VPN flaws cause router patching nightmare

Multiple vulnerabilities found in a VPN protocol used by most router vendors means that administrators are once again being advised to patch their network hardware, which is a far bigger issue than patching servers or desktops.Researchers at the University of Oulu in Finland on Monday said they had found multiple vulnerabilities in the Internet Security Association and Key Management Protocol [ISAKMP], which is used to create secure tunnels over the public Internet.

Multiple vulnerabilities found in a VPN protocol used by most router vendors means that administrators are once again being advised to patch their network hardware, which is a far bigger issue than patching servers or desktops.

Researchers at the University of Oulu in Finland on Monday said they had found multiple vulnerabilities in the Internet Security Association and Key Management Protocol [ISAKMP], which is used to create secure tunnels over the public Internet. If exploited, the affected routers could be vulnerable to anything from a DDoS attack to remote code execution.

Adam Pointon, partner at Melbourne-based IT security consultancy Assurance.com.au, told ZDNet Australia  that the flaws are a big deal because they affect such a variety of products. He is also worried that a testing tool made available for download could be used to develop exploits.

"The vulnerabilities vary from just a denial of service to a complete code execution on the systems... From your little Soho routers to every single version of Cisco's [IOS] on the network," said Pointon.

Over the past few months, network administrators have been under pressure to patch their Cisco routers because of critical vulnerabilities in the company's Internetwork Operating System (IOS).

Cisco's chief security officer John Stewart last month admitted to ZDNet Australia  that many of the company's customers are using very old versions of IOS because they are not used to updating the operating system on their network hardware.

"Because we haven't had the traditional problems that multi-purpose operating system vendors have had, we have faced a delay in the adoption cycle of the latest [version] of IOS," said Stewart.

Assurance.com.au's Pointon said on Tuesday that this latest disclosure means Cisco customers that have recently go through the pain of updating IOS will have to do it again.

"It does leave a big entry vector back in, so everybody is going to have to run around and update again because it is such a generic range of vulnerabilities," said Pointon.

To make matters worse, the University of Oulu has published a tool that can help router vendors test their systems to see if they are affected by the flaws. Although the tool will help security researchers, Pointon believes it will also help attackers quickly develop exploits.

"The guys have publicly released their IPSec testing tool... it would be trivial to use this tool against a system, then reverse engineer the tests it performs to the point of writing an exploit," added Pointon.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All