NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released. Read More

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor. Read More

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future. Read More

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years. Read More

Nortel VPN Router Malformed Packet DoS Vulnerability

Overview

NTA Monitor have discovered a denial of service (DoS) vulnerability in the Nortel VPN Router products (which were previously known as Nortel Contivity) while performing a VPN security test for a customer.

We believe that this is a serious vulnerability, because a single malformed IKE packet causes the VPN router to crash. Also it is not normally possible to prevent the malformed packet from reaching the router.

Vulnerability Details

The vulnerability is triggered by sending a single IPsec IKE packet with a malformed ISAKMP header. On receipt of this malformed packet, the VPN router will crash immediately. The crash occurs every time such a malformed packet is sent.

Sometimes the affected VPN router will automatically reboot (which takes about five minutes), but sometimes it will stay down indefinitely and require manual intervention to restart it. In tests, the VPN router automatically rebooted around 80% of the time, and needed to be manually reset on the remaining 20%.

The VPN router does not log the malformed packet, even if the logging level is turned up to maximum. This is probably because the packet causes the router to crash before it has a chance to log it.

It is not normally possible to block public inbound access to the IKE service on the VPN router, because it is required for remote access IPsec operation. As IKE uses the UDP transport protocol, the attacker may forge the packet's source IP address to avoid identification, or to prevent the victim from blocking the traffic with ingress filtering. In addition, current IDS/IPS systems will probably not be able to detect the attack, because the malformed packet looks very similar to a normal IKE packet.

It is possible for attackers to detect and fingerprint Nortel VPN routers using the IKE fingerprinting techniques that we have previously published in VPN security white papers. Therefore users should not assume that their VPN router is invisible just because it's not published in the DNS and is not running any TCP services.

We are not planning to release the precise details of the malformed packet, or the proof-of-concept exploit code due to the danger of an exploit being released before the majority of the Nortel VPN users have upgraded to the fixed version.

Affected Versions

The issues affects Nortel VPN router models 1010, 1050, 1100, 600, 1600, 1700, 2600, 2700, 4500, 4600 and 5000. We believe that all current software versions on the affected models are vulnerable.

Solution

Upgrade to software version V5.05_200 or later. Nortel customers with a valid login may obtain the new software from the Nortel technical support web site:

http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp

Patches for earlier software releases 4.76, 4.85, 4.90 and 5.00 are expected to be available within a few weeks.

Timeline

The vulnerability was first discovered on 3rd March 2005, and was immediately reported to the customer and Nortel Networks security team. Nortel reproduced the issue, and developed a fix. The fixed version for the latest software was released on 27th May 2005.

References

CVE-2005-1802

Other Information

We would like to thank Nortel Networks for responding promptly to this issue, and producing a software fix to address it.

This advisory was first released on 3rd May 2005.