The National Infrastructure Security Co-ordination
Centre (NISCC) has warned of a security hole in a common virtual
private networking protocol, which could leave firms open to
denial-of-service attacks that crash their systems.
Researchers at the University of Oulu in Finland announced the
flaw this week and NISCC has issued a joint advisory about the
problem.
The vulnerability affects the Internet Security Association and
Key Management Protocol (ISAKMP), which is used in IPsec-based (IP
security) VPNs and firewall systems.
The threat affects a range of products from companies such as
Cisco Systems, Juniper Networks, Nokia and others.
The advisory said, “This flaw may expose denial-of-service
conditions, format string vulnerabilities and buffer
overflows.”
Buffer overflows allow remote attackers to take over a network
and send arbitrary and malicious code to systems.
ISAKMP, an important part of IPsec, is used to establish secure
links over the public internet. IPsec is used to encrypt data
packets and create secure “tunnels” for traffic travelling over the
public internet and into a corporate network.
Remote workers also use IPsec to access their companies’
internal networks.
Cisco and Juniper, two of the main companies affected by the
vulnerability, have already issued patches to fix the problem.
Others are set to do so.