NTA Monitor has discovered a Denial of Service vulnerability in the Cisco VPN 3000 series concentrator products while performing a VPN security test for a customer. The vulnerability affects Phase 1 of the IKE protocol in both Main Mode and Aggressive Mode, over both the UDP and TCP transports.
The vulnerability allows an attacker to exhaust the IKE resources on a remote VPN concentrator by starting new IKE sessions faster than the concentrator expires them from its queue. By doing this, the attacker fills up the concentrator's queue, which prevents it from handling valid IKE requests to connect or re-key. The attack does not require a high bandwidth, so one attacker could potentially target many concentrators.
In order to exploit the vulnerability, an attacker needs to send IKE packets at a rate that exceeds the concentrator's IKE session expiry rate. Tests show that the target concentrator starts to be affected at a rate of 2 packets per second and becomes unusable at 10 packets per second. As a minimal Main Mode packet with a single transform is 112 bytes long, 10 packets per second corresponds to a data rate of slightly less than 9,000 bits per second (112 x 8 x 10 = 8,960 bits per second). The concentrator remains unable to process IKE requests for as long as the flow of packets continues. Once the flow stops, the concentrator returns to normal operation as the negotiation queue drains.
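The following Python block is an added illustration of the two points made above: what a minimal IKE Phase 1 Main Mode packet with a single transform looks like on the wire, and how a defender can measure the rate of new Phase 1 negotiations per source to spot the condition before the queue fills. It is not NTA Monitor's test tool or Cisco code. The field layout follows RFC 2408 (ISAKMP) and RFC 2409 (IKE); the choice of transform attributes (3DES, SHA1, pre-shared key, MODP group 2, 28800 second lifetime), the addition of 28 bytes of IPv4 and UDP headers to reach the 112-byte figure, and the sample traffic are all assumptions made for this example. The detector treats each distinct initiator cookie as a new negotiation, so a legitimate peer retransmitting the same message is not counted twice.

```python
"""Minimal IKEv1 Main Mode SA packet builder and a per-source flood detector.

Added example, not code from the advisory. Layouts follow RFC 2408/2409; the
2 pps and 10 pps thresholds are the figures quoted in the advisory text.
The sample events below are constructed for the example.
"""
import os
import struct
from collections import defaultdict, deque

ISAKMP_HDR_LEN = 28
IP_UDP_HDR_LEN = 20 + 8      # IPv4 + UDP headers (assumption: the 112-byte
                             # figure in the advisory is the full datagram)

# RFC 2408 constants
NP_NONE, NP_SA = 0, 1        # next-payload types
EXCH_MAIN_MODE = 2           # Identity Protection (Main Mode) exchange
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1


def attr_basic(atype, value):
    """Basic (fixed 2-byte value) attribute: AF bit set."""
    return struct.pack("!HH", 0x8000 | atype, value)


def attr_tlv(atype, value):
    """Variable-length attribute: AF bit clear, explicit length."""
    return struct.pack("!HH", atype, len(value)) + value


def build_transform():
    """Transform 1 / KEY_IKE: ENC=3DES(5) HASH=SHA1(2) AUTH=PSK(1)
    GROUP=2 LIFE_TYPE=seconds(1) LIFE_DURATION=28800 (assumed values)."""
    attrs = (attr_basic(1, 5) + attr_basic(2, 2) + attr_basic(3, 1)
             + attr_basic(4, 2) + attr_basic(11, 1)
             + attr_tlv(12, struct.pack("!I", 28800)))
    body = struct.pack("!BBH", 1, KEY_IKE, 0) + attrs
    return struct.pack("!BBH", NP_NONE, 0, 4 + len(body)) + body


def build_proposal():
    """Proposal 1, protocol ISAKMP, no SPI, exactly one transform."""
    t = build_transform()
    body = struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, 1) + t
    return struct.pack("!BBH", NP_NONE, 0, 4 + len(body)) + body


def build_sa_payload():
    body = struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + build_proposal()
    return struct.pack("!BBH", NP_NONE, 0, 4 + len(body)) + body


def build_main_mode_msg1(initiator_cookie=None):
    """First Main Mode message: ISAKMP header (28 bytes) + SA payload.
    A fresh initiator cookie makes the responder open a new Phase 1 entry."""
    sa = build_sa_payload()
    icookie = initiator_cookie or os.urandom(8)
    hdr = struct.pack("!8s8sBBBBII", icookie, b"\0" * 8, NP_SA, 0x10,
                      EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


def bits_per_second(datagram_len, pps):
    """Link load implied by a packet size and packet rate."""
    return datagram_len * 8 * pps


def peak_new_sessions_per_second(events, window_s=1.0):
    """events: (timestamp, src_ip, initiator_cookie) for IKE packets seen on
    UDP/500 or the TCP transport. Returns {src: peak distinct cookies seen in
    any sliding window of window_s seconds}. Retransmits (same cookie) do
    not raise the count, because they do not create a new negotiation."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, cookie in sorted(events):
        q = recent[src]
        q.append((ts, cookie))
        while q and ts - q[0][0] >= window_s:
            q.popleft()
        peak[src] = max(peak[src], len({c for _, c in q}))
    return dict(peak)


def classify(new_sessions_per_second, onset_pps=2, unusable_pps=10):
    """Map a measured rate onto the advisory's two observed thresholds."""
    if new_sessions_per_second >= unusable_pps:
        return "unusable"
    if new_sessions_per_second >= onset_pps:
        return "degraded"
    return "normal"


def sample_events():
    """Constructed traffic: one source at 10 pps with fresh cookies for 3 s,
    one legitimate peer sending a message and one retransmit of it."""
    ev = [(100.0 + i / 10, "203.0.113.7", struct.pack("!Q", i + 1))
          for i in range(30)]
    legit = b"\x11" * 8
    ev.append((100.2, "198.51.100.20", legit))
    ev.append((101.2, "198.51.100.20", legit))   # retransmit, same cookie
    return ev


if __name__ == "__main__":
    pkt = build_main_mode_msg1()
    print("IKE payload bytes:", len(pkt),
          "on-wire datagram:", len(pkt) + IP_UDP_HDR_LEN)
    print("bps at 10 pps:", bits_per_second(len(pkt) + IP_UDP_HDR_LEN, 10))
    for src, rate in peak_new_sessions_per_second(sample_events()).items():
        print(src, rate, classify(rate))
```

Running the block prints an 84-byte IKE payload, which becomes a 112-byte datagram once the IPv4 and UDP headers are added, and a load of 8,960 bits per second at 10 packets per second; the constructed 10 pps source is reported as "unusable" and the retransmitting peer as "normal". The packet builder only returns bytes; it deliberately does not send anything.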
It is not normally possible to block public inbound access to the IKE service on the VPN concentrator, because that service is required for remote access IPsec operation. It is possible for attackers to detect and fingerprint Cisco VPN concentrators using the IKE fingerprinting techniques published in NTA's VPN security white paper of January 2005. Users should therefore not assume that their concentrator is invisible just because it is not published in the DNS and is not running any TCP services.
The vulnerability was first discovered on 4 July 2005 and was reported to Cisco's security team (PSIRT) the same day. Cisco responded on 9 August 2005 and again on 24 July 2006, but no fix has been produced in the year since the flaw was found. There is no known fix or workaround at this time.
The issue is believed to affect all models of Cisco VPN 3000 Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080. It is suspected that other Cisco products that support IKE may also be affected, but this has not been confirmed.
Related links:
www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
www.nta-monitor.com/posts/2005/01/vpn-flaws.html