Key Exchange Protocol Flaw Haunts Cisco, Juniper

The vulnerability could expose certain products to denial-of-service conditions, format string attacks and buffer overflows. In some cases, it may be possible for an attacker to execute code.

Security researchers in Finland have discovered a serious security flaw in the way several big-name vendors implement the important Internet Security Association and Key Management Protocol.

The flaw could expose vulnerable products to denial-of-service conditions, format string attacks and buffer overflows.

In some cases, it may be possible for an attacker to execute code, the U.K.-based NISCC (National Infrastructure Security Co-ordination Center) said in an alert.

The ISAKMP is an important part of IPsec, the set of protocols developed by the IETF (Internet Engineering Task Force) to support secure exchange of packets.

The implementation-specific vulnerabilities, discovered by researchers at the University of Oulu in Finland, mostly affected dedicated VPN products, but the NISCC said many operating system distribution packages and some firewall products may also be vulnerable./p>

Networking software vendors Cisco Systems Inc. and Juniper Networks Inc. have confirmed that some implementations of ISAKMP in various products could put users at risk.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

In an advisory, Cisco lists the vulnerable products as Cisco IOS, Cisco PIX Firewall, Cisco Firewall Services Module, Cisco VPN 3000 Series Concentrators and the Cisco MDS Series SanOS.

Cisco said the flaws could cause denial-of-service attacks only.

Juniper rates the risk as "high" and said its list of affected products include all Juniper Networks M/T/J/E-series routers.

The JUNOS and JUNOSe Security platforms are also affected.

The Openswan Project, which is the de facto IPsec software used on many Linux distributions, is also affected.

An advisory from the Project said openswan-2 is potentially vulnerable to a denial-of-service attack in two known cases.

However, the Openswan team says it is upset that it did not get prior knowledge of the issue from the NISCC.

Without advance knowledge, the Project said it was only able to partially analyze its IPsec implementation.

"We strongly encourage CERT-FI and/or NISCC to give us access to the test kit if they are concerned about the second vulnerability and the impact of this advisory on the wide install base of Openswan-2 if those systems are left vulnerable to a DOS attack," the group said.

Stonesoft Corp.s StoneGate Firewall and VPN products are also vulnerable, the company confirmed in a security notice.

Stonesoft rated the risk as "high" and warned that the Firewall and VPN engine versions 2.6.0 and earlier use a vulnerable version of protocol implementation.

Secgo Software Oy, also acknowledged that some versions of its Crypto IP gateway and client versions are vulnerable.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.