VPN flaw threatens Internet traffic

A flaw in a key Internet security protocol used by major networking products could open systems up to denial-of-service and other kinds of attacks, experts have warned.

Finnish researchers at the University of Oulu announced Monday that they have found a vulnerability in the Internet Security Association and Key Management Protocol, or ISAKMP. The technology is used in IPsec virtual private network and firewall products from a range of networking companies, including giants Cisco Systems and Juniper Networks.

The severity of the problems varies by software vendor, according to an advisory issued jointly by the British National Infrastructure Security Co-ordination Centre and the Finnish CERT.

"These flaws may expose denial-of-service conditions, format string vulnerabilities, and buffer overflows," the advisory said. All these could shut down devices and slow transmission of data across the Internet. In some cases, they could also allow hackers to execute code and hijack a device, NISCC warned.

The ISAKMP, which provides associations for other security protocols, is used to establish secure links over the public Internet. It is an important part of IPsec, which is used to encrypt packets and create secure tunnels for traffic traveling over the public Internet and into a corporate network. Large companies with small branch offices use IPsec to securely connect their smaller offices to headquarters. Remote workers also use the technology to access their companies' internal networks.

Cisco and Juniper, two of the largest networking technology vendors, acknowledged that some of their products are at risk.

Cisco said the security flaw could cause devices to reset over and over, which could cause a temporary denial-of-service attack. It did not mention the possibility of the device being taken over by an intruder.

The San Jose, Calif.-based company is providing free software upgrades to fix the problem and has published a security advisory. The list of affected products includes Cisco IOS, Cisco PIX Firewall, Cisco Firewall Services Module, Cisco VPN 3000 Series Concentrators and the Cisco MDS Series SanOS, according to the alert.

The list of Juniper products affected include all of its M-series, T-series, J-series and E-series routers, as well as most versions of its Junos and JunoSe Security software. A Juniper representative said the company has been aware of the problem since June, so software issued on or after July 28 provide fixes for the flaw, the representative said.

The Openswan Project, which is IPsec software used on many Linux products, is also affected. The organization behind the software released Openswan 2.4.2 in response to the advisory. The update can be downloaded from its Web site.

Networking gear vendor 3Com said it is looking into the matter to see if any of its products are affected. IBM and Microsoft said their products are not affected. A full list of companies that have responded to the alert can be found on the NISCC Web site.