Cisco IKE Resource Exhaustion Attack

Published: 2006-07-27
Last Updated: 2006-07-27 12:44:05 UTC
by Chris Carboni (Version: 1)
Fred sent us a note after receiving e-mail from Cisco.

"The attack against the Internet Key Exchange (IKE) protocol described in the NTA Monitor advisory exploits the stateless nature of the IKE version 1 protocol. The goal of such an attack is to deplete the resources available on a device to negotiate IKE security associations, and block legitimate users from establishing a new security association."

Cisco states "This vulnerability is not related to a specific vendor implementation, but to underlying issues in the IKE protocol, and may affect any device which implements IKE version"

There is a workaround available for IOS, but not for any other Cisco products.

Cisco's full response can be found here.

Check with your vendor for other systems you have that use IKE version 1.
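The resource-exhaustion pattern Cisco describes above shows up on a gateway as a burst of phase-1 negotiations that start and never complete, typically from many distinct (and spoofable) sources. What follows is an added example for spotting that pattern in logs; it is not code from this diary, from Cisco or from NTA Monitor. The log line format, the event names (P1_START, P1_COMPLETE, P1_TIMEOUT), the sample addresses and the thresholds are all assumptions made up for the illustration and have to be mapped onto whatever your own IKE gateway actually emits.

```python
"""Flag windows of IKEv1 phase-1 negotiations that start but do not complete.

Added example; not code from the ISC diary, Cisco or NTA Monitor. The log
format below is constructed for this example, not a real vendor format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption):
#   <ISO-8601 UTC timestamp> ike: <P1_START|P1_COMPLETE|P1_TIMEOUT> <source ip>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ike: "
    r"(?P<event>P1_START|P1_COMPLETE|P1_TIMEOUT) (?P<src>[\d.]+)$"
)


def parse(lines):
    """Yield (timestamp, event, source) for lines matching LOG_RE; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m["event"], m["src"]


def find_floods(lines, window=timedelta(seconds=60),
                min_starts=20, max_complete_ratio=0.25):
    """Bucket phase-1 events into fixed windows and flag windows where many
    negotiations start but few complete. A busy but healthy gateway has a high
    completion ratio; a flood of half-open negotiations has a very low one.
    Thresholds are assumptions; tune them to the gateway's normal load."""
    secs = window.total_seconds()
    buckets = defaultdict(lambda: {"starts": 0, "completes": 0, "srcs": set()})
    for ts, event, src in parse(lines):
        idx = int(ts.timestamp() // secs)
        b = buckets[idx]
        if event == "P1_START":
            b["starts"] += 1
            b["srcs"].add(src)
        elif event == "P1_COMPLETE":
            b["completes"] += 1
    alerts = []
    for idx in sorted(buckets):
        b = buckets[idx]
        # starts >= min_starts is checked first, so the ratio never divides by zero
        if b["starts"] >= min_starts and b["completes"] / b["starts"] <= max_complete_ratio:
            alerts.append({
                "window_start": datetime.fromtimestamp(idx * secs, tz=timezone.utc),
                "starts": b["starts"],
                "completes": b["completes"],
                "distinct_sources": len(b["srcs"]),
            })
    return alerts


def build_sample_log():
    """Constructed sample: one healthy negotiation at 12:00, then at 12:05 a
    burst of 40 half-open negotiations from 40 distinct sources, during which
    a legitimate peer retries and never completes either."""
    lines = [
        "2006-07-27T12:00:03Z ike: P1_START 198.51.100.10",
        "2006-07-27T12:00:04Z ike: P1_COMPLETE 198.51.100.10",
    ]
    for i in range(40):
        lines.append(f"2006-07-27T12:05:{i:02d}Z ike: P1_START 203.0.113.{i + 1}")
    lines.append("2006-07-27T12:05:45Z ike: P1_START 198.51.100.10")
    for i in range(40):
        lines.append(f"2006-07-27T12:06:{i:02d}Z ike: P1_TIMEOUT 203.0.113.{i + 1}")
    lines.append("noise line that does not match the format")
    return lines


if __name__ == "__main__":
    for alert in find_floods(build_sample_log()):
        print(f"{alert['window_start']:%Y-%m-%d %H:%M}Z: {alert['starts']} phase-1 starts, "
              f"{alert['completes']} completed, {alert['distinct_sources']} sources")
```

The check keys on the completion ratio rather than on raw rate because a legitimate morning login surge also produces many phase-1 starts; what distinguishes exhaustion is that the negotiations do not finish. Counting distinct sources is there so the analyst can see at a glance whether the initiators are spoofed (many addresses, one negotiation each) or a small set of misbehaving peers.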
