Slashdot Mirror


VPN Flaw Allows Denial of Service

An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provides fixes for the flaw."


  1. This seems like a protocol issue by Anonymous Coward · · Score: 3, Insightful

    and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?

    1. Re:This seems like a protocol issue by JimBowen · · Score: 2, Insightful

      I expect it is just a hack which fixes the security hole, while causing the implementation to no longer comply with the standard for the protocol.
      Though one would hope this doesn't cause problems in itself.. :/

    2. Re:This seems like a protocol issue by Anonymous Coward · · Score: 1, Insightful

      They didn't get any warning. They fixed their IKE implementation years ago because they wanted to.

  2. There is not a lot of info on NISCC site by arivanov · · Score: 5, Insightful

    The blurb has nearly no meaningful information whatsoever. The only meaningful bit is the recommendation not to use aggressive mode.

    Well... We kinda all know this already. The weaknesses of aggressive mode were all over BUGTRAQ more than 2 years ago and if you are still using it you "Get whatever Christmas you deserve".

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

  3. Summary by hal9000(jr) · · Score: 3, Insightful

    Feed a server carefully crafted, malformed packets and it may behave in unpredictable ways. We show that several IPSec implementations of IKE V1 don't behave properly.

    Not news kids, just development as usual.

    Oh, and I like the bit about "possibly executing code." That, I believe, is FUD. Prove that you can execute code.
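
A defensive counterpart to the malformed-packet point in the Summary comment and the aggressive-mode recommendation mentioned earlier in the thread, as an added example that is not part of the thread or any vendor's code: a strict validator for the ISAKMP fixed header and payload chain (layout per RFC 2408) that also refuses aggressive mode by policy. The function names, the `allow_aggressive` flag and the sample datagrams are constructed for illustration and do not reproduce the researchers' test cases.

```python
import struct

HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header: 28 bytes
AGGRESSIVE = 4                      # exchange type value for aggressive mode
ENCRYPTED = 0x01                    # flags bit: payloads are encrypted

def check_isakmp(datagram, allow_aggressive=False):
    """Return the reasons to drop a datagram; an empty list means accept."""
    if len(datagram) < HDR.size:
        return ["shorter than the 28-byte ISAKMP header"]
    _ic, _rc, next_payload, version, exch, flags, _mid, length = HDR.unpack_from(datagram)
    problems = []
    if version >> 4 != 1:
        problems.append("unsupported major version %d" % (version >> 4))
    if exch == AGGRESSIVE and not allow_aggressive:
        problems.append("aggressive mode exchange refused by policy")
    if length != len(datagram):
        problems.append("declared length %d != datagram size %d" % (length, len(datagram)))
        return problems  # never let the declared length drive later reads
    if flags & ENCRYPTED:
        return problems  # payload chain is opaque until decrypted
    offset = HDR.size
    while next_payload != 0:  # 0 means "no further payload"
        if offset + 4 > length:
            problems.append("payload header at offset %d runs past the end" % offset)
            break
        following, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:  # plen counts its own 4-byte header
            problems.append("payload length %d invalid at offset %d" % (plen, offset))
            break
        next_payload, offset = following, offset + plen
    else:
        if offset != length:
            problems.append("%d trailing bytes after the last payload" % (length - offset))
    return problems

def build(exch, payloads):
    """Constructed test input: payloads is a list of (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"I" * 8, b"\0" * 8, first, 0x10, exch, 0, 0, HDR.size + len(body)) + body

if __name__ == "__main__":
    good = build(2, [(1, b"\0" * 8), (13, b"vid")])  # main mode: SA + Vendor ID
    for name, pkt in [("good", good), ("aggressive", build(4, [(1, b"")])), ("cut", good[:-2])]:
        print(name, check_isakmp(pkt))
```
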

  4. Well that's pretty dumb. by Some+Random+Username · · Score: 2, Insightful

    OpenVPN has had several VERY STUPID security problems discovered recently. Why not just keep using IPsec, but don't buy a shitty broken implementation from Cisco? http://www.openbsd.org/