Updated:  August 20, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

@stake has indicated that Nokia sent the following text to their customers. ---[Nokia Notice]--- NOKIA CUSTOMER CONFIDENTIAL, GGSN RELEASE 1 VULNERABILITY Under exceptional circumstances Nokia GGSN release 1 is potentially vulnerable to a "Denial Of Service" style of attack from a malicious user equipped with a computer and a mobile phone. When the vulnerability is exploited the GGSN restarts. There is no damage to the configuration, but some charging data may be lost. Changing a normal Access Point to tunneled (GRE or IP in IP) prevents the attacks from mobile user side. The same applies for the Gi interface though routers and firewalls would normally drop this kind of packets. The problem has been detected and reported by @stake and has been reproduced by Nokia in collaboration with @stake. Nokia and @stake are jointly working to eliminate the problem. This vulnerability is corrected in IPSO version 3.4 and all subsequent versions. Thus, GGSN release 2 is not vulnerable, GGSN release 1 is. Nokia advices all the customers still running GGSN release level 1 to upgrade on GGSN release level 2. As an interim measure operators can perform the following preventative configuration changes to their networks. Ensure that all IP packets with non standard IP options are dropped by boarder firewalls on the Gi interface. Within the Gn network ensure that the GTP aware firewall (if present) also drops all encapsulated IP packets with non standard IP options. This may introduce latency however it will mitigate against the attack until the patch has been fully deployed and tested. Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release this information no later than 1st June 2003. Neither @stake nor Nokia are aware of this attack being used in the wild as it was discovered by @stake within a lab environment and subsequently tested on a number of operators for whom they have worked for. ---[End Nokia Notice]---