Cisco VPN devices may be subject to DoS attacks

The series of Cisco VPN Concentrator 3000 Series is facing the risk of denial of service (DoS) attacks due to a security error arising in the application connection procedure in the device.

Picture 1 of Cisco VPN devices may be subject to DoS attacks
The series of Cisco VPN Concentrator 3000 Series is facing the risk of denial of service (DoS) attacks due to a security error arising in the application connection procedure in the device.

The above security error arises in Internet Key Exchange (IKE) procedure. This is the procedure for allowing virtual private network access IPSec VPN. This security bug could allow an attacker to destroy the 3000 Series Cisco VPN Concentrator by "flooding" the device with a variety of IKE connection requirements that prevent the device from processing network traffic. connect.

Security researcher Roy Hills of security research firm NTA Monitor was the first to discover this security flaw and officially released his findings through the list of newsletters Full Disclosure Day. yesterday (July 26).

The attacker does not need to have login rights to exploit the above security flaw that arises before the login authentication stage, Hills said. Not only that, but the intrusion detection and prevention system is also completely disabled because the packets of information that require an IKE connection to be used as an attack are completely legal, do not contain any malicious code. Come on.

The Cisco Series Concentrator 3000 Series is a product designed specifically for deployment when enterprise virtual private network. The device can support 200 to 10,000 remote IPSec connection requests at the same time.

In a warning message issued yesterday, Cisco Security Issues Response Team (PSIRT) said the above security error only affects version 1 of the IKE connection procedure and not Security error in manufacturer's hardware. Some Cisco products have IKE version 1 applications such as Adaptive Security Appliance (ASA), PIX Firewall and Cisco Internetworking Operating System (IOS) also suffer from the above security error.

Customers using the above-mentioned products can protect themselves by applying Call Admission Control (CAC) to the IKE connection. In this way, it is possible to limit the number of simultaneous connections to the device, preventing flooding of the device by a series of connection requirements.

Although Cisc will continue to study more about this security error to reduce the negative impact of security errors. However, a patch is very hard to release, Mike Caudill - PSIRT managing director - confirmed.

" This is a very difficult security fix because it is a security flaw in the procedure. This is a widely applied procedure, not just in Cisco products ," Caudill said.

Hoang Dung

Update 13 December 2018
« PREV
NEXT »
Category

Technology

Life

Discover science

Medicine - Health

Event

Entertainment