-------------------------
| FEC Security Bulletin |
-------------------------

Bulletin ID: 2005-11-14-001-ipa
Revision: 1.0
Title: Multiple Vulnerability Issues in Implementation of ISAKMP Protocol (NISCC Vulnerability Advisory 273756/NISCC/ISAKMP)

Summary:
Multiple FEC IP Access products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the British National Infrastructure Security Co-ordination Centre (NISCC) and the Oulu University Secure Programming Group (OUSPG) of the University of Oulu in Finland, and they can be repeatedly exploited to produce denial of service attacks. The vulnerabilities affect the Internet Security Association and Key Management Protocol (ISAKMP), which is used to provide associations for other security protocols.

Products Affected:
All IPSec-enabled routers that are configured for IKE are vulnerable.

Details:
The Internet Security Association and Key Management Protocol (ISAKMP) is designed to establish, negotiate, modify and delete Security Associations. ISAKMP provides a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm and authentication mechanism. Internet Key Exchange (IKE), a derivative of ISAKMP, is a key protocol in the Internet Security Architecture (IPsec).

A subset of IKE Phase 1 negotiation was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. The purpose of this test-suite is to evaluate the implementation-level security and robustness of ISAKMP implementations. The test-suite comprises 5000 tests. The test material consists of test cases simulating hostile input to the implementation under test. A test case contains one or more exceptional elements, with all other elements in their default state.
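The test cases described above exercise exactly the checks a receiver must make before trusting any length field in an ISAKMP datagram. The following bounds-checked parser for the ISAKMP header and generic payload chain (RFC 2408 layout) is an added example, not code from the bulletin or from FEC's firmware; the sample datagrams, the MAX_PAYLOADS cap and the build_isakmp helper are constructed for the demonstration. The malformed samples each alter a single field of a well-formed message while leaving the rest at its default, mirroring how the test suite's "exceptional element" cases are built, and the parser rejects them instead of reading past the buffer or looping.

```python
"""Bounds-checked parser for the ISAKMP header and generic payload chain."""
import struct

ISAKMP_HDR_LEN = 28     # RFC 2408 section 3.1 fixed header
PAYLOAD_HDR_LEN = 4     # generic payload header: next payload, reserved, length
MAX_PAYLOADS = 64       # hypothetical cap to bound work on hostile payload chains

# Payload type and exchange type numbers from RFC 2408 used in the samples
PT_NONE, PT_SA, PT_KE, PT_NONCE = 0, 1, 4, 10
EXCH_IDENTITY_PROTECTION = 2  # Main Mode


class IsakmpParseError(ValueError):
    """Raised for any datagram that fails a bounds check."""


def parse_isakmp(data: bytes) -> dict:
    """Parse one ISAKMP datagram, validating every length field against the
    size of the buffer actually received before it is used."""
    if len(data) < ISAKMP_HDR_LEN:
        raise IsakmpParseError("truncated header: %d bytes" % len(data))
    (i_cookie, r_cookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise IsakmpParseError("unsupported major version %d" % (version >> 4))
    # The header length must describe exactly the datagram we hold; trusting
    # it blindly is how a receiver ends up reading past its buffer.
    if length != len(data):
        raise IsakmpParseError("header length %d != datagram length %d" % (length, len(data)))
    payloads = []
    offset = ISAKMP_HDR_LEN
    ptype = next_payload
    while ptype != PT_NONE:
        if len(payloads) >= MAX_PAYLOADS:
            raise IsakmpParseError("payload chain longer than %d" % MAX_PAYLOADS)
        if offset + PAYLOAD_HDR_LEN > len(data):
            raise IsakmpParseError("payload header at offset %d runs past end" % offset)
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + PAYLOAD_HDR_LEN])
        # A length below the header size would stall the loop or move it
        # backwards; a length beyond the buffer is an over-read.
        if plen < PAYLOAD_HDR_LEN:
            raise IsakmpParseError("payload length %d too small at offset %d" % (plen, offset))
        if offset + plen > len(data):
            raise IsakmpParseError("payload length %d at offset %d exceeds datagram" % (plen, offset))
        payloads.append((ptype, data[offset + PAYLOAD_HDR_LEN:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(data):
        raise IsakmpParseError("%d trailing bytes after last payload" % (len(data) - offset))
    return {"initiator_cookie": i_cookie, "responder_cookie": r_cookie,
            "exchange_type": exch_type, "flags": flags, "message_id": msg_id,
            "payloads": payloads}


def build_isakmp(payloads, exch_type=EXCH_IDENTITY_PROTECTION, i_cookie=b"\x11" * 8):
    """Serialise (type, body) pairs into a well-formed datagram (constructed
    sample data; not a real IKE implementation)."""
    body = b""
    for idx, (ptype, content) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else PT_NONE
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(content)) + content
    first = payloads[0][0] if payloads else PT_NONE
    hdr = struct.pack("!8s8sBBBBII", i_cookie, b"\x00" * 8, first, 0x10,
                      exch_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def classify(data: bytes) -> str:
    """Return 'ok' for a datagram that parses, otherwise the rejection reason."""
    try:
        parse_isakmp(data)
        return "ok"
    except IsakmpParseError as exc:
        return "rejected: %s" % exc


# Constructed samples: a plausible Main Mode first message (SA, KE, nonce
# payloads), then variants with exactly one anomalous field each.
GOOD = build_isakmp([(PT_SA, b"\x00" * 12), (PT_KE, b"\x01" * 16), (PT_NONCE, b"\x02" * 8)])
BAD_HDR_LEN = GOOD[:24] + struct.pack("!I", 0xFFFF) + GOOD[28:]   # header claims 65535 bytes
BAD_PLEN_ZERO = GOOD[:30] + b"\x00\x00" + GOOD[32:]               # first payload length 0
BAD_PLEN_BIG = GOOD[:30] + b"\x7f\xff" + GOOD[32:]                # first payload length 32767
TRUNCATED = GOOD[:20]                                             # datagram shorter than header

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("bad header length", BAD_HDR_LEN),
                         ("zero payload length", BAD_PLEN_ZERO),
                         ("oversized payload length", BAD_PLEN_BIG),
                         ("truncated", TRUNCATED)]:
        print("%-26s %s" % (name, classify(sample)))
```

Each rejection is reported with the offset and the offending value, which is the information worth logging when a peer sends malformed IKE traffic: it separates a broken implementation from a deliberate robustness probe in the way the test cases above would appear on the wire.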
Cases are arranged into test groups, each covering a certain part of the PDUs or containing similar anomalies. For more information about the test-suite, please refer to http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/

Using the test-suite we found that we failed the following test cases: #16, #427, #1681, #2970. One major fault was that a reboot of the system could be caused when IPSec was activated. Also, under some circumstances a connection could be lost.

Software Patches and Recommendation:
Susceptibility to the vulnerabilities has been removed and patches are available on our web site in the download area at http://www.funkwerk-ec.com. For security reasons it is recommended to update existing devices with the appropriate software patch (see the following list for details).

X1000 : Rel. 6.3.4 patch 24
X1200 : Rel. 6.3.4 patch 24
X1000-II : Rel. 7.2.1 patch 9
X1200-II : Rel. 7.2.1 patch 9
X2100 : Rel. 7.2.1 patch 9
X2250 : Rel. 7.2.1 patch 9
X2300 Series : Rel. 7.2.1 patch 9
X2400 Series : Rel. 7.2.1 patch 9
X3200 : Rel. 6.3.4 patch 24
X4000 Series : Rel. 7.2.1 patch 9
X8500 : Rel. 7.2.1 patch 9
VPN Access Series : Rel. 7.2.1 patch 9
X2301 : Rel. 7.2.2 patch 2
X2302 : Rel. 7.2.2 patch 2
X2301w : Rel. 7.2.2 patch 2
X2302w : Rel. 7.2.2 patch 2
R232aw : Rel. 7.2.4 patch 5
R232bw : Rel. 7.2.4 patch 5

To determine the software version running on an FEC router, log in to the device and issue the command "show rev". This displays the current software version running on the system (see the row labelled Boss). A description of how to update an FEC router can be found in the product documentation (see the chapter Gateway Management). If you want to update your software, make sure you read the relevant Release Notes; they describe all changes introduced with the new system software.

Copyright (c) 2006, Funkwerk Enterprise Communications GmbH. All Rights Reserved

----- End Security Bulletin 2005-11-14-001-ipa -----