Britain's national emergency response team, the National Infrastructure Security Coordination Centre, issued a warning this week about the safety of virtual private networks that use IPsec encryption and tunneling to connect to corporate networks.
The flaw, which the NISCC rates as "high" risk, makes it possible for an attacker to intercept IP packets traveling between two IPsec devices. They could then modify the encapsulation security payload--a subprotocol that encrypts the data being transported. This could ultimately expose this data to an unauthorized third party.
On its Web site, NISCC stated: "By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet?If these messages can be intercepted by an attacker, then plaintext data is revealed."
The NISCC includes a number of solutions to this issue in its advisory.
Dan Ilett of ZDNet UK reported from London.