Multiple vulnerabilities in Internet Key Exchange (IKE) version 1 implementations

2005-11-17T00:00:00
ID VU:226364
Type cert
Reporter CERT
Modified 2006-01-03T00:00:00

Description

Overview

Numerous vulnerabilities have been reported in various Internet Key Exchange version 1 (IKEv1) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner.

Description

The U.K. National Infrastructure Security Co-ordination Center (NISCC) and CERT-FI have reported numerous vulnerabilities in IKEv1 implementations. The IKE protocol (RFC 2409) operates within the framework of the Internet Security Association (SA) and Key Management Protocol (ISAKMP, RFC 2408) and provides a way for nodes to authenticate each other and exchange keying material that is used to establish secure network services. IKE is commonly used by IPSec-based VPNs. The IKE negotiation process consists of two phases. Phase 1 establishes an ISAKMP SA. Phase 2 is used to create SAs for other security protocols.

These vulnerabilities were discovered using the PROTOS Test Tool developed by Oulu University Secure Programming Group (OUSPG). The results of the tests are described in NISCC Vulnerability Advisory 273756/NISCC/ISAKMP. According to that advisory, many IKEv1 implementations contain buffer overflow, format string, and other unspecified vulnerabilities in phase 1 of IKEv1. Exploitation of these vulnerabilities may allow a remote attacker to compromise a system's security.


Impact

These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial-of-service condition, gain access to sensitive information, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner. In addition, many of these vulnerabilities may be exploited remotely by sending a specially crafted packet to a vulnerable IKEv1 installation.


Solution

Apply a patch from an affected product vendor


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Check Point Software Technologies| | 15 Nov 2005| 17 Nov 2005
Cisco Systems, Inc.| | 15 Nov 2005| 17 Nov 2005
Fortinet, Inc.| | 15 Nov 2005| 12 Dec 2005
Hewlett-Packard Company| | 15 Nov 2005| 17 Nov 2005
NEC Corporation| | 15 Nov 2005| 16 Dec 2005
Nortel Networks, Inc.| | 15 Nov 2005| 30 Nov 2005
Openswan Linux IPsec software| | 15 Nov 2005| 17 Nov 2005
QNX, Software Systems, Inc.| | 15 Nov 2005| 02 Dec 2005
Stonesoft| | 15 Nov 2005| 17 Nov 2005
Sun Microsystems, Inc.| | 15 Nov 2005| 17 Nov 2005
Hitachi| | 15 Nov 2005| 03 Jan 2006
Intoto| | 15 Nov 2005| 17 Nov 2005
Microsoft Corporation| | 15 Nov 2005| 15 Nov 2005
3com, Inc.| | 15 Nov 2005| 15 Nov 2005
Alcatel| | 15 Nov 2005| 15 Nov 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp>
  • <http://www.ficora.fi/suomi/tietoturva/varoitukset/varoitus-2005-82.htm>
  • <http://www.auscert.org.au/5748>
  • <http://jvn.jp/niscc/NISCC-273756/index.html>
  • <http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en>
  • <http://secunia.com/advisories/17608/>
  • <http://secunia.com/advisories/17621/>
  • <http://secunia.com/advisories/17553/>
  • <http://secunia.com/advisories/17684/>
  • <http://secunia.com/advisories/17668/>
  • <http://secunia.com/advisories/17663/>
  • <http://secunia.com/advisories/17838/>

Credit

These vulnerabilities were reported by NISCC and CERT-FI

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 14 Nov 2005
  • Date First Published: 17 Nov 2005
  • Date Last Updated: 03 Jan 2006
  • Severity Metric: 16.54
  • Document Revision: 31