High-Risk Flaw Found in VPN Security Protocol

Security researchers in the United Kingdom have identified three scenarios in which malicious hackers could intercept the plaintext version of IPSec-protected communications.

An easy-to-exploit vulnerability in certain configurations of a widely used VPN protocol suite could allow malicious hackers to intercept network communications believed to be secure, according to a warning from a British security research outfit.

A high-risk alert from the U.K.-based NISCC (National Infrastructure Security Co-ordination Centre) pinpointed the flaw in IP Security, the set of protocols used to support secure exchange of packets at the IP layer.

Because IPSec is deployed widely to implement VPNs, most vendor implementations of the protocol are likely to be affected.

The NISCC said the flaw exists only in certain configurations of IPSec that use ESP (Encapsulating Security Payload) in tunnel mode with confidentiality only.

The flaw also affects configurations with integrity protection being provided by a higher layer protocol and some IPSec configurations using the key AH (Authentication Header) protocol to provide integrity protection.

"If exploited, it is possible for an active attacker to obtain the plaintext version of the IPSec-protected communications using only moderate effort," the Center said.

/zimages/5/28571.gifClick here to read about Microsofts fix for a VPN flaw in Windows XP Service Pack 2.

The group identified three attack scenarios that have "been implemented and demonstrated to work under realistic conditions" and warned that a successful exploit could modify sections of an IPSec packet to cause either the cleartext inner packet to be redirected or a network host to generate an error message.

"In the latter case, these errors are relayed via the Internet Control Message Protocol (ICMP); because of the design of ICMP, these messages directly reveal segments of the header and payload of the inner datagram in cleartext. An attacker who can intercept the ICMP messages can then retrieve plaintext data," the warning said.

Mike Poor, founder and senior security analyst at Intelguardians Network Intelligence LLC., said he believes the IPSec flaw presents "a very scary threat."

"Exposing sensitive communications that were by their very nature considered private makes this especially insidious," Poor said to Ziff Davis Internet News.

/zimages/5/28571.gifRead an eWEEK Labs review here of Check Points Connectra 2.0, a software-based SSL VPN.

Poor, however, noted that most VPN servers are set up by default to include data integrity, meaning that administrators would actually have to change the configuration in order to be vulnerable.

The NISCC recommends that the follow workarounds be implemented until vendor patches are rolled out:

  • Configure ESP to use both confidentiality and integrity protection.
  • Use the AH protocol alongside ESP to provide integrity protection. However, this must be done carefully, the Center said. For example, the configuration where AH in transport mode is applied end-to-end and tunneled inside ESP is still vulnerable.
  • Remove the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.