CERT Coordination Center

IKE/IKEv2 protocol implementations may allow network amplification attacks

Vulnerability Note VU#419128

Original Release Date: 2016-02-29 | Last Revised: 2017-07-18

Overview

Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.

Description

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.

More details are provided in a white paper from the researcher.

Impact

An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
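A defender-side check for the condition described above, as an added example that is not part of the CERT/CC note: it totals UDP 500/4500 bytes per remote peer from flow records and flags peers that were sent far more IKE traffic than they sent in. The flow-record layout, the 300% threshold, the 1000-byte floor and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

IKE_PORTS = {500, 4500}      # UDP 500 (IKE) and UDP 4500 (IKE with NAT traversal)
THRESHOLD_PCT = 300.0        # assumed alert threshold; tune to your own baseline
MIN_REPLY_BYTES = 1000       # assumed floor so tiny exchanges are not reported

# Constructed sample flow records using documentation address ranges.
# Layout (an assumption): (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # An ordinary VPN peer: request and reply volumes are roughly balanced.
    ("udp", "198.51.100.7", 500, "192.0.2.10", 500, 600),
    ("udp", "192.0.2.10", 500, "198.51.100.7", 500, 550),
    ("udp", "198.51.100.7", 4500, "192.0.2.10", 4500, 900),
    ("udp", "192.0.2.10", 4500, "198.51.100.7", 4500, 850),
    # A peer that "sent" 300 bytes and was sent 2700 bytes in return.
    ("udp", "203.0.113.50", 500, "192.0.2.10", 500, 300),
    ("udp", "192.0.2.10", 500, "203.0.113.50", 500, 2700),
    # Replies with no request seen by this sensor at all.
    ("udp", "192.0.2.10", 500, "203.0.113.99", 500, 1500),
    # Traffic that is not IKE and must be ignored.
    ("udp", "198.51.100.7", 40000, "192.0.2.10", 53, 80),
    ("tcp", "198.51.100.7", 40001, "192.0.2.10", 443, 5000),
]


def ike_byte_totals(flows, servers):
    """Return {(server, peer): (bytes_in, bytes_out)} for IKE traffic only."""
    totals = defaultdict(lambda: [0, 0])
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto.lower() != "udp":
            continue
        if dst in servers and dport in IKE_PORTS:
            totals[(dst, src)][0] += nbytes      # peer -> our IKE server
        elif src in servers and sport in IKE_PORTS:
            totals[(src, dst)][1] += nbytes      # our IKE server -> peer
    return {key: tuple(value) for key, value in totals.items()}


def amplification_pct(bytes_in, bytes_out):
    """Bytes sent to a peer as a percentage of bytes received from it."""
    if bytes_in == 0:
        # Replies without any observed request: treat as unbounded.
        return float("inf") if bytes_out else 0.0
    return 100.0 * bytes_out / bytes_in


def suspect_reflection(flows, servers,
                       threshold_pct=THRESHOLD_PCT,
                       min_reply_bytes=MIN_REPLY_BYTES):
    """List peers whose IKE reply volume suggests the server is a reflector."""
    findings = []
    for (server, peer), (b_in, b_out) in ike_byte_totals(flows, servers).items():
        pct = amplification_pct(b_in, b_out)
        if b_out >= min_reply_bytes and pct >= threshold_pct:
            findings.append({
                "server": server,
                "peer": peer,          # likely the spoofed address, i.e. the victim
                "bytes_in": b_in,
                "bytes_out": b_out,
                "amplification_pct": pct,
            })
    # Largest outbound volume first: these are the peers to rate-limit first.
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in suspect_reflection(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(finding)
```

A flagged peer is most likely the victim of the reflection rather than its source, so the useful response is rate limiting on the IKE server and anti-spoofing filters upstream, not blocking the peer alone.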

Solution

The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.

Please consider one of the workarounds listed below.

A full solution may require revisions to RFC 7296 and/or RFC 2408.

Perform Egress Filtering

Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.

Vendor Information

Oracle Corporation

Notified:  February 12, 2016 Updated:  July 18, 2017

Statement Date:   July 14, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Oracle has provided a critical security patch for this issue, and assigned CVE-2017-10042 for it.

GNU glibc

Notified:  February 12, 2016 Updated:  February 15, 2016

Statement Date:   February 12, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  February 12, 2016 Updated:  March 04, 2016

Statement Date:   March 03, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft does not believe any of its products are directly affected.

ACCESS

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arista Networks, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Brocade Communication Systems

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

European Registry for Internet Domains

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fortinet, Inc.

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Foundry Brocade

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hardened BSD

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

JH Software

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NLnet Labs

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  February 12, 2016 Updated:  March 01, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

OpenBSD has their own from-scratch IKE daemon:
<http://www.openiked.org/>

It is currently unclear if this daemon is vulnerable or has been patched.

OpenDNS

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Openwall GNU/*/Linux

                                                                                                          Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            PC-BSD

                                                                                                            Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Peplink

                                                                                                              Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                PowerDNS

                                                                                                                Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  Q1 Labs

                                                                                                                  Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    QNX Software Systems Inc.

                                                                                                                    Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Red Hat, Inc.

                                                                                                                      Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        SUSE Linux

                                                                                                                        Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          SafeNet

                                                                                                                          Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Secure64 Software Corporation

                                                                                                                            Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Slackware Linux Inc.

                                                                                                                              Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                SmoothWall

                                                                                                                                Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  Snort

                                                                                                                                  Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Sony Corporation

                                                                                                                                    Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Sourcefire

                                                                                                                                      Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Symantec

                                                                                                                                        Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          TippingPoint Technologies Inc.

                                                                                                                                          Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Turbolinux

                                                                                                                                            Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Ubuntu

                                                                                                                                              Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                Unisys

                                                                                                                                                Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  VMware

                                                                                                                                                  Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    Wind River

                                                                                                                                                    Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      ZyXEL

                                                                                                                                                      Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                      Status

                                                                                                                                                        Unknown

                                                                                                                                                      Vendor Statement

                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                      Vendor References

                                                                                                                                                        dnsmasq

                                                                                                                                                        Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                        Status

                                                                                                                                                          Unknown

                                                                                                                                                        Vendor Statement

                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                        Vendor References

                                                                                                                                                          gdnsd

                                                                                                                                                          Notified:  February 12, 2016 Updated:  February 12, 2016

                                                                                                                                                          Status

                                                                                                                                                            Unknown

                                                                                                                                                          Vendor Statement

                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified:  February 12, 2016 Updated:  February 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References


CVSS Metrics

Group          Score   Vector
Base           7.8     AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.7     E:POC/RL:W/RC:C
Environmental  6.7     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Chad Seaman of Akamai for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2016-02-25
Date First Published: 2016-02-29
Date Last Updated: 2017-07-18 15:42 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.