Nortel VPN Router Malformed Packet DoS Vulnerability

From: Roy Hills (Roy.Hills_at_nta-monitor.com)
Date: 05/31/05

  • Next message: Benton Lam: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)" 
    Date: Tue, 31 May 2005 10:22:54 +0100
To: bugtraq@securityfocus.com

    Nortel VPN Router Malformed Packet DoS Vulnerability

    Summary:

    NTA Monitor have discovered a denial of service (DoS) vulnerability in the
    Nortel VPN Router products (which were previously known as Nortel
    Contivity) while performing a VPN security test for a customer.

    We believe that this is a serious vulnerability, because a single malformed
    IKE packet causes the VPN router to crash. Also it is not normally
    possible to prevent the malformed packet from reaching the router.

    Vulnerability Details:

    The vulnerability is triggered by sending a single IPsec IKE packet with a
    malformed ISAKMP header. On receipt of this malformed packet, the VPN
    router will crash immediately. The crash occurs every time such a
    malformed packet is sent.

    Sometimes the affected VPN router will automatically reboot (which takes
    about five minutes), but sometimes it will stay down indefinitely and
    require manual intervention to restart it. In tests, the VPN router
    automatically rebooted around 80% of the time, and needed to be manually
    reset on the remaining 20%.

    The VPN router does not log the malformed packet, even if the logging level
    is turned up to maximum. This is probably because the packet causes the
    router to crash before it has a chance to log it.

    It is not normally possible to block public inbound access to the IKE
    service on the VPN router, because it is required for remote access IPsec
    operation. As IKE uses the UDP transport protocol, the attacker may forge
    the packet's source IP address to avoid identification, or to prevent the
    victim from blocking the traffic with ingress filtering. In addition,
    current IDS/IPS systems will probably not be able to detect the attack,
    because the malformed packet looks very similar to a normal IKE packet.

    It is possible for attackers to detect and fingerprint Nortel VPN routers
    using the IKE fingerprinting techniques that we have previously published
    in VPN security white papers. Therefore users should not assume that their
    VPN router is invisible just because it's not published in the DNS and is
    not running any TCP services.

    We are not planning to release the precise details of the malformed packet,
    or the proof-of-concept exploit code due to the danger of an exploit being
    released before the majority of the Nortel VPN users have upgraded to the
    fixed version.

    Affected Versions:

    The issues affects Nortel VPN router models 1010, 1050, 1100, 600, 1600,
    1700, 2600, 2700, 4500, 4600 and 5000. We believe that all current
    software versions on the affected models are vulnerable.

    Solution:

    Upgrade to software version V5.05_200 or later. Nortel customers with a
    valid login may obtain the new software from the Nortel technical support
    website:

    http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp

    Patches for earlier software releases 4.76, 4.85, 4.90 and 5.00 are
    expected to be available within a few weeks.

    Timeline:

    The vulnerability was first discovered on 3rd March 2005, and was
    immediately reported to the customer and Nortel Networks security
    team. Nortel reproduced the issue, and developed a fix. The fixed version
    for the latest software was released on 27th May 2005.

    Further Information:

    For further information, including technical details and screenshots, see:

    http://www.nta-monitor.com/news/vpn-flaws/nortel/nortel-client/

    We would like to thank Nortel Networks for responding promptly to this
    issue, and producing a software fix to address it.

    Roy Hills 

    --
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/
  • Next message: Benton Lam: "Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)"