Government warns of IPsec VPN flaw

Brief: Companies using IPsec VPNs may be vulnerable to attack, via a flaw in an encryption sub-protocol

The UK's National Infrastructure Security Coordination Centre (NISCC) has issued a serious warning over the safety of IPsec virtual private networks (VPNs).

On its Web site, NISCC said a flaw in the IPsec VPN protocol could allow hackers to obtain a text version of encrypted communications with only "moderate effort".

The flaw, which NISCC rated as 'high risk', makes it possible for an attacker to intercept IP packets travelling between two IPsec devices and modify the encapsulation security payload — a sub-protocol that encrypts the data being transported. This could ultimately expose this data to an unauthorised third party.

On its Web site, NISCC wrote: "By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet…If these messages can be intercepted by an attacker, then plaintext data is revealed."

NISCC has published a number of solutions to this issue.