NTA Monitor


Cisco VPN Concentrator IKE resource exhaustion DoS

Overview

NTA Monitor discovered a denial of service vulnerability in the Cisco VPN 3000 series concentrator products while performing a VPN security test for a customer in July 2005.

The problem was initially discovered on the Cisco VPN Concentrator 3000 product range, but subsequent testing has shown that the issue also exists in the IKE component of Cisco IOS, Cisco PIX OS, Cisco ASA Appliance, and Cisco Firewall Services Module [FWSM] for Cisco Catalyst 6500 switches and Cisco 7600 Series routers.

The vulnerability affects Phase-1 of the IKE protocol. Both Main Mode and Aggressive Mode over both UDP and TCP transports are affected.

The vulnerability allows an attacker to exhaust the IKE resources on an affected device by sending a high rate of IKE requests, which prevents valid clients from connecting or re-keying. The attack does not require high bandwidth, so one attacker could potentially target many VPN systems at once.

The mechanism behind this vulnerability is similar to that behind the well-known TCP SYN flood vulnerability.

Vulnerability Details

The vulnerability allows an attacker to exhaust the IKE resources on a remote system by starting new IKE sessions faster than the target system expires them from its queue. By doing this, the attacker fills up the target's queue, which prevents it from handling valid IKE requests.

The exploit involves sending IKE Phase-1 packets containing an acceptable transform. It is not necessary to have valid credentials in order to exploit this vulnerability, as the problem occurs before the authentication stage. The vulnerability affects both Main Mode and Aggressive Mode, and both normal IKE over UDP and Cisco proprietary TCP-encapsulated IKE.

In order to exploit the vulnerability, the attacker needs to send IKE packets at a rate which exceeds the target's IKE session expiry rate. Tests show that the target starts to be affected at a rate of 2 packets per second, and becomes unusable at 10 packets per second. As a minimal Main Mode packet with a single transform is 112 bytes long, 10 packets per second corresponds to a data rate of slightly less than 9,000 bits per second.

The target will remain unable to process IKE requests as long as the flow of packets continues. Once the flow stops, it will return to normal operation as the negotiation queue drains.

It is not normally possible to block public inbound access to the IKE service on a VPN gateway, because remote-access IPsec clients need it. As IKE normally runs over UDP, the attacker can forge the packets' source IP addresses to avoid identification and to defeat any attempt by the victim to block the traffic with ingress filtering. In addition, IDS/IPS systems will probably not detect the attack, because the packets are valid IKE packets.

Attackers can detect and fingerprint Cisco VPN concentrators, IOS and PIX systems using the IKE fingerprinting techniques that we have previously published in our VPN security white papers. Users should therefore not assume that their VPN system is invisible just because it is not published in DNS and runs no TCP services.

The symptom is that the target system stops responding to IKE requests from any source once all the negotiation slots are filled. This means that new clients will be unable to connect, and Phase-1 re-keying attempts will fail. It is not known whether Phase-2 re-keying is also affected. Traffic over existing VPN tunnels should not be affected until they need to re-key.

The mechanism behind this vulnerability is similar to that behind the well-known TCP SYN flood issue. In both cases the target system has a stateful mechanism for recording outstanding negotiations, uses a fixed-size list to store negotiations in progress, and does not require any authentication in order to start a negotiation.
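The following is an added example written for this page; it is not code from NTA Monitor's advisory or from Cisco, and it sends nothing. It builds the minimal Main Mode first message described above (one proposal, one transform) so the 112-byte and roughly 9,000 bit/s figures can be checked, and it shows the kind of check that can see this attack: not a signature, since every packet is a valid IKE packet, but a count of Phase-1 initiations per second towards the gateway, ignoring source addresses because they may be forged. The transform values (3DES, SHA1, pre-shared key, group 2, 28800 s lifetime), the 28-byte IPv4+UDP overhead used for the on-wire size, and the sample traffic are assumptions constructed here; the 10 per second alert threshold is the advisory's "unusable" figure.

```python
"""Added example (not NTA Monitor's or Cisco's code): minimal IKE Phase-1
packet per RFC 2408/2409, size arithmetic, and a rate-based initiation
counter.  Nothing here sends traffic."""
import os
import struct
from collections import deque

ISAKMP_VERSION = 0x10   # major 1, minor 0
EXCH_MAIN_MODE = 2      # Identity Protection exchange
EXCH_AGGRESSIVE = 4
NP_NONE, NP_SA = 0, 1   # next-payload codes: none, Security Association
IP_UDP_OVERHEAD = 28    # assumed IPv4 (20) + UDP (8) headers for on-wire size
ZERO_COOKIE = bytes(8)


def _attr_basic(attr_type, value):
    """Basic attribute: AF bit set, 2-byte value follows the type."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def _attr_variable(attr_type, value):
    """Variable-length attribute: AF bit clear, 2-byte length, then value."""
    return struct.pack("!HH", attr_type, len(value)) + value


def build_phase1_sa(exchange=EXCH_MAIN_MODE, icookie=None):
    """ISAKMP header + SA payload carrying one proposal with one transform.
    Transform values are an assumption; 'acceptable' depends on the target."""
    icookie = icookie if icookie is not None else os.urandom(8)
    attrs = (_attr_basic(1, 5)      # Encryption algorithm: 3DES-CBC
             + _attr_basic(2, 2)    # Hash algorithm: SHA1
             + _attr_basic(3, 1)    # Authentication method: pre-shared key
             + _attr_basic(4, 2)    # Group description: 1024-bit MODP (group 2)
             + _attr_basic(11, 1)   # Life type: seconds
             + _attr_variable(12, struct.pack("!I", 28800)))  # Life duration
    # Transform: generic header, transform #1, transform ID KEY_IKE (1), reserved
    transform = struct.pack("!BBHBBH", NP_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: generic header, proposal #1, protocol ISAKMP (1), SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", NP_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: generic header, DOI IPsec (1), situation SIT_IDENTITY_ONLY (1)
    sa = struct.pack("!BBHII", NP_NONE, 0, 12 + len(proposal), 1, 1) + proposal
    header = struct.pack("!8s8sBBBBII", icookie, ZERO_COOKIE, NP_SA, ISAKMP_VERSION,
                         exchange, 0, 0, 28 + len(sa))
    return header + sa


def wire_bits_per_second(packet, pps):
    """Bandwidth needed to send `packet` at `pps`, counting IP/UDP headers."""
    return (len(packet) + IP_UDP_OVERHEAD) * 8 * pps


def parse_isakmp_header(data):
    """Return the 28-byte ISAKMP header as a dict, or None if too short."""
    if len(data) < 28:
        return None
    fields = struct.unpack("!8s8sBBBBII", data[:28])
    return dict(zip(("icookie", "rcookie", "next_payload", "version",
                     "exchange", "flags", "message_id", "length"), fields))


def is_phase1_initiation(data):
    """First message of Main or Aggressive Mode: responder cookie still zero, SA
    payload first.  This is what the gateway must allocate a slot for before
    any authentication takes place."""
    h = parse_isakmp_header(data)
    return (h is not None and h["rcookie"] == ZERO_COOKIE and h["next_payload"] == NP_SA
            and h["exchange"] in (EXCH_MAIN_MODE, EXCH_AGGRESSIVE)
            and h["length"] == len(data))


def initiation_rate_alerts(records, window_ms=1000, threshold=10):
    """records: (timestamp_ms, src_ip, udp_payload) seen on UDP/500 towards one
    gateway.  Returns [(timestamp_ms, count)] each time the number of Phase-1
    initiations in the trailing window first exceeds `threshold`.  Sources are
    ignored on purpose: forged addresses would defeat per-source counting."""
    alerts, window, alerting = [], deque(), False
    for ts, _src, payload in sorted(records, key=lambda r: r[0]):
        if not is_phase1_initiation(payload):
            continue
        window.append(ts)
        while ts - window[0] > window_ms:
            window.popleft()
        if len(window) > threshold:
            if not alerting:
                alerts.append((ts, len(window)))
                alerting = True
        else:
            alerting = False
    return alerts


def sample_traffic():
    """Constructed sample, not a capture: one legitimate client every 5 s, then a
    10 packet/s burst from varying (as if forged) sources, plus one Informational
    exchange that must not be counted."""
    recs = [(i * 5000, "198.51.100.7", build_phase1_sa()) for i in range(4)]
    recs += [(20000 + i * 100, "203.0.113.%d" % i, build_phase1_sa()) for i in range(30)]
    informational = struct.pack("!8s8sBBBBII", b"A" * 8, b"B" * 8, 8, ISAKMP_VERSION, 5, 0, 7, 28)
    recs.append((21000, "198.51.100.7", informational))
    return recs


if __name__ == "__main__":
    pkt = build_phase1_sa()
    print(len(pkt), "bytes of IKE,", len(pkt) + IP_UDP_OVERHEAD, "on the wire")
    print(wire_bits_per_second(pkt, 10), "bit/s at 10 packets/s")
    print(initiation_rate_alerts(sample_traffic()))
```

The packet comes out at 84 bytes of IKE, 112 bytes once the assumed IPv4 and UDP headers are added, and 8,960 bit/s at 10 packets per second, matching the advisory's figures. The counter is deliberately aggregate: with forged sources every packet can look like a new client, so the only reliable signal is the total rate of fresh initiations towards the gateway compared with what the site normally sees.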

Example

We are not planning to release examples of how to exploit this vulnerability until it has been addressed and users have had an opportunity to apply the fix or workaround.

Affected Versions

The issue is believed to affect the IKE component of the following products:

Solution

There is no known fix or workaround at this time.

Timeline

The vulnerability was first discovered on 4th July 2005 and reported to Cisco's security team (PSIRT) the same day. Cisco responded on 9th August 2005, but no further progress has been made in the year since the flaw was found.

References

CVE-2006-3906

Cisco security response

Cisco Bug ID CSCse70811 for IOS software (CCO registered customers only)

Cisco Bug ID CSCse89808 for VPN 3000 concentrators (CCO registered customers only)

Cisco Bug ID CSCsb51032 for pre-7.x PIX OS (CCO registered customers only)

Cisco Bug ID CSCse92254 for 7.x PIX OS and ASA appliances (CCO registered customers only)

Cisco Bug ID CSCse92527 for Firewall Services Module for Catalyst 6500 switches and 7600 routers (CCO registered customers only)

Cisco SAN-OS on MDS devices (CCO registered customers only)

Cisco IOS XR software (CCO registered customers only)

This advisory was first released on 26th July 2006.