
VPN Flaw Allows Denial of Service

An anonymous reader writes "Finnish researchers at the University of Oulu have found a vulnerability in ISAKMP (Internet Security Association and Key Management Protocol) -- the technology used in IPsec virtual private network and firewall products from a range of networking companies, including Cisco and Juniper Networks. Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder, while Juniper said it has been aware of the problem since June, so software issued on or after July 28 provides fixes for the flaw."
  • by Anonymous Coward on Tuesday November 15, 2005 @05:16AM (#14033379)
    and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?
    • I expect it is just a hack which fixes the security hole, while causing the implementation to no longer comply with the standard for the protocol.
      Though one would hope this doesn't cause problems in itself.. :/
    • Oh Cisco... (Score:3, Funny)

      by emptycorp ( 908368 )
      Gotta love a company that keeps administrators like me with job security :)
    • Try again. (Score:5, Informative)

      by piranha(jpl) ( 229201 ) on Tuesday November 15, 2005 @05:46AM (#14033444) Homepage

      FTFA [uniras.gov.uk]:

      Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

      That doesn't strike me as a protocol problem.

      • Re:Try again. (Score:1, Interesting)

        by Anonymous Coward
        True. I also did some work for the PROTOS project and it does not test protocols, but the implementation of protocols.
    • by Homology ( 639438 ) on Tuesday November 15, 2005 @06:26AM (#14033529)
      and not an implementation failure. So how exactly are individual vendors patching it without changing the protocol? Or are they making changes in the protocol that would be "invisible" to the outside world?

      The advisory says:

      Multiple ISAKMP implementations behave in anomalous way when they receive and handle ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

      The OpenBSD developers fixed this early 2004 [neohapsis.com]:

      > I just tested our isakmpd(8) implementation against the PROTOS
      > test suite. No problems were detected. We performed an audit
      > of isakmpd's IKE parsing code back in early 2004 and made several
      > fixes (OpenBSD 3.4 timeframe).
      >
      > I also ran the PROTOS suite against tcpdump -vvv and saw no
      > problems.

      Please also note that both these programs are priv sep'd, so that
      in the event a bug is found, the impact will be much reduced.
      • By applying the OUSPG PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities can be revealed that can have varying effects.

        Your TLAs are broken.

        Gah, I like to think that I'm technically savvy, but when there are 2 FLAs and a SLA in a row, and I don't know what any of them mean, I feel a little sad.

      • Nice to see Openbsd got previous warning, unlike other opensource implementations who got a 0day.......
    • Actually you are wrong, its an implementation fault and has nothing to do with the protocol
      description. Read the advisory: http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en [uniras.gov.uk]

      It specifically states implementation of protocol. The whole problem is related to incorrect
      parser engines of SNMP, IKEv1 and ASN.1 et al. type data structures.

      Arash Partow
  • Original publication (Score:3, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @05:20AM (#14033384)
    http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/index.html [ee.oulu.fi]

    "ABSTRACT

    The Internet Security Association and Key Management Protocol (ISAKMP), is designed to establish, negotiate, modify and delete Security Associations. ISAKMP provides a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. Internet Key Exchange (IKE), a derivate of ISAKMP, is a key protocol in the Internet Security Architecture (IPsec). A subset of IKE Phase 1 negotiation was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Some of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. Therefore, this robustness test-material should be adopted for evaluation and development of ISAKMP/IKE products."
  • by arivanov ( 12034 ) on Tuesday November 15, 2005 @05:29AM (#14033405) Homepage
    The blurb has nearly no meaningful information whatsoever. The only meaningful bit is the recommendation not to use aggressive mode.

    Well... We kind'a all know this already. The weaknesses of aggressive mode were all over BUGTRAQ more than 2 years ago and if you are still using it you "Get whatever Christmas you deserve".
  • by pe1chl ( 90186 ) on Tuesday November 15, 2005 @06:06AM (#14033487)
    We have been running IPsec on Cisco routers for quite some time.
    We have always had an explicit allow list for isakmp packets only for the known peers, and a deny with logging for all other sources.
    Over the years, there have been only very few logged packets. No need to tell you how many NETBIOS and other well-known exploitable service packets have been counted (we don't even log these).

    It does not look like IPsec is a popular attack vector. Same for PPTP, by the way.
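    The allow list with a logged deny that the comment above describes, written out as an added Cisco IOS configuration fragment (this is not the poster's own configuration). The peer addresses 203.0.113.10 and 203.0.113.11, the interface name and the ACL name are placeholders; `eq isakmp` matches UDP/500 and `eq non500-isakmp` matches UDP/4500 (NAT traversal), both standard IOS port keywords.

```text
! Constructed example: only two known IKE peers may reach the ISAKMP ports;
! everything else aimed at UDP/500 or UDP/4500 is dropped and logged.
ip access-list extended ISAKMP-PEERS
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit udp host 203.0.113.11 any eq isakmp
 permit udp host 203.0.113.11 any eq non500-isakmp
 deny   udp any any eq isakmp log
 deny   udp any any eq non500-isakmp log
 ! the rest of the edge policy goes here; "permit ip any any" only keeps
 ! this fragment focused on the IKE ports
 permit ip any any
!
interface Serial0/0
 ip access-group ISAKMP-PEERS in
```

    Because IKE rides on UDP, a source-address filter only reduces exposure of the parser to unsolicited traffic; a datagram spoofed from a listed peer address still reaches the daemon, so the filter complements a patched implementation rather than replacing it. The `log` keyword is what produces the counts the comment refers to, and the same log lines are a cheap detection signal for scanning against the VPN endpoint.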
  • by jacoplane ( 78110 ) on Tuesday November 15, 2005 @06:43AM (#14033579) Homepage Journal
    "Juniper said it has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw."

    Gee, thanks for letting the rest of the world know too!
    • So that means CISCOs Testing Team can be labelled as slackers ?
      eBay Sucks!
    • Juniper does not issue patches to JunOS, including ex-Netscreen ScreenOS. In order to get the latest firmware, you must have a support contract with Juniper at a cost of hundreds to thousands per year per device. If you have let your contract lapse, you need to pay the fee for every year since your last subscription up to the present year. They will not simply sell you the firmware, even if you have a legitimate license and registered device. If you use an EOL device, such as the common Netscreen 5XP, y
  • Summary (Score:4, Insightful)

    by hal9000(jr) ( 316943 ) on Tuesday November 15, 2005 @07:08AM (#14033636)
    Feed a server carefully crafted, malformed packets and it may behave in unpredictable ways. We show that several IPSec implementations of IKE V1 don't behave properly.

    Not news kids, just development as usual.

    Oh, and I like the bit about "possibly executing code." That, I believe, is FUD. Prove that you can execute code.
    • by pp ( 4753 )
      Typically not. Well, not all buffer overflows make code-execution possible, but with a smart enough exploiter quite a few things can, it's just not as straightforward... For a security researcher writing an exploit doesn't make much sense. The bug is there, the software crashes and should be fixed. Anything beyond that just helps the bad guys and takes lots of precious time.

      Mind you, the original page does say

      "Each failed test-case represents at minimum a denial of service type chance of exploiting the foun
  • by mikeborella ( 118715 ) on Tuesday November 15, 2005 @07:14AM (#14033662) Homepage
    Some lab ran a protocol tester against some ISAKMP implementations and found a few issues. No reason to panic as long as the vendors fix it. It is pretty common to fix these sorts of bugs in complicated protocols like ISAKMP.
    • Some lab ran a protocol tester against some ISAKMP implementations and found a few issues. No reason to panic as long as the vendors fix it.

      Here is a concrete payoff of OpenBSD pro-active stance with respect to security: fixed early 2004 [neohapsis.com].

      It is pretty common to fix these sorts of bugs in complicated protocols like ISAKMP.

      Yeah, complicated protocol implementations are particularly susceptible to format string vulnerabilities and buffer overflows....

  • by Penguin Follower ( 576525 ) <scrose1978&gmail,com> on Tuesday November 15, 2005 @08:39AM (#14033991) Journal
    ... since my router started randomly reloading a few days ago. I wonder if Cisco will release a patched version of the IOS that's free, cause I cannot afford the "cisco tax". I bought that router while I was a student ( and in the cisco academy program ) to practice with the IOS. I had been using the router for my cable connection since then. But, if I cannot get a free update I'll be going to get one of those inexpensive linksys or netgear routers for my home connection now.

    Yay, I now have a $500 cisco paper weight.
    • A $50 PC may be louder and bulkier, but it's a whole hell more versatile.
      • Well, I'll definitely give you the more versatile part. But, I want something quiet (there's enough noise in the computer room as it is!) and this router does use less power than the typical PC... well I suppose if I used a P233MMX system as a router it wouldn't be that bad on power, but used parts, meh, bad luck lately with used stuff. At least with a NEW network appliance I'm (in theory) getting a higher reliability device.

        Plus, I've already purchased it. :P

    • by forged ( 206127 ) on Tuesday November 15, 2005 @09:37AM (#14034389) Homepage Journal
      No free software upgrade ?

      From the Cisco security advisory [cisco.com]:

      Summary

      Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.

      Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. (emphasis mine)

      Then later in the same document, there's a whole section about Obtaining Fixed Software including a subsection for Customers without Service Contracts (emphasis mine) which I assume is your case.

      • Then later in the same document, there's a whole section about Obtaining Fixed Software including a subsection for Customers without Service Contracts (emphasis mine) which I assume is your case.

        Yes, that section would apply to me. I do not have a service contract with them. (Nor do I want one).

        Interestingly enough, though, is the fact that I don't even use VPN on this router... which leads me to believe I missed a previous DOS exploit for my router.

        • I know what you mean. If I were in your case though, I would look at this as an opportunity to get a free upgrade from Cisco. I guess the router reboots which you've started to experience have nothing to do with the flaw; as you say it's probably one of the numerous [cisco.com] older published ones.

          I recently downloaded and gave a try to Auditor [distrowatch.com], which comes bundled with a list of exploits for nearly all recent software flaws (not just Cisco) and for which there is a public advisory and exploit code available. Scary, but

          • Thanks for the link to Auditor, I didn't know about that useful tool until your post. Yeah, it's scary knowing that some of the "wrong hands" probably do use it.

            I'll be taking a look at the previously known exploits on Cisco's site and seeing which one is probably the problem I experienced. I'll see about getting the patched IOS version. Either way, however, I'll more than likely be putting it on eBay even if I don't get the update. I'll just note in the auction that the buyer will need to obtain the updat

        • If you're not using the VPN features, then you can just block packets on Port 500 and you won't have to worry about it.
          • Well, that won't fix my particular problem since it's a prior exploit that is causing my problem. At any rate, VPN isn't even enabled. The router wouldn't have been accepting those packets anyway. Getting an updated version of the IOS for the exploit at hand, however, I find that Cisco wants to make the process as much of a PITA as possible; they'd rather I buy a service contract from them. (Not going to happen - My website is a hobby and not worth that much money). I bought a less expensive router that st
      • I tried this for a client last time one of these came around. I talked to a guy on the phone who, IIRC, had me send e-mails or fill out a web form. We tried three times and never got access.

        Maybe they just offer a ZIP of a .bin now (if so, somebody provide a link please), but at that time there were sufficient hoops to jump through to make some people just consider getting a contract.

        Did I mention linux is a fine router for loads smaller than the PCI bus can handle?
        • Unfortunately, "jumping through hoops" is still necessary. You can only obtain an update by contacting Cisco's TAC either by phone or email. That gets the ball rolling.
        • Nopes, Cisco won't post the software directly to you. They'll publish a download link to your Cisco.com profile so you can download the file using the access code provided in the email.

          Send me a 'show version' from the router and your Cisco.com username to my email addy, and I'll see what I can do ;)

    • Read the notice from Cisco. Yeah, it's a lot of words, but there are instructions for non-contract holders near the bottom... ask TAC for an update. (This is Cisco's standard practice, btw.) Note the word "update" not "upgrade", they will give you the nearest release fix with the same feature set. If you're running 12.2, you'll get a 12.2 image. If you aren't running a crypto image, you aren't entitled to anything because you aren't affected. For example, I'm running 12.4(3), so they'd send me 12.4(3b)
  • I'm just going to link something: http://openvpn.net/ [openvpn.net]
    • Amen. I wish I had modpoints today. OpenVPN rules. IPSEC is nasty.
    • OpenVPN has had several VERY STUPID security problems discovered recently. Why not just keep using ipsec, but don't buy a shitty broken implementation from cisco? http://www.openbsd.org/ [openbsd.org]
      • While I agree there have been several security fixes recently, they have all dealt with issues that would require either an authenticated client or a compromised server. Actually there was one where if you disable logging (verb 0) on the server it could have resulted in disconnected clients.

        If your server is compromised you have bigger things to worry about than someone _maybe_ being able to execute arbitrary code on the client (who runs their client as root anyway). If you have a user with a valid key atta
        • The severity of the flaws doesn't matter. The first time anyone spent any time looking at the code for flaws, they found a bunch of obvious and stupid flaws. Bugs that any reasonable programmer should have been smart enough not to create.

          And tons of people run their client as root, they have to in order to add routes. Just dropping priv later doesn't solve everything.
  • CheckPoint's Reply (Score:2, Informative)

    by xaosflux ( 917784 )
    From CheckPoint Solutions:
    Solution ID: #sk31316
    Product: VPN-1/FireWall-1
    Version: NG AI, NGX
    Last Modified: 14-Nov-2005

    Symptoms
    On Monday, November 14th, NISCC has issued a warning about a possible denial of service condition for IKEv1. No known exploit exists.
    (NISCC Vulnerability Advisory 273756)

    Cause
    This issue was identified using the PROTOS ISAKMP Test Suite for IKEv1 which was published through NISCC.

    The issue is due to a problem with the implementation of the IKE protocol.
    The issue might cause a crash of
  • This is ridiculous!

    We've been using this unpatched VPN to communicate to the outside world for months and we've never had any prob...[NO CARRIER]
  • Openswan has an announcement [openswan.org] about this, and comments:

    Versions of openswan-1 are (apparently) not vulnerable to this attack.

    Versions of openswan-2 are (apparently) vulnerable to a Denial Of Service attack in two known cases.

    One involves a crafted packet using 3DES with an invalid key length. One other is still unknown to us because no more information was provided. These two cases cannot be used to obtain elevated privileges, since it is not possible to use these bugs to execute arbitrary code. These attac
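The NISCC advisory quoted earlier in the thread (implementations misbehaving on Phase 1 packets "with invalid and/or abnormal contents") and the Openswan note just above (a 3DES transform carrying an invalid key length) both come down to parser discipline rather than to the protocol. The following Python is an added example, not code from the advisory, OUSPG, Openswan, OpenBSD or any vendor: it walks an ISAKMP Main Mode message with the bounds and consistency checks a robust implementation needs, and rejects the key-length case. Attribute numbers follow RFC 2409 Appendix A (Encryption Algorithm = 1, Key Length = 14, 3DES-CBC = 5); the `FIXED_KEY_BITS` table listing only 3DES, the `build_packet` helper and the sample packets are constructed for illustration.

```python
import struct

# Added example: strict IKEv1/ISAKMP Phase 1 SA-payload parsing (RFC 2408/2409 layouts).
ISAKMP_HDR_LEN = 28
PAYLOAD_NONE, PAYLOAD_SA = 0, 1
ATTR_ENCRYPTION_ALGORITHM = 1        # RFC 2409 Appendix A attribute classes
ATTR_KEY_LENGTH = 14
ENC_3DES_CBC = 5
FIXED_KEY_BITS = {ENC_3DES_CBC: 192}  # assumption for the example: only 3DES listed


class MalformedPacket(ValueError):
    """Anything a robust implementation must reject instead of acting on."""


def parse_attributes(data):
    """Parse transform attributes (TV or TLV form) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 4 > len(data):
            raise MalformedPacket("truncated attribute header")
        atype, val = struct.unpack_from("!HH", data, off)
        af, atype = atype >> 15, atype & 0x7FFF
        if af:                                  # TV: 16-bit value is inline
            attrs[atype], off = val, off + 4
        else:                                   # TLV: val is the length of the data
            end = off + 4 + val
            if end > len(data):
                raise MalformedPacket("attribute length runs past transform")
            attrs[atype], off = data[off + 4:end], end
    return attrs


def check_transform(attrs):
    """Reject a Key Length attribute that contradicts a fixed-key cipher (the 3DES case)."""
    enc, klen = attrs.get(ATTR_ENCRYPTION_ALGORITHM), attrs.get(ATTR_KEY_LENGTH)
    if enc in FIXED_KEY_BITS and klen is not None and klen != FIXED_KEY_BITS[enc]:
        raise MalformedPacket(f"key length {klen} invalid for cipher {enc}")


def walk_payloads(pkt):
    """Walk the payload chain, checking every length against the datagram."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise MalformedPacket("short ISAKMP header")
    _ic, _rc, nxt, version, _exch, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt)
    if length != len(pkt):
        raise MalformedPacket("header length does not match datagram length")
    if version >> 4 != 1:
        raise MalformedPacket("unsupported ISAKMP major version")
    payloads, off = [], ISAKMP_HDR_LEN
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(pkt):
            raise MalformedPacket("truncated payload header")
        nxt_after, _res, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise MalformedPacket("payload length out of bounds")
        payloads.append((nxt, pkt[off + 4:off + plen]))
        off, nxt = off + plen, nxt_after
    if off != len(pkt):
        raise MalformedPacket("trailing bytes after last payload")
    return payloads


def parse_sa(body):
    """Parse SA body (DOI, situation, proposals, transforms); return transform attr dicts."""
    if len(body) < 8:
        raise MalformedPacket("short SA payload")
    transforms, off = [], 8
    while off < len(body):
        if off + 8 > len(body):
            raise MalformedPacket("truncated proposal header")
        _n, _r, plen, _pnum, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        pend = off + plen
        if plen < 8 + spi_size or pend > len(body):
            raise MalformedPacket("proposal length out of bounds")
        toff, count = off + 8 + spi_size, 0
        while toff < pend:
            if toff + 8 > pend:
                raise MalformedPacket("truncated transform header")
            _n, _r, tlen, _tnum, _tid, _res = struct.unpack_from("!BBHBBH", body, toff)
            if tlen < 8 or toff + tlen > pend:
                raise MalformedPacket("transform length out of bounds")
            attrs = parse_attributes(body[toff + 8:toff + tlen])
            check_transform(attrs)
            transforms.append(attrs)
            toff, count = toff + tlen, count + 1
        if count != ntrans:
            raise MalformedPacket("transform count does not match proposal")
        off = pend
    return transforms


def validate(pkt):
    """Return the transforms of the first SA payload, or raise MalformedPacket."""
    for ptype, body in walk_payloads(pkt):
        if ptype == PAYLOAD_SA:
            return parse_sa(body)
    raise MalformedPacket("no SA payload in Phase 1 message")


def is_well_formed(pkt):
    try:
        validate(pkt)
        return True
    except MalformedPacket:
        return False


def build_packet(attr_list):
    """Constructed Main Mode message: one SA payload, one proposal, one transform (TV attrs)."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attr_list)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa_body = struct.pack("!II", 1, 1) + proposal               # DOI 1 (IPsec), situation 1
    sa = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(sa_body)) + sa_body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10, 2, 0, 0,
                      ISAKMP_HDR_LEN + len(sa))              # version 1.0, exchange 2 = Main Mode
    return hdr + sa


GOOD = build_packet([(ATTR_ENCRYPTION_ALGORITHM, ENC_3DES_CBC), (ATTR_KEY_LENGTH, 192)])
BAD_KEYLEN = build_packet([(ATTR_ENCRYPTION_ALGORITHM, ENC_3DES_CBC), (ATTR_KEY_LENGTH, 128)])
OVERSIZED = bytearray(GOOD)
struct.pack_into("!H", OVERSIZED, ISAKMP_HDR_LEN + 2, 0xFFFF)   # SA payload length > datagram
OVERSIZED = bytes(OVERSIZED)

if __name__ == "__main__":
    for name, pkt in [("valid", GOOD), ("3DES bad key length", BAD_KEYLEN),
                      ("payload length overflow", OVERSIZED), ("truncated", GOOD[:-3])]:
        print(f"{name:24s} accepted={is_well_formed(pkt)}")
```

Every length field here (header, payload, proposal, transform, attribute) is checked against the enclosing container before any byte is indexed, and the transform count is checked against what was actually parsed; a parser that trusts any one of those fields is exactly what a PROTOS-style test suite finds. The 3DES check is the "crafted packet ... with an invalid key length" case made explicit: a fixed-key cipher with a variable key-length attribute is a semantic contradiction, so it is rejected at parse time rather than handed to the crypto layer.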

  • Okey, soooo.... (Score:3, Informative)

    by Kalzus ( 86795 ) on Tuesday November 15, 2005 @07:20PM (#14039822)
    They tested a bunch of implementations and a bunch of them failed out over 5000 different tests. How is this a problem with the protocol itself as opposed to how a bunch of vendors decided to implement it?

    Might've been better phrased if it read as a vulnerability with "a number of popular implementations of IKEv1" as opposed to a vulnerability with the protocol.
