
SANS ISC: Cisco and Juniper - ISAKMP Protocol - Multiple Vulnerability Issues - Internet Security | DShield SANS ISC InfoSec Forums


Cisco and Juniper - ISAKMP Protocol - Multiple Vulnerability Issues
CERT-FI and the NISCC Vulnerability Team published an advisory for an ISAKMP issue which "was identified by the Oulu University Secure Programming Group (OUSPG) from the University of Oulu in Finland."

Juniper rates this as High risk.

Cisco says "When receiving certain malformed packets, vulnerable Cisco devices may reset, causing a temporary Denial of Service (DoS)."

Openswan's announcement - Openswan response to NISCC Vulnerability Advisory 273756/NISCC/ISAKMP
"Openswan is an implementation of IPsec for Linux. It supports kernels 2.0, 2.2, 2.4 and 2.6, and runs on many different platforms, including x86, x86_64, ia64, MIPS and ARM."

UPDATE
StoneGate's advisory says their "Firewall and VPN engine versions 2.6.0 and earlier use a vulnerable version of IKEv1 implementation." "Severity: High". "Recommended Actions: All StoneGate Firewall and VPN users should upgrade their StoneGate Firewall and VPN engines to version 2.6.1 or later."

UPDATE
Secgo has an announcement that says "The following Crypto IP gateway and client versions are vulnerable:
 Crypto IP gateway/client 2.3 (all 2.3 versions)
 Crypto IP gateway/client 3.0.0 - 3.0.82
 Crypto IP client 3.1 (all 3.1 versions)
 Crypto IP gateway/client 3.2.0 - 3.2.26".


The original CERT-FI/NISCC announcements are posted here: CERT-FI and NISCC

From the advisory:

"The vulnerabilities described in this advisory affect the Internet Security
Association and Key Management Protocol (ISAKMP), which is used to provide
associations for other security protocols."

"Impact
------
The severity of these vulnerabilities varies by vendor, please see the "Vendor
Information" section below for further information or contact your vendor for
product specific information. These flaws may expose Denial-of-Service conditions,
format string vulnerabilities, and buffer overflows. In some cases, it may be
possible for an attacker to execute code. 

ISAKMP/IKE client applications may be harder to attack than server applications
because in some cases, it may be required that clients initialise the negotiation."
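
The advisory text quoted above names the flaw classes but not the malformed packets themselves. As an added example (not taken from the advisory, OUSPG or any vendor), this is the kind of framing check an ISAKMP receiver can apply before parsing any payload, using the header and generic payload header layout from RFC 2408; the function names, the payload cap and the sample datagrams are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; layout per RFC 2408, all names here are hypothetical. */
#define ISAKMP_HDR_LEN 28u  /* cookies 8+8, 4 one-byte fields, msg id 4, length 4 */
#define GENERIC_HDR_LEN 4u  /* next payload, reserved, 16-bit payload length */
#define MAX_PAYLOADS 64u    /* cap chosen for this example */
enum isakmp_check { ISAKMP_OK, ISAKMP_TRUNCATED, ISAKMP_BAD_LENGTH,
                    ISAKMP_BAD_PAYLOAD, ISAKMP_TOO_MANY };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check the framing of an unencrypted ISAKMP datagram before any payload is parsed. */
enum isakmp_check isakmp_validate(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < ISAKMP_HDR_LEN) return ISAKMP_TRUNCATED;
    if (be32(buf + 24) != len) return ISAKMP_BAD_LENGTH; /* declared vs received size */
    uint8_t next = buf[16];          /* type of the first payload, 0 = none */
    size_t off = ISAKMP_HDR_LEN;
    unsigned count = 0;
    while (next != 0) {
        if (++count > MAX_PAYLOADS) return ISAKMP_TOO_MANY;
        if (len - off < GENERIC_HDR_LEN) return ISAKMP_BAD_PAYLOAD;
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        /* Below 4 a naive walk stalls or misparses; above the remainder it over-reads. */
        if (plen < GENERIC_HDR_LEN || plen > len - off) return ISAKMP_BAD_PAYLOAD;
        next = buf[off];
        off += plen;
    }
    return off == len ? ISAKMP_OK : ISAKMP_BAD_LENGTH; /* no trailing bytes allowed */
}

/* Constructed sample datagrams (not captured traffic): header plus one 8-byte payload. */
#define HDR 0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, 0,0,0,0,0,0,0,0, \
            0x01,0x10,0x02,0x00, 0,0,0,0, 0,0,0,0x24
static const uint8_t sample_ok[]       = { HDR, 0,0,0x00,0x08, 0,0,0,1 };
static const uint8_t sample_zero_len[] = { HDR, 0,0,0x00,0x00, 0,0,0,1 };
static const uint8_t sample_overrun[]  = { HDR, 0,0,0xff,0xff, 0,0,0,1 };

int main(void) {
    printf("ok=%d zero_len=%d overrun=%d\n",
           isakmp_validate(sample_ok, sizeof sample_ok),
           isakmp_validate(sample_zero_len, sizeof sample_zero_len),
           isakmp_validate(sample_overrun, sizeof sample_overrun));
    return 0;
}
```

Messages with the encryption flag set carry encrypted payloads, so only the header checks apply to them until after decryption.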

Some information from the vendor advisory:

"Juniper Networks, Inc
Bulletin Number: PSN-2005-11-007
Title: IKE version 1 vulnerability issues resulting from OUSPG ISAKMP Test Suite (NISCC/ISAKMP/273756)
Products Affected: All Juniper Networks M/T/J/E-series routers.
Platforms Affected: JUNOS Security / JUNOSe Security"

"Risk Level: High"

"Risk Assessment:
Juniper Networks JUNOS and JUNOSe software is susceptible to certain IPSec ISAKMP/IKE vulnerabilities as exposed by the OUSPG ISAKMP/IKE test suite. Risk assessment is high for Juniper Networks E/M/T/J-series routers."

"Vendor Information"
------------------
"A complete list of vendor responses to this vulnerability are not currently
available. Please visit the web site at http://www.niscc.gov.uk/niscc/vulnAdv-en.html
in order to view the latest vendor statements."

Research
Oulu University Secure Programming Group PROTOS Test-Suite: c09-isakmp
Patrick
