Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IPSEC / ISAKMP Vulnerability wrapup

Published: 2005-11-14
Last Updated: 2005-11-14 22:45:25 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This diary is intended to provide a higher level overview about this issue in addition to the earlier "blow by blow" diary.

How serious is all of this?
The world an the Internet will continue to turn. This issue is however very important to you if you are using an IPSEC VPN. At this point, all points to this being a DOS only vulnerability. Your IPSEC concentrator may reboot or lock up. While this is not as severe as remote code execution, it can still break a business if critical network links are impacted.

Who is Impacted?
If you are using IPSEC, check with your vendor to make sure. Cisco, Juniper, Secgo and OpenSWAN released patches. In particular OpenSWAN may be used in many Linux and BSD based appliances. See the earlier diary for a list of firmwares. ISAKMP and IPSEC have to be enabled.

What is "ISAKMP"?
ISAKMP is used as part of the IPSEC protocol. It is used to establish "Security Associations". Each IPSEC connection is defined by a Security Association. ISAKMP is used to figure out what kind of encryption to use. In order to do this, it exchanges key generation and authentication data. Think of ISAKMP as the connection you establish ahead of the actual IPSEC connection. Only once ISAKMP worked out the details, you typically establish the IPSEC connection.
ISAKMP uses UDP packets with a source and target port of 500.

Why is it broken?
ISAKMP, in its nature, is rather complex and flexible. A group at the University of Oulu (Finland) developed a test suite to generate abnormal ISAKMP traffic. As they  used this test suite against various IPSEC implementations, they found them to be vulnerable. The PROTOS test suite has been used with similar results against other protocols like SMNP before.

Is all Port 500 UDP Traffic Bad?
No. You will see plenty of port 500/udp traffic hitting your firewall just as a matter of "doing packets". Some systems, in particular later versions of Windows, will attempt to create an IPSEC connection before establishing any "regular" connection. So your web server may see a lot of port 500 udp traffic from innocent systems like that. ISAKMP is used to negotiate an IPSEC connection, so it can be used to see if you can establish an IPSEC connection with a remote host. It will fall back to a regular non-IPSEC connection if permitted (which is the default).

Where can I find out more?
Get all the gory details about PROTOS from the University of Oulu:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/

NISCC, who coordinated the vulnerability release, posted an advisory here:
http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

The prior diary, with more links, can be found here:
http://isc.sans.org/diary.php?storyid=848

Thanks to all the other handlers who help to decipher the various advisories.



Keywords:
0 comment(s)
Diary Archives