CVSS2 | 7.8 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |

CVSS3 | 7.5 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS | 0.001 Low |
---|---|
Percentile | 50.1% |

Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
More details are provided in a white paper from the researcher.
An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
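An operator of an IKE/IKEv2 server can check whether it is being used as a reflector by comparing, per remote address, the IKE bytes the server sent with the IKE bytes it received. The following is an added example, not part of the original advisory: the flow-record format, the addresses, and the `min_ratio` and `min_out` thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

IKE_PORTS = {500, 4500}      # IKE and IKE NAT traversal, both over UDP
SERVER = "198.51.100.10"     # assumed address of the IKE server being monitored

# Constructed flow records: src sport dst dport proto bytes
SAMPLE_FLOWS = """\
203.0.113.7 500 198.51.100.10 500 udp 1620
198.51.100.10 500 203.0.113.7 500 udp 1540
203.0.113.99 500 198.51.100.10 500 udp 400
198.51.100.10 500 203.0.113.99 500 udp 3600
203.0.113.20 4500 198.51.100.10 4500 udp 300
198.51.100.10 4500 203.0.113.20 4500 udp 320
198.51.100.10 53 203.0.113.99 40000 udp 5000
"""

def ike_bytes_by_peer(text, server=SERVER):
    """Return {peer: (bytes_received_from_peer, bytes_sent_to_peer)} for IKE."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, size = line.split()
        if proto != "udp":
            continue
        if dst == server and int(dport) in IKE_PORTS:
            totals[src][0] += int(size)      # request bytes arriving at the server
        elif src == server and int(sport) in IKE_PORTS:
            totals[dst][1] += int(size)      # response bytes leaving the server
    return {peer: tuple(v) for peer, v in totals.items()}

def reflection_suspects(text, min_ratio=3.0, min_out=1000):
    """Peers to which the server sent at least min_ratio times what it received."""
    flagged = {}
    for peer, (received, sent) in ike_bytes_by_peer(text).items():
        if sent < min_out:                   # ignore exchanges too small to matter
            continue
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            flagged[peer] = round(ratio, 2)
    return flagged

if __name__ == "__main__":
    for peer, ratio in reflection_suspects(SAMPLE_FLOWS).items():
        print(f"{peer}: server sent {ratio}x the IKE bytes it received")
```

An address flagged this way is more likely the spoofed target of the reflected traffic than a real VPN peer, so the useful response is rate limiting on the server and source-address filtering upstream rather than blocking that address.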
The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.
Please consider one of the workarounds listed below.
A full solution may require revisions to RFC 7296 and/or RFC 2408.
Perform Egress Filtering
Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product’s documentation for instructions on how to perform egress filtering.
419128
Notified: February 12, 2016 Updated: July 18, 2017
Statement Date: July 14, 2017
Affected
We have not received a statement from the vendor.
Oracle has provided a critical security patch for this issue, and assigned CVE-2017-10042 for it.
Notified: February 12, 2016 Updated: February 15, 2016
Statement Date: February 12, 2016
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 12, 2016 Updated: March 04, 2016
Statement Date: March 03, 2016
Not Affected
We have not received a statement from the vendor.
Microsoft does not believe any of its products are directly affected.
Notified: February 12, 2016 Updated: February 12, 2016
Unknown
We have not received a statement from the vendor.
Notified: February 12, 2016 Updated: March 01, 2016
Unknown
We have not received a statement from the vendor.
OpenBSD has their own from-scratch IKE daemon: <http://www.openiked.org/>
It is currently unclear if this daemon is vulnerable or has been patched.
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Temporal | 6.7 | E:POC/RL:W/RC:C |
Environmental | 6.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Chad Seaman of Akamai for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | None |
---|---|
Date Public: | 2016-02-25 |
Date First Published: | |