[NEWS] Nortel VPN Router Malformed Packet DoS
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 2 Jun 2005 17:21:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Nortel VPN Router Malformed Packet DoS
NTA Monitor have discovered a denial of service (DoS) vulnerability in the
Nortel VPN Router products (which were previously known as Nortel
Contivity) while performing a VPN security test for a customer.
The vulnerability allows attackers to send a single malformed IKE packet
that in turn will cause the Nortel VPN router to crash.
* Nortel VPN router models 1010
* Nortel VPN router models 1050
* Nortel VPN router models 1100
* Nortel VPN router models 600
* Nortel VPN router models 1600
* Nortel VPN router models 1700
* Nortel VPN router models 2600
* Nortel VPN router models 2700
* Nortel VPN router models 4500
* Nortel VPN router models 4600
* Nortel VPN router models 5000
* Nortel VPN software version V5.05_200 or later
The vulnerability is triggered by sending a single IPSec IKE packet with a
malformed ISAKMP header. On receipt of this malformed packet, the VPN
router will crash immediately. The crash occurs every time such a
malformed packet is sent.
Sometimes the affected VPN router will automatically reboot (which takes
about five minutes), but sometimes it will stay down indefinitely and
require manual intervention to restart it. In tests, the VPN router
automatically rebooted around 80% of the time, and needed to be manually
reset on the remaining 20%.
The VPN router does not log the malformed packet, even if the logging
level is turned up to maximum. This is probably because the packet causes
the router to crash before it has a chance to log it.
It is not normally possible to block public inbound access to the IKE
service on the VPN router, because it is required for remote access IPSec
operation. As IKE uses the UDP transport protocol, the attacker may forge
the packet's source IP address to avoid identification, or to prevent the
victim from blocking the traffic with ingress filtering. In addition,
current IDS/IPS systems will probably not be able to detect the attack,
because the malformed packet looks very similar to a normal IKE packet.
It is possible for attackers to detect and fingerprint Nortel VPN routers
using the IKE fingerprinting techniques that we have previously published
in VPN security white papers. Therefore users should not assume that
their VPN router is invisible just because it's not published in the DNS
and is not running any TCP services.
The vendor has released a fix located at:
The information has been provided by <mailto:Roy.Hills@nta-monitor.com>
Roy Hills .
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.