The National Infrastructure Security Co-ordination Centre (NISCC) has warned of a security hole in a common virtual private networking protocol, which could leave firms open to denial-of-service attacks that crash their systems.
Researchers at the University of Oulu in Finland announced the flaw this week and NISCC has issued a joint advisory about the problem.
The vulnerability affects the Internet Security Association and Key Management Protocol (ISAKMP), which is used in IPsec-based (IP security) VPNs and firewall systems.
The threat affects a range of products from companies such as Cisco Systems, Juniper Networks, Nokia and others.
The advisory said, “This flaw may expose denial-of-service conditions, format string vulnerabilities and buffer overflows.”
Buffer overflows allow remote attackers to take over a network and send arbitrary and malicious code to systems.
ISAKMP, an important part of IPsec, is used to establish secure links over the public internet. IPsec is used to encrypt data packets and create secure “tunnels” for traffic travelling over the public internet and into a corporate network.
Remote workers also use IPsec to access their companies’ internal networks.
Cisco and Juniper, two of the main companies affected by the vulnerability, have already issued patches to fix the problem. Others are set to do so.