US-CERT Vulnerability Notes Database

Vulnerability Note VU#287771

Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets

Overview

Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system.

I. Description

The CERT/CC has received a report describing several vulnerabilities in different vendors' IKE implementations. The IKE protocol (RFC 2409) operates within the framework of the Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408) and provides a way for nodes to authenticate each other and exchange keying material that is used to establish secure network services. IKE is commonly used by IPSec-based VPNs.

During an IKE exchange, some IKE implementations do not properly handle exceptional response packets. The report enumerates several cases:

  • IKE represents the ISAKMP security association (SA) in the Security Parameter Index (SPI) field of a response packet. An overly large SPI payload value could trigger a buffer overflow.
  • An IKE response packet with a large number of payloads or an overly large payload could trigger buffer overflows.
  • An IKE response packet with a payload length of zero could cause vulnerable IKE implementations to consume CPU resources, causing a denial-of-service condition.
These problems have been shown to exist in IPSec-based VPN client software operating in Aggressive Mode during a phase 1 IKE exchange. Other software and other types of exchanges may also be affected.
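The three malformed shapes listed above are all failures of payload-chain validation on the initiator side. The following is an added example, not code from CERT/CC, the reporter, or any affected vendor: it parses an ISAKMP datagram defensively and rejects an SPI larger than the payload carrying it, a chain longer than a constructed cap of 32 payloads, and a payload whose declared length is too small to advance the parser (the CPU-consumption case). The `build` helper, the `MAX_PAYLOADS` cap and the test datagrams are constructed for this example.

```python
import struct

HDR_LEN, GEN_HDR_LEN = 28, 4      # ISAKMP header and generic payload header sizes (RFC 2408)
MAX_PAYLOADS = 32                 # constructed cap for this example; RFC 2408 sets none
PROTO_ISAKMP, NOTIFY, DELETE = 1, 11, 12

def build(payloads):
    """Constructed test helper: chain (type, body) pairs into a phase-1 Aggressive Mode datagram."""
    types = [t for t, _ in payloads] + [0]          # each header names the *next* payload type
    chain = b"".join(struct.pack("!BBH", types[i + 1], 0, GEN_HDR_LEN + len(b)) + b
                     for i, (_, b) in enumerate(payloads))
    return b"\x11" * 16 + struct.pack("!BBBBII", types[0], 0x10, 4, 0, 0, HDR_LEN + len(chain)) + chain

def check_spi(body):
    """Notification/Delete share a DOI(4) proto(1) spi_size(1) prefix; the SPI must fit the payload."""
    if len(body) < 8:
        raise ValueError("SPI payload shorter than its fixed fields")
    proto, spi_size = body[4], body[5]
    if proto == PROTO_ISAKMP and spi_size > 16:    # ISAKMP SPI is the 16-byte cookie pair at most
        raise ValueError("ISAKMP SPI size %d exceeds 16" % spi_size)
    if 8 + spi_size > len(body):                   # never copy an SPI the payload does not contain
        raise ValueError("SPI size %d exceeds payload body" % spi_size)

def parse_payloads(msg):
    """Walk the payload chain; return [(type, body)] or raise ValueError on any malformed shape."""
    if len(msg) < HDR_LEN or struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("ISAKMP header length does not match datagram")
    ptype, off, out = msg[16], HDR_LEN, []
    while ptype != 0:
        if len(out) >= MAX_PAYLOADS:               # bound the chain before any per-payload work
            raise ValueError("more than %d payloads" % MAX_PAYLOADS)
        if off + GEN_HDR_LEN > len(msg):
            raise ValueError("payload header at offset %d runs past end" % off)
        next_p, plen = msg[off], struct.unpack("!H", msg[off + 2:off + 4])[0]
        if plen < GEN_HDR_LEN:                     # zero length would never advance off: the CPU-spin case
            raise ValueError("payload length %d at offset %d" % (plen, off))
        if off + plen > len(msg):                  # declared length larger than what was received
            raise ValueError("payload length %d at offset %d overruns message" % (plen, off))
        body = msg[off + GEN_HDR_LEN:off + plen]
        if ptype in (NOTIFY, DELETE):
            check_spi(body)
        out.append((ptype, body))
        ptype, off = next_p, off + plen
    return out

def verdict(msg):  # "ok" or the rejection reason, for callers that prefer not to catch
    try:
        parse_payloads(msg)
        return "ok"
    except ValueError as e:
        return str(e)
```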

II. Impact

An attacker who is able to send solicited IKE responses could execute arbitrary code with the privileges of the IKE service or cause a denial of service. The attacker must act as an IKE responder, and therefore must have control over the responder, the ability to spoof IKE response packets, or the ability to redirect the IKE initiator to a responder controlled by the attacker.

III. Solution

Upgrade or Patch

Upgrade or apply a patch to vulnerable IKE software as specified by your vendor.

Block or Restrict Access

Using a firewall or other packet filtering technology, block or restrict access to the IKE service, 500/udp. Note that blocking access will effectively disable an IPSec-based VPN that relies on IKE for key exchange.

Systems Affected

Vendor                        | Status         | Date Notified / Date Updated
------------------------------|----------------|-----------------------------
Apple Computer Inc.           | Not Vulnerable | 6-Aug-2002
Avaya                         | Unknown        | 13-Aug-2002
Cisco Systems Inc.            | Vulnerable     | 9-Aug-2002
Clavister                     | Not Vulnerable | 5-Sep-2002
Cray Inc.                     | Not Vulnerable | 6-Aug-2002
Data General                  | Unknown        | 3-Jul-2002
Debian                        | Unknown        | 3-Jul-2002
F-Secure                      | Unknown        | 5-Aug-2002
FreeBSD                       | Not Vulnerable | 5-Sep-2002
FreeS/WAN                     | Unknown        | 15-May-2002
Fujitsu                       | Not Vulnerable | 12-Aug-2002
Guardian Digital Inc.         | Unknown        | 3-Jul-2002
Hewlett-Packard Company       | Not Vulnerable | 5-Feb-2003
Hitachi                       | Not Vulnerable | 5-Sep-2002
IBM                           | Not Vulnerable | 11-Dec-2002
KAME Project                  | Not Vulnerable | 12-Aug-2002
MandrakeSoft                  | Unknown        | 3-Jul-2002
Microsoft Corporation         | Not Vulnerable | 12-Aug-2002
NEC Corporation               | Not Vulnerable | 24-Jun-2003
NetBSD                        | Not Vulnerable | 5-Sep-2002
NetScreen                     | Vulnerable     | 5-Feb-2003
Network Associates            | Vulnerable     | 10-Sep-2002
NIST                          | Not Vulnerable | 12-Aug-2002
Nortel Networks               | Not Vulnerable | 20-Aug-2002
OpenBSD                       | Vulnerable     | 5-Feb-2003
PGP                           | Vulnerable     | 5-Sep-2002
Red Hat Inc.                  | Not Vulnerable | 16-Aug-2002
SafeNet                       | Vulnerable     | 20-Aug-2002
Sequent                       | Unknown        | 3-Jul-2002
SGI                           | Not Vulnerable | 12-Aug-2002
SonicWALL Inc.                | Vulnerable     | 1-Apr-2003
Sony Corporation              | Unknown        | 3-Jul-2002
SSH Communications Security   | Not Vulnerable | 12-Aug-2002
Sun Microsystems Inc.         | Not Vulnerable | 5-Aug-2002
SuSE Inc.                     | Not Vulnerable | 12-Aug-2002
The SCO Group (SCO Linux)     | Unknown        | 3-Jul-2002
Unisys                        | Unknown        | 3-Jul-2002
Wind River Systems Inc.       | Unknown        | 3-Jul-2002

References

http://www.ietf.org/html.charters/ipsec-charter.html
http://www.ietf.org/rfc/rfc2408.txt
http://www.ietf.org/rfc/rfc2409.txt
http://www.ietf.org/rfc/rfc2412.txt
http://www.vpnc.org/
http://online.securityfocus.com/bid/5440
http://online.securityfocus.com/bid/5441
http://online.securityfocus.com/bid/5443
http://www.securityfocus.com/bid/5449
http://www.securityfocus.com/bid/5668
http://ikecrack.sourceforge.net/
http://www.nta-monitor.com/ike-scan/

Credit

The CERT/CC thanks Anton Rager of Avaya Security Consulting Services from Avaya, Inc. for reporting this vulnerability and providing information used in this document.

This document was written by Art Manion.

Other Information

Date Public: 2002-08-14
Date First Published: 2002-08-12
Date Last Updated: 2004-02-09
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 1.03
Document Revision: 52

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Copyright 2002 Carnegie Mellon University