Flaw in Cisco VPN 3000 kit cannot be patched

A flaw in a protocol used by Cisco Systems' VPN 3000 Series virtual private networking kit can open up firms to a denial of service attack, but it cannot be patched.

A flaw in a protocol used by Cisco Systems' VPN 3000 Series virtual private networking kit can open up firms to a denial of service attack, but it cannot be patched.

The vulnerability is in the Internet Key Exchange (IKE) protocol, which enables remote IPsec (IP Security) VPN access.

The flaw can allow attackers to cripple VPN 3000 Series kit by flooding it with IKE requests, and making it unable to handle legitimate traffic.

The vulnerability has been disclosed by UK security research firm NTA Monitor, and confirmed by Cisco.

Cisco says the fault is not vendor specific and affects version 1 of the IKE protocol, so other suppliers’ systems that use this protocol may also be vulnerable, said Cisco.

Cisco's VPN 3000 Series concentrators are used at firms to support anything from between 200 and 10,000 simultaneous IPSec remote access users.

Other Cisco products that use IKE version 1 include the Adaptive Security Appliance (ASA) line, the PIX firewall platform and the very widely used Cisco Internetworking Operating System (IOS) software.

Cisco said it would work on producing workarounds to the problem as a patch was not really possible, considering the fault lies with the protocol itself.


Vote for your IT greats

Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference?

Vote now at: www.computerweekly.com/ITgreats


 

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close