Cisco VPNs Open To Denial-Of-Service Attacks: Researcher - InformationWeek

Cisco VPNs Open To Denial-Of-Service Attacks: Researcher

The vulnerability lies in the Internet Key Exchange protocol, which enables remote IPSec VPN access. The flaw could allow an attacker to cripple a VPN 3000 Series concentrator by flooding it with IKE requests and preventing it from handling legitimate traffic, according to a security researcher.

A flaw in one of the protocols used by Cisco Systems' VPN 3000 Series concentrators could open up the devices to denial-of-service attacks.

The vulnerability lies in the Internet Key Exchange (IKE) Protocol, which enables remote IPsec VPN access. The flaw could allow an attacker to cripple a VPN 3000 Series concentrator by flooding it with IKE requests and making it unable to handle legitimate traffic, according to security researcher Roy Hills of U.K.-based security research firm NTA Monitor, who discovered the vulnerability last July and posted his findings to the Full Disclosure mailing list Wednesday.

Attackers don't need to be logged in to exploit the flaw because the problem occurs before the authentication stage, Hills wrote. Also, intrusion detection and prevention systems are likely to be ineffective because the traffic consists of genuine IKE packets, he said.

Cisco's VPN 3000 Series concentrators are designed for enterprise deployments and can support 200 to 10,000 simultaneous IPSec remote access users.

In an advisory issued Wednesday, Cisco's Product Security Incident Response Team (PSIRT) said the vulnerability is in version 1 of the IKE protocol and isn't related to vendor-specific hardware. Other Cisco products that use IKE version 1 include the Adaptive Security Appliance (ASA) line, PIX firewall and Cisco Internetworking Operating System (IOS) software.

Cisco IOS customers can protect themselves by implementing Call Admission Control (CAC) for IKE, which caps the number of simultaneous connections on a router, according to the advisory.

Although Cisco will continue to study possible software workarounds to mitigate the impact of the flaw, Mike Caudill, incident manager at Cisco's PSIRT, said a patch will be difficult to develop.

"This is one that isn't easily patched because it's an issue with the protocol itself. It's more of an industrywide protocol issue rather than a Cisco-specific issue," Caudill said.

In January, Cisco patched a flaw in the VPN 3000 Series concentrator line that could have allowed a malicious user to send a crafted HTTP packet designed to trigger a denial-of-service attack.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Don't Collect Biometric Data Without Providing Notice
Lisa Morgan, Freelance Writer,  2/1/2019
AI and the Next Recession
Guest Commentary, Guest Commentary,  1/24/2019
The Title Machine Learning Engineer Will Start to Disappear
Guest Commentary, Guest Commentary,  2/7/2019
Register for InformationWeek Newsletters
Current Issue
Security and Privacy vs. Innovation: The Great Balancing Act
This InformationWeek IT Trend Report will help you better understand and address the growing challenge of balancing the need for innovation with the real-world threats and regulations.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll