Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13646
HistoryJul 27, 2006 - 12:00 a.m.

RE: [Full-disclosure] Cisco VPN Concentrator IKE resource exhaustionDoS Advisory

2006-07-2700:00:00
vulners.com
63

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello:

    This is a Cisco PSIRT response to an advisory published by an

unaffiliated third party, Roy Hills, of NTA Monitor Ltd posted as of
July 26, 2006 at
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html,
and entitled: Cisco VPN Concentrator IKE resource exhaustion DoS.

    This issue is being tracked by the following Cisco Bug IDs:

      * CSCse70811 (Cisco IOS software)

      * CSCdt92467 (Cisco VPN 3000 Concentrators)

      * CSCsb51032 (Cisco PIX firewalls)

    We thank Roy Hills from NTA Monitor Ltd for reporting this issue

to
Cisco. We greatly appreciate the opportunity to work with researchers
on security vulnerabilities, and welcome the opportunity to review
and assist in product reports.

    The attack against the Internet Key Exchange (IKE) protocol

described in the NTA Monitor advisory exploits the stateless nature
of the IKE version 1 protocol. The goal of such an attack is to
deplete the resources available on a device to negotiate IKE security
associations, and block legitimate users from establishing a new
security association.

    This vulnerability is not related to a specific vendor

implementation, but to underlying issues in the IKE protocol, and may
affect any device which implements IKE version 1. Cisco devices
implementing IKE version 1 include the PIX and ASA security
appliances, Cisco IOS software, and the VPN 3000 Series
Concentrators.

    Customers running Cisco IOS software can mitigate this

vulnerability
by implementing the feature "Call Admission Control for IKE".
Additional information on this feature can be found at
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_featur
e_guide09186a0080229125.html .

    There are no workarounds to mitigate this vulnerability for

other
affected devices.

    Cisco will continue to investigate the possibility of

implementing
software workarounds to minimize the impact of this vulnerability.

    Cisco's statement and further information are available on the

Cisco
public website at
http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml

    Contact [email protected] with any questions regarding this issue.

    Regards,
    Dario

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf
> Of Roy Hills
> Sent: Wednesday, July 26, 2006 9:58 AM
> To: [email protected]
> Subject: [Full-disclosure] Cisco VPN Concentrator IKE
> resource exhaustionDoS Advisory
>
> Cisco VPN Concentrator IKE resource exhaustion DoS Advisory
>
> 1. Overview
>
> NTA Monitor discovered a denial of service vulnerability in the
> Cisco VPN 3000 series concentrator products while performing a VPN
> security test for a customer in July 2005.
>
> The vulnerability affects Phase-1 of the IKE protocol. Both Main
> Mode and Aggressive Mode over both UDP and TCP transports are
> affected.
>
> The vulnerability allows an attacker to exhaust the IKE resources
> on a VPN concentrator by sending a high rate of IKE requests,
> which will prevent valid clients from connected or re-keying. The
> attack does not require a high bandwidth, so one attacker could
> potentially
> target many concentrators.
>
> This mechanism behind this vulnerability is similar to the
> well-known TCP SYN flood vulnerability.
>
> 2. Vulnerability Details
>
> The vulnerability allows an attacker to exhaust the IKE resources
> on a remote VPN concentrator by starting new IKE sessions faster
> than the concentrator expires them from its queue. By doing this,
> the
> attacker fills up the concentrator's queue, which prevents it from
> handling valid IKE requests.
>
> The exploit involves sending IKE Phase-1 packets containing an
> acceptable transform. It is not necessary to have valid credentials
> in order to exploit this vulnerability, as the problem occurs
> before the authentication stage. The vulnerability affects both
> Main Mode and Aggressive Mode, and both normal IKE over UDP and
> Cisco
> proprietary TCP-encapsulated IKE.
>
> In order to exploit the vulnerability, the attacker needs to send
> IKE packets at a rate which exceeds the Concentrator's IKE session
> expiry rate. Tests show that the target concentrator starts to be
> affected at a rate of 2 packets per second, and is becomes
> unusable at 10
> packets per second. As a minimal Main Mode packet with a single
> transform is 112 bytes long, 10 packets per second corresponds to a
> data rate of slightly less than 9,000 bits per second.
>
> The concentrator will remain unable to process IKE requests as long
> as the flow of packets continues. Once the flow stops, the
> concentrator will return to normal operation as the
> negotiation queue drains.
>
> It is not normally possible to block public inbound access to the
> IKE service on the VPN concentrator, because it is required for
> remote access IPsec operation. As IKE normally uses the UDP
> transport
> protocol, the attacker may forge the packet's source IP address to
> avoid identification, or to prevent the victim from blocking the
> traffic with ingress filtering. In addition, IDS/IPS systems will
> probably not be able to detect the attack, because the packets are
> valid IKE packets.
>
> It is possible for attackers to detect and fingerprint Cisco VPN
> concentrators using the IKE fingerprinting techniques that we have
> previously published in VPN security white papers. Therefore users
> should not assume that their concentrator is invisible just because
> it's not published in the DNS and is not running any TCP services.
>
>
> The symptoms are that the target concentrator won't respond to IKE
> requests from any source when all the negotiation slots are filled.
> This means that new clients will be unable to connect, and Phase-1
> re-keying attempts will fail. It is not known if Phase-2 re-keying
> is also affected. Traffic over existing VPN tunnels should not be
> affected until they need to re-key.
>
> The mechanism behind this vulnerability is similar to that behind
> the well-known TCP SYN flood issue. In both cases the target
> system has a stateful mechanism for recording outstanding
> negotiations, uses a fixed-size list to store negotiations in
> progress, and does not
> require any authentication in order to start a negotiation.
>
> 3. Example
>
> We are not planning to release examples of how to exploit this
> vulnerability until it has been addressed and users have had an
> opportunity to apply the fix or workaround.
>
> 4. Affected Versions
>
> The issue is believed to affect all models of Cisco VPN 3000
> Concentrator: 3005, 3015, 3020, 3030, 3060 and 3080. It is
> suspected that other cisco products that support IKE may also be
> affected, but this has not been confirmed.
>
> 5. Solution
>
> There is no known fix or workaround at this time.
>
> 6. Timeline
>
> The vulnerability was first discovered on 4th July 2005, and was
> reported to Cisco's security team (PSIRT) the same day. Cisco
> responded on 9th August 2005, but no further progress has been
> made.
>
> 7. References
>
> NTA Monitor advisory
> http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
>
>
> Roy Hills
> NTA Monitor Ltd
>
>
> –
> Roy Hills Tel: +44 1634 721855
> NTA Monitor Ltd FAX: +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate, Email:
> [email protected]
> Rochester, Kent ME2 4FA,
> UK WWW: http://www.nta-monitor.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRMeuUIyVGB+6GuDwEQIfAQCgvC8UWYlqZJjYPNE3TLD1YyKpi/MAoIJi
iY86VI1j1eq6148omyMlewqt
=1f3K
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/