[NEWS] Nortel VPN Router Malformed Packet DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/05
To: list@securiteam.com Date: 2 Jun 2005 17:21:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Nortel VPN Router Malformed Packet DoS
------------------------------------------------------------------------
SUMMARY
NTA Monitor have discovered a denial of service (DoS) vulnerability in the
Nortel VPN Router products (previously known as Nortel Contivity) while
performing a VPN security test for a customer.
The vulnerability allows an attacker to crash the Nortel VPN router by
sending it a single malformed IKE packet.
DETAILS
Vulnerable Systems:
* Nortel VPN Router model 1010
* Nortel VPN Router model 1050
* Nortel VPN Router model 1100
* Nortel VPN Router model 600
* Nortel VPN Router model 1600
* Nortel VPN Router model 1700
* Nortel VPN Router model 2600
* Nortel VPN Router model 2700
* Nortel VPN Router model 4500
* Nortel VPN Router model 4600
* Nortel VPN Router model 5000
Immune Systems:
* Nortel VPN software version V5.05_200 or later
The vulnerability is triggered by sending a single IPSec IKE packet with a
malformed ISAKMP header. On receipt of this malformed packet, the VPN
router will crash immediately. The crash occurs every time such a
malformed packet is sent.
Sometimes the affected VPN router will automatically reboot (which takes
about five minutes), but sometimes it will stay down indefinitely and
require manual intervention to restart it. In tests, the VPN router
automatically rebooted around 80% of the time, and needed to be manually
reset on the remaining 20%.
The VPN router does not log the malformed packet, even if the logging
level is turned up to maximum. This is probably because the packet causes
the router to crash before it has a chance to log it.
It is not normally possible to block public inbound access to the IKE
service on the VPN router, because it is required for remote access IPSec
operation. As IKE uses the UDP transport protocol, the attacker may forge
the packet's source IP address to avoid identification, or to prevent the
victim from blocking the traffic with ingress filtering. In addition,
current IDS/IPS systems will probably not be able to detect the attack,
because the malformed packet looks very similar to a normal IKE packet.
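Because the router crashes before it can write a log entry, any record of such traffic has to come from a device that sees the UDP/500 datagram independently (a span port, firewall log or packet capture). The following is an added example, not code from the advisory or from NTA Monitor or Nortel: it decodes the fixed 28-byte ISAKMP header defined in RFC 2408 section 3.1 and reports header fields that are inconsistent with the datagram or with the IKEv1 specification. The advisory does not disclose which field the triggering packet malforms, so these are generic sanity checks for an out-of-band logger, not a signature for that specific packet, and a packet that passes them may still be malformed in its payloads. The sample datagrams, cookie values and the `header_anomalies` / `log_line` function names are constructed for this example.

```python
"""Out-of-band sanity checks for ISAKMP (IKEv1) headers seen on UDP/500.

Added example, not part of the advisory. Checks only the fixed header
(RFC 2408 section 3.1); the specific malformation that crashes the Nortel
VPN Router is not disclosed, so these are generic consistency checks.
"""
import struct
from dataclasses import dataclass
from typing import List

# RFC 2408 3.1: initiator cookie (8), responder cookie (8), next payload (1),
# version (1), exchange type (1), flags (1), message ID (4), length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28 bytes

# Exchange types from RFC 2408 (1-5) and RFC 2409 (32 Quick Mode, 33 New Group).
KNOWN_EXCHANGE_TYPES = {1, 2, 3, 4, 5, 32, 33}
PHASE1_EXCHANGE_TYPES = {1, 2, 3, 4}   # RFC 2409: message ID MUST be 0 in phase 1
RESERVED_FLAG_BITS = 0xF8              # only E (0x01), C (0x02), A (0x04) are assigned
IKEV1_VERSION = 0x10                   # major 1, minor 0


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(datagram: bytes) -> IsakmpHeader:
    """Decode the fixed header; raise ValueError if the datagram is too short."""
    if len(datagram) < ISAKMP_HDR_LEN:
        raise ValueError(f"datagram of {len(datagram)} bytes is shorter than the "
                         f"{ISAKMP_HDR_LEN}-byte ISAKMP header")
    return IsakmpHeader(*ISAKMP_HDR.unpack_from(datagram))


def header_anomalies(datagram: bytes) -> List[str]:
    """Return header inconsistencies; an empty list means the header is
    self-consistent (it says nothing about the payloads that follow it)."""
    try:
        hdr = parse_isakmp_header(datagram)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if hdr.length != len(datagram):
        findings.append(f"length field {hdr.length} != datagram size {len(datagram)}")
    if hdr.version >> 4 != IKEV1_VERSION >> 4:
        findings.append(f"major version {hdr.version >> 4} is not 1")
    if hdr.exchange_type not in KNOWN_EXCHANGE_TYPES:
        findings.append(f"unknown exchange type {hdr.exchange_type}")
    if hdr.flags & RESERVED_FLAG_BITS:
        findings.append(f"reserved flag bits set: 0x{hdr.flags:02x}")
    if hdr.initiator_cookie == bytes(8):
        findings.append("initiator cookie is all zeros")
    if hdr.exchange_type in PHASE1_EXCHANGE_TYPES and hdr.message_id != 0:
        findings.append(f"phase 1 exchange with non-zero message ID {hdr.message_id}")
    return findings


def log_line(src_ip: str, datagram: bytes) -> str:
    """One log record per datagram. Note: IKE runs over UDP, so the source
    address may be forged and is evidence of where to filter, not of who sent it."""
    findings = header_anomalies(datagram)
    verdict = "ok" if not findings else "ANOMALY: " + "; ".join(findings)
    return f"udp/500 from {src_ip}: {len(datagram)} bytes, {verdict}"


def build_isakmp(exchange_type: int, body: bytes = b"", *, icookie: bytes,
                 rcookie: bytes = bytes(8), next_payload: int = 1,
                 version: int = IKEV1_VERSION, flags: int = 0,
                 message_id: int = 0, length: int = None) -> bytes:
    """Assemble a datagram for testing; length defaults to the true size."""
    if length is None:
        length = ISAKMP_HDR_LEN + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, version,
                           exchange_type, flags, message_id, length) + body


# Constructed samples (cookie values and body bytes are arbitrary test data).
SAMPLE_ICOOKIE = bytes.fromhex("0123456789abcdef")
# Main Mode (exchange type 2) first message: zero responder cookie, zero message
# ID, 20 filler bytes standing in for an SA payload, correct length field.
WELL_FORMED_MAIN_MODE = build_isakmp(2, b"\x00" * 20, icookie=SAMPLE_ICOOKIE)
# Same header with an impossible length, an undefined exchange type and
# reserved flag bits set; this is a test vector, not the advisory's packet.
MALFORMED_SAMPLE = build_isakmp(0xFF, icookie=SAMPLE_ICOOKIE, flags=0xFF,
                                length=0xFFFFFFFF)

if __name__ == "__main__":
    for src, pkt in (("192.0.2.10", WELL_FORMED_MAIN_MODE),
                     ("192.0.2.20", MALFORMED_SAMPLE),
                     ("192.0.2.30", b"\x00" * 10)):
        print(log_line(src, pkt))
```

Run against a capture of UDP/500 traffic taken upstream of the router, this gives the log entry the router itself cannot produce; the length check in particular catches a header whose declared size disagrees with the datagram, which the router's own parser evidently has to handle before it can log anything.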
It is possible for attackers to detect and fingerprint Nortel VPN routers
using the IKE fingerprinting techniques that we have previously published
in VPN security white papers. Therefore users should not assume that
their VPN router is invisible just because it's not published in the DNS
and is not running any TCP services.
Vendor Status:
The vendor has released a fix at:
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp
ADDITIONAL INFORMATION
The information has been provided by Roy Hills <Roy.Hills@nta-monitor.com>.
The original article can be found at:
http://www.nta-monitor.com/news/vpn-flaws/nortel/nortel-client/