=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN405
_____________________________________________________________________

DATE                      : 27/07/2006

HARDWARE PLATFORM(S)      : Cisco.

OPERATING SYSTEM(S)       : Cisco software.

======================================================================

Cisco Security Response: Internet Key Exchange Resource Exhaustion Attack

Document ID: 70810

http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml

Revision 1.0

For Public Release 2006 July 26 1600 UTC (GMT)

-----------------------------------------------------------------------

Contents
========

     Cisco Response
     Additional Information
     Revision History
     Cisco Security Procedures

-----------------------------------------------------------------------

Cisco Response
==============

This is a Cisco PSIRT response to an advisory published by an unaffiliated
third party, Roy Hills of NTA Monitor Ltd, posted on July 26, 2006 at
http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html
and entitled "Cisco VPN Concentrator IKE resource exhaustion DoS".

This issue is being tracked by the following Cisco Bug IDs:

   * CSCse70811 (Cisco IOS software)

   * CSCdt92467 (Cisco VPN 3000 Concentrators)

   * CSCsb51032 (Cisco PIX firewalls)

We thank Roy Hills from NTA Monitor Ltd for reporting this issue to
Cisco. We greatly appreciate the opportunity to work with researchers
on security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

The attack against the Internet Key Exchange (IKE) protocol described
in the NTA Monitor advisory exploits the stateless nature of the IKE
version 1 protocol. The goal of such an attack is to deplete the
resources a device has available for negotiating IKE security
associations, and thereby block legitimate users from establishing new
security associations.

This vulnerability is not related to a specific vendor implementation,
but to underlying issues in the IKE protocol, and may affect any device
which implements IKE version 1. Cisco devices implementing IKE version
1 include the PIX and ASA security appliances, Cisco IOS software, and
the VPN 3000 Series Concentrators.

Customers running Cisco IOS software can mitigate this vulnerability by
implementing the feature "Call Admission Control for IKE". Additional
information on this feature can be found at
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a0080229125.html.
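To make the resource-exhaustion pattern and the admission-control idea concrete, the following added example (not Cisco's code and not part of the original response) parses the IKEv1 ISAKMP header and refuses new Phase 1 initiations once a configurable number of half-open negotiations is pending; the `Phase1Admission` class, its limits and its timeout are hypothetical and only model an in-negotiation SA cap, not the IOS feature itself.

```python
import struct
from collections import OrderedDict

# ISAKMP header (RFC 2408 s3.1): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE = 2, 4          # IKEv1 Phase 1 exchange types
ZERO_COOKIE = b"\0" * 8

def parse_isakmp(pkt):
    """Return (initiator cookie, responder cookie, exchange type), or None if malformed."""
    if len(pkt) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _np, ver, xchg, _fl, _mid, length = ISAKMP_HDR.unpack_from(pkt)
    if ver >> 4 != 1 or length < ISAKMP_HDR.size:   # major version 1 = IKEv1
        return None
    return icookie, rcookie, xchg

class Phase1Admission:
    """Cap half-open Phase 1 negotiations: a hypothetical, simplified model of an
    in-negotiation SA limit (not Cisco's code). Entries that never complete age
    out after `timeout` seconds."""
    def __init__(self, max_in_negotiation, timeout):
        self.max, self.timeout = max_in_negotiation, timeout
        self.pending = OrderedDict()      # (src, initiator cookie) -> start time
        self.rejected = 0

    def _expire(self, now):
        while self.pending and now - next(iter(self.pending.values())) >= self.timeout:
            self.pending.popitem(last=False)

    def offer(self, src, pkt, now):
        """Decide for one datagram: 'accept', 'reject' (cap reached) or 'ignore'."""
        hdr = parse_isakmp(pkt)
        if hdr is None or hdr[2] not in (MAIN_MODE, AGGRESSIVE):
            return "ignore"
        icookie, rcookie, _ = hdr
        self._expire(now)
        key = (src, icookie)
        if rcookie != ZERO_COOKIE or key in self.pending:
            return "accept" if key in self.pending else "ignore"   # continuation/retransmit
        if len(self.pending) >= self.max:
            self.rejected += 1            # new initiation refused, no state allocated
            return "reject"
        self.pending[key] = now
        return "accept"

    def complete(self, src, icookie):
        """Phase 1 finished: release the in-negotiation slot."""
        self.pending.pop((src, icookie), None)
```

With the cap in place, a flood of first messages that are never followed up can only fill the fixed number of slots, which then age out, while completed negotiations free their slot immediately.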

There are no workarounds to mitigate this vulnerability for other
affected devices.

Cisco will continue to investigate the possibility of implementing
software workarounds to minimize the impact of this vulnerability.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+----------+--------------+-------------------------+
| Revision | Date         | Description             |
+==========+==============+=========================+
| 1.0      | 2006-July-26 | Initial public release. |
+----------+--------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

-----------------------------------------------------------------------

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights
reserved.

-----------------------------------------------------------------------

Updated: Jul 26, 2006                                Document ID: 70810

-----------------------------------------------------------------------

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
