Slashdot Mirror


VPN Flaw Allows Denial of Service

An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provides fixes for the flaw."

4 of 64 comments

  1. There does not seem to be any IPsec exploiting by pe1chl · · Score: 4, Interesting

    We have been running IPsec on Cisco routers for quite some time.
    We have always had an explicit allow list for isakmp packets only for the known peers, and a deny with logging for all other sources.
    Over the years, there have been only very few logged packets. No need to tell you how many NETBIOS and other well-known exploitable service packets have been counted (we don't even log these).

    It does not look like IPsec is a popular attack vector. Same for PPTP, by the way.
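The filtering the commenter describes, rendered as an added example that is not code from the post, from Cisco or from the PROTOS project: build an IOS extended ACL that permits ISAKMP (UDP/500) and NAT-T (UDP/4500) only from known peers and then denies and logs the rest on those ports, and summarise the resulting %SEC-6-IPACCESSLOGP deny lines per source so that a spike in unsolicited ISAKMP traffic stands out. The ACL number 101, the tunnel address 198.51.100.1, the peer addresses and the syslog lines are all constructed for this illustration.

```python
"""Added example (not from the Slashdot post or from Cisco): an ISAKMP
allow list for known IPsec peers plus a summary of deny-with-log hits.
All addresses, the ACL number and the sample syslog lines are constructed."""
import re
from collections import Counter

ISAKMP_PORT = 500    # IOS port keyword "isakmp"
NATT_PORT = 4500     # IOS port keyword "non500-isakmp" (NAT traversal)


def build_isakmp_acl(acl_no, local_ip, peers):
    """Render the IOS ACL lines.  IOS evaluates entries in order and stops
    at the first match, so the per-peer permits must precede the deny/log
    entries.  Policy for non-IPsec traffic is out of scope here and would
    follow these lines (the implicit deny at the end still applies)."""
    lines = []
    for peer in peers:
        lines += [
            f"access-list {acl_no} permit udp host {peer} host {local_ip} eq isakmp",
            f"access-list {acl_no} permit udp host {peer} host {local_ip} eq non500-isakmp",
            f"access-list {acl_no} permit esp host {peer} host {local_ip}",
        ]
    lines += [
        f"access-list {acl_no} deny udp any host {local_ip} eq isakmp log",
        f"access-list {acl_no} deny udp any host {local_ip} eq non500-isakmp log",
    ]
    return lines


# IOS logs ACL denies with the "log" keyword as %SEC-6-IPACCESSLOGP; the
# trailing count aggregates repeated hits over the logging interval.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied udp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def summarise_denies(log_lines, acl_no, peers):
    """Count denied ISAKMP/NAT-T packets per source for one ACL.
    A known peer showing up in the deny log means it is missing from the
    allow list or the entries are in the wrong order, so it is reported
    separately from unknown sources."""
    peers = set(peers)
    unknown, peer_hits = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("acl") != str(acl_no):
            continue
        if int(m.group("dport")) not in (ISAKMP_PORT, NATT_PORT):
            continue
        src, n = m.group("src"), int(m.group("count"))
        (peer_hits if src in peers else unknown)[src] += n
    return {"unknown": unknown, "peer_hits": peer_hits}


# Constructed syslog sample: two unknown sources, one known peer that was
# wrongly denied, and an unrelated NETBIOS deny from a different ACL.
SAMPLE_LOG = """\
Aug 10 09:12:01 gw1 1234: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.77(500) -> 198.51.100.1(500), 1 packet
Aug 10 09:12:33 gw1 1235: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.77(500) -> 198.51.100.1(500), 4 packets
Aug 10 09:15:02 gw1 1236: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.200(4500) -> 198.51.100.1(4500), 2 packets
Aug 10 09:16:40 gw1 1237: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.10(500) -> 198.51.100.1(500), 1 packet
Aug 10 09:17:00 gw1 1238: %SEC-6-IPACCESSLOGP: list 199 denied udp 192.0.2.9(137) -> 198.51.100.1(137), 12 packets
"""

KNOWN_PEERS = ["203.0.113.10", "203.0.113.11"]

if __name__ == "__main__":
    for entry in build_isakmp_acl(101, "198.51.100.1", KNOWN_PEERS):
        print(entry)
    print(summarise_denies(SAMPLE_LOG.splitlines(), 101, KNOWN_PEERS))
```

Applied inbound on the outside interface, this gives the commenter's behaviour: peers negotiate normally, and anything else aimed at UDP/500 or UDP/4500 is dropped before the ISAKMP parser sees it, with a log line per source to count over time.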

  2. Re:Try again. by Anonymous Coward · · Score: 1, Interesting

    True. I also did some work for the PROTOS project and it does not test protocols, but the implementation of protocols.

  3. Well, I knew something was up... by Penguin+Follower · · Score: 2, Interesting

    ... since my router started randomly reloading a few days ago. I wonder if Cisco will release a patched version of the IOS that's free, cause I cannot afford the "cisco tax". I bought that router while I was a student ( and in the cisco academy program ) to practice with the IOS. I had been using the router for my cable connection since then. But, if I cannot get a free update I'll be going to get one of those inexpensive linksys or netgear routers for my home connection now.

    Yay, I now have a $500 cisco paper weight.

  4. And, how do you get that update? by gordonb · · Score: 2, Interesting

    Juniper does not issue patches to JunOS, including ex-Netscreen ScreenOS. In order to get the latest firmware, you must have a support contract with Juniper at a cost of hundreds to thousands per year per device. If you have let your contract lapse, you need to pay the fee for every year since your last subscription up to the present year. They will not simply sell you the firmware, even if you have a legitimate license and registered device. If you use an EOL device, such as the common Netscreen 5XP, you are SOL.