Slashdot Mirror

← Back to Stories (view on slashdot.org)

VPN Flaw Allows Denial of Service

Posted by ScuttleMonkey on from the concrete-bunkers-and-razorwire dept.

An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw."

5 of 64 comments (clear)

  1. There is not a lot of info on NISCC site by arivanov · · Score: 5, Insightful

    The blurb has nearly no meaningfull information whatsoever. The only meaningfull bit is the recommendation not to use aggressive mode.

    Well... We kind'a all know this already. The weaknesses of agressive mode were all over BUGTRAQ more then 2 years ago and if you are still using it you "Get whatever Christmas you deserve".

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  2. Try again. by piranha(jpl) · · Score: 4, Informative

    FTFA:

    Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

    That doesn't strike me as a protocol problem.

  3. There does not seem to be any IPsec exploiting by pe1chl · · Score: 4, Interesting

    We have been running IPsec on Cisco routers for quite some time.
    We have always had an explicit allow list for isakmp packets only for the known peers, and a deny with logging for all other sources.
    Over the years, there have been only very few logged packets. No need to tell you how many NETBIOS and other wellknown exploitable service packets have been counted (we don't even log these).

    It does not look like IPsec is a popular attack vector. Same for PPTP, by the way.

  4. Re:This seems like a protocol issue by Homology · · Score: 4, Informative
    and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?

    The advisory says:

    Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

    The OpenBSD developers fixed this early 2004 :

    > I just tested our isakmpd(8) implementation against the PROTOS
    > test suite. No problems were detected. We performed an audit
    > of isakmpd's IKE parsing code back in early 2004 and made several
    > fixes (OpenBSD 3.4 timeframe).
    >
    > I also ran the PROTOS suite against tcpdump -vvv and saw no
    > problems.

    Please also note that both these programs are priv sep'd, so that
    in the event a bug is found, the impact will be much reduced.
  5. Thanks Jupiner! by jacoplane · · Score: 5, Funny

    "Juniper said it has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw."

    Gee, thanks for letting the rest of the world know too!