Overview
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
Description
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. The first IKEv2 exchange (IKE_SA_INIT) is carried over UDP and is not authenticated, so a server will answer a small request carrying a spoofed source address with a considerably larger response delivered to that address. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
Impact
An unauthenticated remote attacker may leverage a vulnerable IKE/IKEv2 server as a reflector to conduct a distributed reflective denial-of-service (DRDoS) attack against another host or network.
Solution
The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.
Perform Egress Filtering
Network operators should drop outbound packets whose source address does not belong to their own address space (BCP 38 / RFC 2827). Reflection depends on the attacker being able to spoof the victim's address in the request; where spoofed packets cannot leave the originating network, an IKE server cannot be used to direct traffic at a third party.
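The check below is added here as an example; it is not part of this CERT/CC note and not any vendor's code. It parses the fixed IKEv2 header defined in RFC 7296 from UDP datagrams (including the non-ESP marker used on UDP/4500) and, per client address, compares the bytes a server sends in IKE_SA_INIT responses with the bytes it received in IKE_SA_INIT requests. Because a reflected request carries the victim's address as its source, the victim shows up as a "client" with a large out/in ratio even though it never sent anything. The sample traffic is constructed inline; the addresses, SPIs, payload sizes and the 3x flag threshold are assumptions chosen for illustration.

```python
"""Added example (not CERT/CC or any vendor's code): parse the fixed IKEv2
header from UDP payloads and measure how many response bytes a server sends
back per request byte, per client address, to spot reflection abuse."""
import struct
from collections import defaultdict

# RFC 7296 section 3.1, fixed 28-byte IKE header, network byte order:
# SPIi(8) SPIr(8) next payload(1) version(1) exchange type(1) flags(1)
# message ID(4) length(4)
IKE_HDR = struct.Struct("!QQBBBBII")
IKE_HDR_LEN = IKE_HDR.size                 # 28
EXCH_IKE_SA_INIT = 34
PAYLOAD_SA = 33
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"       # prepended on UDP/4500 (RFC 3948)


def parse_ike_header(payload, dport=500):
    """Return the header fields of one IKEv2 datagram; raise ValueError otherwise."""
    if dport == 4500 and payload.startswith(NON_ESP_MARKER):
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HDR_LEN:
        raise ValueError("datagram shorter than IKE header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    if version >> 4 != 2:
        raise ValueError("IKE major version %d, not IKEv2" % (version >> 4))
    if length != len(payload):
        raise ValueError("IKE length %d does not match datagram %d" % (length, len(payload)))
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "msg_id": msg_id,
            "length": length,
            "initiator": bool(flags & FLAG_INITIATOR),
            "response": bool(flags & FLAG_RESPONSE)}


def amplification_report(datagrams, threshold=3.0):
    """datagrams: (src, sport, dst, dport, payload) tuples as seen on the wire.

    Counts IKE_SA_INIT request bytes *from* each address and IKE_SA_INIT
    response bytes *to* it. A spoofed request makes the victim's address the
    "client", so a high bytes_out/bytes_in ratio there is the reflection."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    requests = defaultdict(int)
    for src, sport, dst, dport, payload in datagrams:
        try:
            hdr = parse_ike_header(payload, dport)
        except ValueError:
            continue                       # not IKEv2 on this port: skip
        if hdr["exchange"] != EXCH_IKE_SA_INIT:
            continue
        if hdr["response"]:
            bytes_out[dst] += len(payload)
        elif hdr["initiator"]:
            bytes_in[src] += len(payload)
            requests[src] += 1
    report = {}
    for client, n_in in bytes_in.items():
        ratio = bytes_out[client] / n_in
        report[client] = {"requests": requests[client], "bytes_in": n_in,
                          "bytes_out": bytes_out[client],
                          "ratio": round(ratio, 2), "flag": ratio >= threshold}
    return report


# --- constructed sample traffic (not a real capture) ----------------------
def build_ike_sa_init(spi_i, spi_r, response, body_len):
    """Constructed IKE_SA_INIT datagram: real header, zero-filled body."""
    flags = FLAG_RESPONSE if response else FLAG_INITIATOR
    hdr = IKE_HDR.pack(spi_i, spi_r, PAYLOAD_SA, 0x20, EXCH_IKE_SA_INIT,
                       flags, 0, IKE_HDR_LEN + body_len)
    return hdr + b"\x00" * body_len


VICTIM, SERVER, CLIENT = "203.0.113.5", "198.51.100.10", "192.0.2.20"  # assumed addresses
SAMPLE_DATAGRAMS = [
    # attacker spoofs VICTIM as source; server answers VICTIM with ~9x the bytes
    (VICTIM, 500, SERVER, 500, build_ike_sa_init(0x1111, 0, False, 60)),      # 88 B
    (SERVER, 500, VICTIM, 500, build_ike_sa_init(0x1111, 0x9A01, True, 772)),  # 800 B
    (VICTIM, 500, SERVER, 500, build_ike_sa_init(0x2222, 0, False, 60)),
    (SERVER, 500, VICTIM, 500, build_ike_sa_init(0x2222, 0x9A02, True, 772)),
    # legitimate client: request and response of similar size
    (CLIENT, 500, SERVER, 500, build_ike_sa_init(0x3333, 0, False, 400)),     # 428 B
    (SERVER, 500, CLIENT, 500, build_ike_sa_init(0x3333, 0x9A03, True, 420)),  # 448 B
    # same client over NAT-T (UDP/4500) with the non-ESP marker in front
    (CLIENT, 4500, SERVER, 4500, NON_ESP_MARKER + build_ike_sa_init(0x4444, 0, False, 100)),
    (SERVER, 4500, CLIENT, 4500, NON_ESP_MARKER + build_ike_sa_init(0x4444, 0x9A04, True, 120)),
    # unrelated datagram on UDP/500 is ignored by the parser
    (CLIENT, 500, SERVER, 500, b"not ike"),
]

if __name__ == "__main__":
    for client, row in amplification_report(SAMPLE_DATAGRAMS).items():
        print(client, row)
```

To use it on real traffic, feed `(src, sport, dst, dport, payload)` tuples taken from a capture of UDP/500 and UDP/4500. Pointed at your own responder, the same ratio tells you how large its IKE_SA_INIT response is relative to the smallest request it will still answer, which is exactly the factor an attacker obtains by reflecting off it.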
Vendor Information
Oracle Corporation Affected
Notified: February 12, 2016 Updated: July 18, 2017
Statement Date: July 14, 2017
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Oracle has provided a critical security patch for this issue, and assigned CVE-2017-10042 for it.
GNU glibc Not Affected
Notified: February 12, 2016 Updated: February 15, 2016
Statement Date: February 12, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: February 12, 2016 Updated: March 04, 2016
Statement Date: March 03, 2016
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Microsoft does not believe any of its products are directly affected.
ACCESS Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Apple Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arch Linux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arista Networks, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Aruba Networks Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Brocade Communication Systems Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CentOS Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cisco Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CoreOS Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Debian GNU/Linux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
European Registry for Internet Domains Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fortinet, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Foundry Brocade Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
FreeBSD Project Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Gentoo Linux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Google Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hardened BSD Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett Packard Enterprise Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium - DHCP Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
JH Software Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NLnet Labs Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nominum Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: February 12, 2016 Updated: March 01, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
OpenBSD has its own from-scratch IKE daemon:
<http://www.openiked.org/>
It is currently unclear whether this daemon is vulnerable or has been patched.
OpenDNS Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PC-BSD Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PowerDNS Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Red Hat, Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Secure64 Software Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ubuntu Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
dnsmasq Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
gdnsd Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: February 12, 2016 Updated: February 12, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Temporal | 6.7 | E:POC/RL:W/RC:C |
Environmental | 6.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Chad Seaman of Akamai for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
CVE IDs: None
Date Public: 2016-02-25
Date First Published: 2016-02-29
Date Last Updated: 2017-07-18 15:42 UTC
Document Revision: 35