VPN flaw could crash networks


Antony Savvas

The National Infrastructure Security Co-ordination Centre (NISCC) has warned of a security hole in a common virtual private networking protocol, which could leave firms open to denial-of-service attacks that crash their systems.

Researchers at the University of Oulu in Finland announced the flaw this week and NISCC has issued a joint advisory about the problem.

The vulnerability affects the Internet Security Association and Key Management Protocol (ISAKMP), which is used in IPsec-based (IP security) VPNs and firewall systems.

The threat affects a range of products from companies such as Cisco Systems, Juniper Networks, Nokia and others.

The advisory said, “This flaw may expose denial-of-service conditions, format string vulnerabilities and buffer overflows.”

Buffer overflows can allow remote attackers to run arbitrary, malicious code on affected systems and take over a network.

ISAKMP, an important part of IPsec, is used to establish secure links over the public internet. IPsec is used to encrypt data packets and create secure “tunnels” for traffic travelling over the public internet and into a corporate network.

Remote workers also use IPsec to access their companies’ internal networks.

Cisco and Juniper, two of the main companies affected by the vulnerability, have already issued patches to fix the problem. Others are set to do so.
