Vulnerability Note VU#287771

Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets

Original Release date: 12 Aug 2002 | Last revised: 09 Feb 2004

Overview

Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system.

Description

The CERT/CC has received a report describing several vulnerabilities in different vendors' IKE implementations. The IKE protocol (RFC 2409) operates within the framework of the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408) and provides a way for nodes to authenticate each other and exchange keying material that is used to establish secure network services. IKE is commonly used by IPSec-based VPNs.

During an IKE exchange, some IKE implementations do not properly handle exceptional response packets. The report enumerates several cases:

  • IKE represents the ISAKMP security association (SA) in the Security Parameter Index (SPI) field of a response packet. An overly large SPI payload value could trigger a buffer overflow.
  • An IKE response packet with a large number of payloads or an overly large payload could trigger buffer overflows.
  • An IKE response packet with a payload length of zero could cause vulnerable IKE implementations to consume CPU resources, causing a denial-of-service condition.

These problems have been shown to exist in IPSec-based VPN client software operating in Aggressive Mode during a phase 1 IKE exchange. Other software and other types of exchanges may also be affected.
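As an added illustration, not code from the advisory or from any affected vendor, the following C routine walks the payload chain of a raw ISAKMP datagram and rejects each malformed case enumerated above before any payload is copied: a payload length of zero (which would otherwise never advance the parse offset), payload counts or lengths that exceed the bytes received, and an SPI size larger than a phase 1 SPI can be. Header and payload layouts follow RFC 2408; MAX_PAYLOADS and MAX_PHASE1_SPI are assumed local limits, and the sample datagrams in the usage are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* Sizes and payload type codes from RFC 2408 (ISAKMP). */
#define HDR_LEN 28          /* ISAKMP header */
#define GEN_LEN 4           /* generic payload header: next, reserved, length */
#define PT_NONE 0
#define PT_SA 1
#define SA_FIXED 8          /* DOI + Situation (IPsec DOI) before the first Proposal */
#define MAX_PAYLOADS 32     /* assumed local cap, not taken from the advisory */
#define MAX_PHASE1_SPI 16   /* assumed: a phase 1 SPI is empty or the 16-byte cookie pair */
enum { IKE_OK = 0, IKE_ERR_SHORT, IKE_ERR_ZERO_LEN, IKE_ERR_OVERRUN, IKE_ERR_TOO_MANY, IKE_ERR_SPI };
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Check the first Proposal of an SA payload; `avail` is the bytes left in that payload. */
static int check_proposal_spi(const uint8_t *prop, size_t avail)
{
    if (avail < GEN_LEN + 4) return IKE_ERR_SHORT;   /* proposal#, protocol, SPI size, #transforms */
    uint8_t spi_size = prop[6];
    /* Reject an SPI longer than a cookie pair, or longer than the bytes present, instead of copying it. */
    if (spi_size > MAX_PHASE1_SPI || (size_t)spi_size > avail - (GEN_LEN + 4)) return IKE_ERR_SPI;
    return IKE_OK;
}

/* Walk the payload chain of a raw ISAKMP datagram of `len` bytes, validating every length
   field against what was actually received. Returns IKE_OK or the first error; *count = payloads seen. */
int isakmp_check_payloads(const uint8_t *pkt, size_t len, unsigned *count)
{
    *count = 0;
    if (len < HDR_LEN) return IKE_ERR_SHORT;
    if (be32(pkt + 24) > len) return IKE_ERR_OVERRUN;   /* header claims more than received */
    uint8_t np = pkt[16];                               /* Next Payload field of the header */
    size_t off = HDR_LEN;
    while (np != PT_NONE) {
        if (++*count > MAX_PAYLOADS) return IKE_ERR_TOO_MANY;
        if (len - off < GEN_LEN) return IKE_ERR_SHORT;
        uint16_t plen = be16(pkt + off + 2);
        /* A length below 4 (zero in the reported case) would leave `off` unchanged: an endless loop. */
        if (plen < GEN_LEN) return IKE_ERR_ZERO_LEN;
        if (plen > len - off) return IKE_ERR_OVERRUN;   /* payload runs past the datagram */
        if (np == PT_SA) {
            if (plen < GEN_LEN + SA_FIXED) return IKE_ERR_SHORT;
            int rc = check_proposal_spi(pkt + off + GEN_LEN + SA_FIXED, plen - GEN_LEN - SA_FIXED);
            if (rc != IKE_OK) return rc;
        }
        np = pkt[off];          /* chain to the next payload before advancing */
        off += plen;
    }
    return IKE_OK;
}
```

Each check maps to one bullet above; a production daemon would additionally validate the per-type bodies of every payload type it accepts, not only the SA payload shown here.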

Impact

An attacker who is able to send solicited IKE responses could execute arbitrary code with the privileges of the IKE service or cause a denial of service. The attacker must act as an IKE responder, and therefore must either control the responder, be able to spoof IKE response packets, or be able to redirect the IKE initiator to a responder under the attacker's control.

Solution

Upgrade or Patch

Upgrade or apply a patch to vulnerable IKE software as specified by your vendor.

Block or Restrict Access

Using a firewall or other packet filtering technology, block or restrict access to the IKE service, 500/udp. Note that blocking access will effectively disable an IPSec-based VPN that relies on IKE for key exchange.

Systems Affected

Vendor                    | Status       | Date Notified | Date Updated
--------------------------|--------------|---------------|-------------
Cisco Systems Inc.        | Affected     | 08 May 2002   | 09 Aug 2002
NetScreen                 | Affected     | -             | 05 Feb 2003
Network Associates        | Affected     | 08 May 2002   | 10 Sep 2002
OpenBSD                   | Affected     | 02 Jul 2002   | 05 Feb 2003
PGP                       | Affected     | 10 May 2002   | 05 Sep 2002
SafeNet                   | Affected     | 13 May 2002   | 20 Aug 2002
SonicWALL Inc.            | Affected     | -             | 01 Apr 2003
Apple Computer Inc.       | Not Affected | 02 Jul 2002   | 06 Aug 2002
Clavister                 | Not Affected | -             | 05 Sep 2002
Cray Inc.                 | Not Affected | 02 Jul 2002   | 06 Aug 2002
FreeBSD                   | Not Affected | 02 Jul 2002   | 05 Sep 2002
Fujitsu                   | Not Affected | 02 Jul 2002   | 12 Aug 2002
Hewlett-Packard Company   | Not Affected | 02 Jul 2002   | 05 Feb 2003
Hitachi                   | Not Affected | -             | 05 Sep 2002
IBM                       | Not Affected | 02 Jul 2002   | 11 Dec 2002

CVSS Metrics

Group         | Score | Vector
--------------|-------|-------
Base          | N/A   | N/A
Temporal      | N/A   | N/A
Environmental | N/A   | N/A

Credit

The CERT/CC thanks Anton Rager of Avaya Security Consulting Services from Avaya, Inc. for reporting this vulnerability and providing information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 14 Aug 2002
  • Date First Published: 12 Aug 2002
  • Date Last Updated: 09 Feb 2004
  • Severity Metric: 1.03
  • Document Revision: 52