troll who hasn't even RTFM.

    5. Re:Well, I knew something was up... by Penguin+Follower · · Score: 1

      Well, I'll definitely give you the more versatile part. But, I want something quiet (there's enough noise in the computer room as it is!) and this router does use less power than the typical PC... well I suppose if I used a P233MMX system as a router it wouldn't be that bad on power, but used parts, meh, bad luck lately with used stuff. At least with a NEW network appliance I'm (in theory) getting a higher reliability device.

      Plus, I've already purchased it. :P

    6. Re:Well, I knew something was up... by Penguin+Follower · · Score: 1

      > Then later in the same document, there's a whole section about Obtaining Fixed Software including a subsection for Customers without Service Contracts (emphasis mine) which I assume is your case.

      Yes, that section would apply to me. I do not have a service contract with them. (Nor do I want one).

      Interestingly enough, though, is the fact that I don't even use VPN on this router... which leads me to believe I missed a previous DOS exploit for my router.

    7. Re:Well, I knew something was up... by forged · · Score: 1

      I know what you mean. If I were in your case though, I would look at this as an opportunity to get a free upgrade from Cisco. I guess the router reboots which you've started to experience have nothing to do with the flaw; as you say it's probably one of the numerous older published ones.

      I recently downloaded and gave a try to Auditor, which comes bundled with a list of exploits for nearly all recent software flaws (not just Cisco) and for which there is a public advisory and exploit code available. Scary, but necessary. In the wrong hands though, this can be turned into a powerful DOS software collection.

    8. Re:Well, I knew something was up... by bill_mcgonigle · · Score: 1

      I tried this for a client last time one of these came around. I talked to a guy on the phone who, IIRC, had me send e-mails or fill out a web form. We tried three times and never got access.

      Maybe they just offer a ZIP of a .bin now (if so, somebody provide a link please), but at that time there were sufficient hoops to jump through to make some people just consider getting a contract.

      Did I mention linux is a fine router for loads smaller than the PCI bus can handle?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:Well, I knew something was up... by Penguin+Follower · · Score: 1

      Unfortunately, "jumping through hoops" is still necessary. You can only obtain an update by contacting Cisco's TAC either by phone or email. That gets the ball rolling.

    10. Re:Well, I knew something was up... by Penguin+Follower · · Score: 1

      Thanks for the link to Auditor, I didn't know about that useful tool until your post. Yeah, it's scary knowing that some of the "wrong hands" probably do use it.

      I'll be taking a look at the previously known exploits on Cisco's site and seeing which one is probably the problem I experienced. I'll see about getting the patched IOS version. Either way, however, I'll more than likely be putting it on eBay even if I don't get the update. I'll just note in the auction that the buyer will need to obtain the update. :P

    11. Re:Well, I knew something was up... by Cramer · · Score: 1

      Read the notice from Cisco. Yeah, it's a lot of words, but there are instructions for non-contract holders near the bottom... ask TAC for an update. (This is Cisco's standard practice, btw.) Note the word "update" not "upgrade", they will give you the nearest release fix with the same feature set. If you're running 12.2, you'll get a 12.2 image. If you aren't running a crypto image, you aren't entitled to anything because you aren't affected. For example, I'm running 12.4(3), so they'd send me 12.4(3b) not 12.4(5).

      Of course, there are "places" where you can "buy" IOS updates. *cough*ebay*cough* But it's not 100% legal.

    12. Re:Well, I knew something was up... by forged · · Score: 1

      Nopes, Cisco won't post the software directly to you. They'll publish a download link to your Cisco.com profile so you can download the file using the access code provided in the email.

      Send me a 'show version' from the router and your Cisco.com username to my email addy, and I'll see what I can do ;)

  14. OpenBSD? by Anonymous Coward · · Score: 0

    Does anyone out there know if OpenBSD is affected or not?

    TIA.

    1. Re:OpenBSD? by Anonymous Coward · · Score: 1, Informative

      It was and fixed it in OpenBSD 3.4 which was released early 2004.

      Now almost 2 years later, I am lost for words.

  15. It's all in the timing by Landshark17 · · Score: 0

    It's funny, the instant I saw this headline, I got booted from my wireless network. It uses, you guessed it, the Cisco VPN Client!

    And then, not two minutes later, I got booted again while trying to preview the first half of this message.

    --
    This sig is false.

  16. I'm not even going to say anything by grasshoppa · · Score: 1

    I'm just going to link something: http://openvpn.net/

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!

    1. Re:I'm not even going to say anything by Kevin+DeGraaf · · Score: 1

      Amen. I wish I had modpoints today. OpenVPN rules. IPSEC is nasty.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.

  17. Well that's pretty dumb. by Some+Random+Username · · Score: 2, Insightful

    OpenVPN has had several VERY STUPID security problems discovered recently. Why not just keep using ipsec, but don't buy a shitty broken implementation from cisco? http://www.openbsd.org/

    1. Re:Well that's pretty dumb. by r_naked · · Score: 1

      While I agree there have been several security fixes recently, they have all dealt with issues that would require either an authenticated client or a compromised server. Actually there was one where if you disable logging (verb 0) on the server it could have resulted in disconnected clients.

      If your server is compromised you have bigger things to worry about than someone _maybe_ being able to execute arbitrary code on the client (who runs their client as root anyway). If you have a user with a valid key attacking your server you have bigger things to worry about also.

      As for the verb 0 issue .. yea, that was an oppps.

      --
      -- http://anonet.org -- The internet the way it was meant to be. Check it out, you may be surprised.

    2. Re:Well that's pretty dumb. by Some+Random+Username · · Score: 1

      The severity of the flaws doesn't matter. The first time anyone spent any time looking at the code for flaws, they found a bunch of obvious and stupid flaws. Bugs that any reasonable programmer should have been smart enough not to create.

      And tons of people run their client as root, they have to in order to add routes. Just dropping priv later doesn't solve everything.

  18. CheckPoint's Reply by xaosflux · · Score: 2, Informative

    From CheckPoint Solutions:
    Solution ID: #sk31316
    Product: VPN-1/FireWall-1
    Version: NG AI, NGX
    Last Modified: 14-Nov-2005

    Symptoms
    On Monday, November 14th, NISCC has issued a warning about a possible denial of service condition for IKEv1. No known exploit exists.
    (NISCC Vulnerability Advisory 273756)

    Cause
    This issue was identified using the PROTOS ISAKMP Test Suite for IKEv1 which was published through NISCC.

    The issue is due to a problem with the implementation of the IKE protocol.
    The issue might cause a crash of the IKE daemon (vpnd) during the processing of IKE packet 5.

    An attacker needs to perform a full IKE negotiation with the attacked VPN gateway in order to cause the denial of service condition; no single packet attack is possible.
    No further exploit is possible.
    There is no possibility of code execution relating to this issue.
    Given the nature of the issue, crafting an exploit is extremely difficult.

    Solution
    Install the latest HFA (HotFix Accumulator)

  19. And, how do you get that update? by gordonb · · Score: 2, Interesting

    Juniper does not issue patches to JunOS, including ex-Netscreen ScreenOS. In order to get the latest firmware, you must have a support contract with Juniper at a cost of hundreds to thousands per year per device. If you have let your contract lapse, you need to pay the fee for every year since your last subscription up to the present year. They will not simply sell you the firmware, even if you have a legitimate licence and registered device. If you use an EOL device, such as the common Netscreen 5XP, you are SOL.

  20. VPN Denial of Service? I don't think so... by Teddy_Roosevelt · · Score: 1

    This is ridiculous!

    We've been using this unpatched VPN to communicate to the outside world for months and we've never had any prob...[NO CARRIER]

  21. Openswan released update by MikeBabcock · · Score: 1
    Openswan has an announcement about this, and comments:

    Versions of openswan-1 are (apparently) not vulnerable to this attack.

    Versions of openswan-2 are (apparently) vulnerable to a Denial Of Service attack in two known cases.

    One involves a crafted packet using 3DES with an invalid key length. One other is still unknown to us because no more information was provided. These two cases cannot be used to obtain elevated privileges, since it is not possible to use these bugs to execute arbitrary code. These attacks are caught within our "assertion fail" verification code.

    Today we have released openswan-2.4.2. This release fixes the 3DES related Denial Of Service attack.

    We STRONGLY encourage CERT-FI and/or NISCC to give us access to the test kit if they are concerned about the second vulnerability and the impact of this advisory on the wide install base of Openswan-2 if those systems are left vulnerable to a DOS attack.
    --
    - Michael T. Babcock (Yes, I blog)

  22. Okey, soooo.... by Kalzus · · Score: 2, Informative

    They tested a bunch of implementations and a bunch of them failed out over 5000 different tests. How is this a problem with the protocol itself as opposed to how a bunch of vendors decided to implement it?

    Might've been better phrased if it read as a vulnerability with "a number of popular implementations of IKEv1" as opposed to a vulnerability with the protocol.

    --
    "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown

  23. So block the VPN ports by billstewart · · Score: 1

    If you're not using the VPN features, then you can just block packets on Port 500 and you won't have to worry about it.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

    1. Re:So block the VPN ports by Penguin+Follower · · Score: 1

      Well, that won't fix my particular problem since it's a prior exploit that is causing my problem. At any rate, VPN isn't even enabled. The router wouldn't have been accepting those packets anyway. Getting an updated version of the IOS for the exploit at hand, however, I find that Cisco wants to make the process as much of a PITA as possible; They'd rather I buy at service contract from them. (Not going to happen - My website is a hobby and not worth that much money). I bought a less expensive router that still meets my needs but is still probably overkill - at anyrate the firmware updates are free. ;)