=====================================================================
                                   CERT-Renater

                        Information Note No. 2005/VULN707
_____________________________________________________________________

DATE                      : 15/11/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running ISAKMP implementations.

======================================================================

CERT-FI and NISCC Joint Vulnerability Advisory ISAKMP

Multiple Vulnerability Issues in Implementation of ISAKMP Protocol

Version Information
-------------------
Advisory Reference       CERT-FI:  7710
                         NISCC:    273756/NISCC/ISAKMP
Release Date             14 November 2005
Last Revision            14 November 2005
Version Number           1.0
	
Acknowledgement
---------------
This issue was identified by the Oulu University Secure Programming Group (OUSPG)
from the University of Oulu in Finland.

What is Affected?
-----------------
The vulnerabilities described in this advisory affect the Internet Security
Association and Key Management Protocol (ISAKMP), which is used to establish
security associations for other security protocols.

Internet Key Exchange version 1 (IKEv1), a derivative of ISAKMP, is an important part
of IPsec. IPsec is widely used to secure the exchange of packets at the IP layer,
mostly to implement Virtual Private Networks (VPNs). In addition to dedicated
VPN products, ISAKMP/IKE support has also been included in many operating system
distribution packages and some firewall products.

Impact
------
The severity of these vulnerabilities varies by vendor; please see the "Vendor
Information" section below for further information, or contact your vendor for
product-specific information. These flaws may expose Denial-of-Service conditions,
format string vulnerabilities, and buffer overflows. In some cases, it may be
possible for an attacker to execute code.

ISAKMP/IKE client applications may be harder to attack than server applications
because, in some cases, the client may be required to initiate the negotiation.

Summary
-------
During 2002, OUSPG discovered a number of implementation-specific vulnerabilities in
the Simple Network Management Protocol (SNMP). Further work has been done to
identify implementation-specific vulnerabilities in related protocols that are used
in critical infrastructure. The ISAKMP protocol, an important part of the IPsec
protocol suite, which is widely used in critical infrastructure, was studied as part of
this program of work.

OUSPG has developed a PROTOS ISAKMP Test Suite for IKEv1 Phase 1 and employed it to
validate their findings against a number of products from different vendors. CERT-FI
and NISCC have contacted multiple vendors whose products employ ISAKMP/IKE and
provided them with the test tool to allow them to test their implementations. These
vendors' product lines cover most of the existing IPsec-based VPN products on the
market.

[Please note that revisions to this advisory will not be notified by email. All
  subscribers are advised to regularly check the NISCC website
  (http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]

Details
--------
The ISAKMP protocol is an international standard protocol, published by the Internet
Engineering Task Force (IETF). ISAKMP is designed to establish, negotiate, modify
and delete Security Associations (SAs). SAs contain all the information required for
the execution of various network security services. ISAKMP provides a consistent framework
for transferring key and authentication data that is independent of the key
generation technique, encryption algorithm and authentication mechanism. IKEv1, a
derivative of ISAKMP, is a key protocol in the Internet Security Architecture (IPsec).
IKEv1 is the most widely used version of the Internet Key Exchange protocol.

Please note that the OUSPG PROTOS ISAKMP Test Suite does not test Internet Key
Exchange version 2 (IKEv2).

ISAKMP consists of two phases. In phase 1, the two parties negotiate an SA to agree
on how to protect the traffic in the next phase. In phase 2, keying material is
derived and the policy for sharing it is negotiated. In this way, security associations
for other security protocols are established.

Multiple ISAKMP implementations behave in an anomalous way when they receive and handle
ISAKMP Phase 1 packets with invalid and/or abnormal contents. By applying the OUSPG
PROTOS ISAKMP Test Suite to a variety of products, several vulnerabilities with
varying effects can be revealed.

Mitigation
----------
The following suggestions are recommended as methods to mitigate the issues
discussed in this advisory:

   -  If possible, use packet filters and accept ISAKMP negotiations only from trusted
      IP addresses
   -  Avoid using "aggressive mode*" in phase 1

[*In "aggressive mode", fewer exchanges, carrying fewer packets, are made during the
  negotiation stage. The weakness of this mode is that both sides have exchanged
  information before a secure channel exists.]
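As an added example (not part of this advisory or of the PROTOS suite), the following Python parser for the ISAKMP header and payload chain described in the Details section refuses any packet whose length fields disagree with the bytes actually received, which is the class of malformed Phase 1 input that exposed the flaws above. Field layouts follow RFC 2408; the sample packet is constructed, and the exchange type the parser returns lets a caller apply the second mitigation by rejecting aggressive mode (exchange type 4).

```python
import struct
# Field sizes and exchange type codes from RFC 2408/2409 (ISAKMP / IKEv1).
ISAKMP_HDR_LEN = 28
PAYLOAD_HDR_LEN = 4
EXCH_IDENTITY_PROTECTION = 2   # IKEv1 main mode (aggressive mode is 4)

class MalformedISAKMP(ValueError):
    """Raised when a packet's framing disagrees with its contents."""

def parse_isakmp(data: bytes) -> dict:
    """Parse the fixed header and walk the payload chain, bounds-checking every length field."""
    if len(data) < ISAKMP_HDR_LEN:
        raise MalformedISAKMP("truncated header")
    (_icookie, _rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise MalformedISAKMP(f"unsupported major version {version >> 4}")
    if length != len(data):  # header length must match what was actually received
        raise MalformedISAKMP(f"header length {length} != packet size {len(data)}")
    payloads, offset = [], ISAKMP_HDR_LEN
    while next_payload != 0:
        if offset + PAYLOAD_HDR_LEN > len(data):
            raise MalformedISAKMP("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + PAYLOAD_HDR_LEN])
        # plen >= 4 guarantees forward progress; the upper bound stops over-reads
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(data):
            raise MalformedISAKMP(f"payload length {plen} out of bounds at {offset}")
        payloads.append((next_payload, data[offset + PAYLOAD_HDR_LEN:offset + plen]))
        offset, next_payload = offset + plen, nxt
    if offset != len(data):
        raise MalformedISAKMP("trailing bytes after last payload")
    return {"exchange_type": exch_type, "flags": flags, "msg_id": msg_id, "payloads": payloads}

def is_malformed(data: bytes) -> bool:
    """True when the parser rejects the packet (usable as a pre-filter)."""
    try:
        parse_isakmp(data)
        return False
    except MalformedISAKMP:
        return True

# Constructed sample: a 50-byte main mode message with an SA payload and a vendor ID payload.
SAMPLE_MAIN_MODE = (
    b"\x01" * 8 + b"\x00" * 8                        # initiator / responder cookies
    + bytes([1, 0x10, EXCH_IDENTITY_PROTECTION, 0])  # next = SA(1), v1.0, exchange, flags
    + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x32"      # message ID, total length 50
    + b"\x0d\x00\x00\x0c" + b"\x00" * 8              # SA payload, next = vendor ID(13)
    + b"\x00\x00\x00\x0a" + b"vendor"                # vendor ID payload, next = none
)
```

A truncated copy, a copy one byte short of its declared length, or a copy with an oversized payload length are all rejected before any payload body is read.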

Solution
--------
Please refer to the 'Vendor Information' section of this advisory for platform
specific remediation.

Vendor Information
------------------
A complete list of vendor responses to this vulnerability is not currently
available. Please visit the web site at http://www.niscc.gov.uk/niscc/vulnAdv-en.html
in order to view the latest vendor statements.

Credits
-------
CERT-FI and the NISCC Vulnerability Team would like to thank OUSPG for informing
us of the problems and making the test suite available to vendors.

CERT-FI and the NISCC Vulnerability Team would also like to thank the vendors
for their co-operation in handling this vulnerability and to JPCERT/CC for
co-ordinating this issue in Japan.

Contact Information
-------------------
CERT-FI Vulnerability Coordination can be contacted as follows:

Email      vulncoord@ficora.fi
            Please quote the advisory reference in the subject line

Telephone  +358-9-6966510
            Monday - Friday 08:00 - 16:15 (EET-DST: UTC+3, EET: UTC+2)

Fax        +358-9-6966515

Post       Vulnerability Coordination
            FICORA/CERT-FI
            P.O. Box 313
            FI-00181 Helsinki
            FINLAND

CERT-FI encourages those who wish to communicate via email to make use of our
PGP key. This is available from http://www.ficora.fi/suomi/tietoturva/VULNCOORD.asc


The NISCC Vulnerability Management Team can be contacted as follows:

Email      vulteam@niscc.gov.uk
            Please quote the advisory reference in the subject line

Telephone  +44 (0)870 487 0748 Ext 4511
            Monday - Friday 08:30 - 17:00

Fax        +44 (0)870 487 0749

Post       Vulnerability Management Team
            NISCC
            PO Box 832
            London
            SW1P 1BG
            United Kingdom

We encourage those who wish to communicate via email to make use of our PGP
key. This is available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent
to the email address above.

What are CERT-FI and NISCC?
---------------------------
For further information regarding the Finnish national CERT team, CERT-FI, please
visit http://www.ficora.fi/englanti/tietoturva/cert.htm.

For further information regarding the UK National Infrastructure Security
Co-ordination Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise, does not constitute or imply its endorsement,
recommendation, or favouring by NISCC. The views and opinions of authors expressed
within this notice shall not be used for advertising or product endorsement
purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.


(C) 2005 Crown Copyright

======================================================================

          =========================================================
          The CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
