Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Cisco VPN 3000 Concentrator IKE v1 Lets Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1016582
|
|
SecurityTracker URL: http://securitytracker.com/id?1016582
|
|
CVE Reference: CVE-2006-3906
(Links to External Site)
|
Updated: Jun 13 2008
|
Original Entry Date: Jul 26 2006
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): 3000 series
|
Description: A vulnerability was reported in Cisco VPN 3000 Concentrator. A remote user can cause denial of service conditions.
A remote user can send a high rate of Internet Key Exchange (IKE) Phase-1 requests to prevent valid clients from connecting or re-keying.
The
target concentrator may be affected by packets sent at a rate of 2 packets per second and becomes unusable when packets are sent
at a rate of 10 packets per second. The attack does not require high bandwidth.
One the packet flood stops, the target device
will return to normal operations.
The attack does not affect existing VPN tunnels (unless the tunnel needs to rekey).
Cisco
has assigned Cisco Bug IDs CSCse70811, CSCdt92467, and CSCsb51032 to this vulnerability.
The vendor was notified on July 4, 2005.
The
original advisory is available at:
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
Roy Hills from NTA
Monitor reported this vulnerability.
|
Impact: A remote user can cause denial of service conditions.
|
Solution: No solution was available at the time of this entry.
Cisco notes that this vulnerability is inherent in the IKE version 1 protocol
and is not specific to any vendor implementation. Other Cisco products that use this version of the protocol are the PIX and ASA
security appliances and Cisco IOS software. On Cisco IOS, the vulnerability can be mitigated using the "Call Admission Control
for IKE" feature:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html
The Cisco
response is available at:
http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml
|
Vendor URL: www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml (Links to External Site)
|
Cause: Resource error
|
Reported By: Roy Hills <Roy.Hills@nta-monitor.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 26 Jul 2006 14:57:31 +0100
From: Roy Hills <Roy.Hills@nta-monitor.com>
Subject: [Full-disclosure] Cisco VPN Concentrator IKE resource exhaustion
|
Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
1. Overview
NTA Monitor discovered a denial of service vulnerability in the Cisco
VPN 3000 series concentrator products while performing a VPN security
test for a customer in July 2005.
The vulnerability affects Phase-1 of the IKE protocol. Both Main Mode
and Aggressive Mode over both UDP and TCP transports are affected.
The vulnerability allows an attacker to exhaust the IKE resources on
a VPN concentrator by sending a high rate of IKE requests, which will
prevent valid clients from connected or re-keying. The attack does
not require a high bandwidth, so one attacker could potentially
target many concentrators.
This mechanism behind this vulnerability is similar to the well-known
TCP SYN flood vulnerability.
2. Vulnerability Details
The vulnerability allows an attacker to exhaust the IKE resources on
a remote VPN concentrator by starting new IKE sessions faster than
the concentrator expires them from its queue. By doing this, the
attacker fills up the concentrator's queue, which prevents it from
handling valid IKE requests.
The exploit involves sending IKE Phase-1 packets containing an
acceptable transform. It is not necessary to have valid credentials
in order to exploit this vulnerability, as the problem occurs before
the authentication stage. The vulnerability affects both Main Mode
and Aggressive Mode, and both normal IKE over UDP and Cisco
proprietary TCP-encapsulated IKE.
In order to exploit the vulnerability, the attacker needs to send IKE
packets at a rate which exceeds the Concentrator's IKE session expiry
rate. Tests show that the target concentrator starts to be affected
at a rate of 2 packets per second, and is becomes unusable at 10
packets per second. As a minimal Main Mode packet with a single
transform is 112 bytes long, 10 packets per second corresponds to a
data rate of slightly less than 9,000 bits per second.
The concentrator will remain unable to process IKE requests as long
as the flow of packets continues. Once the flow stops, the
concentrator will return to normal operation as the negotiation queue drains.
It is not normally possible to block public inbound access to the IKE
service on the VPN concentrator, because it is required for remote
access IPsec operation. As IKE normally uses the UDP transport
protocol, the attacker may forge the packet's source IP address to
avoid identification, or to prevent the victim from blocking the
traffic with ingress filtering. In addition, IDS/IPS systems will
probably not be able to detect the attack, because the packets are
valid IKE packets.
It is possible for attackers to detect and fingerprint Cisco VPN
concentrators using the IKE fingerprinting techniques that we have
previously published in VPN security white papers. Therefore users
should not assume that their concentrator is invisible just because
it's not published in the DNS and is not running any TCP services.
The symptoms are that the target concentrator won't respond to IKE
requests from any source when all the negotiation slots are filled.
This means that new clients will be unable to connect, and Phase-1
re-keying attempts will fail. It is not known if Phase-2 re-keying is
also affected. Traffic over existing VPN tunnels should not be
affected until they need to re-key.
The mechanism behind this vulnerability is similar to that behind the
well-known TCP SYN flood issue. In both cases the target system has a
stateful mechanism for recording outstanding negotiations, uses a
fixed-size list to store negotiations in progress, and does not
require any authentication in order to start a negotiation.
3. Example
We are not planning to release examples of how to exploit this
vulnerability until it has been addressed and users have had an
opportunity to apply the fix or workaround.
4. Affected Versions
The issue is believed to affect all models of Cisco VPN 3000
Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080. It is suspected
that other cisco products that support IKE may also be affected, but
this has not been confirmed.
5. Solution
There is no known fix or workaround at this time.
6. Timeline
The vulnerability was first discovered on 4th July 2005, and was
reported to Cisco's security team (PSIRT) the same day. Cisco
responded on 9th August 2005, but no further progress has been made.
7. References
NTA Monitor advisory
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
Roy Hills
NTA Monitor Ltd
--
Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate, Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA,
UK WWW: http://www.nta-monitor.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
Go to the Top of This SecurityTracker Archive Page
|
