>
> *************************
> Widely Deployed Software
> *************************
>
>
> **********************************************************************
>
> (2) HIGH: Multiple Vendor IPSec IKE Implementation Vulnerabilities
> Affected:
> Cisco, Juniper, Sun, HP, Nortel, CheckPoint and OpenSWAN products
>
> Description: IP Security (IPSec) protocol suite is a standard for
> securing communications by encrypting and/or authenticating all the IP
> packets. Internet Key Exchange (IKE) is a part of the IPSec protocol
> that provides automated key management and peer authentication. The
> IPSec protocols are used for establishing VPN tunnels. Multiple
> vulnerabilities have been reported in the IPSec IKE protocol
> implementation by various vendors. The flaws were discovered using the
> IKE PROTOS test suite that stresses a vendor's IKE implementation by
> sending malformed IKE messages. Successful exploitation of these flaws
> may cause a denial-of-service or result in arbitrary code execution on
> the system/device supporting the IPsec protocol. In many VPN set-ups,
> the default port 500/udp is used for IPsec negotiation, which makes it
> easier to spoof a malformed IKE packet. The test suite is publicly
> available.
>
> Status: Cisco, Juniper, Sun, HP, Nortel, CheckPoint, OpenSWAN have
> confirmed the vulnerability and released patches. Other vendors are
> still investigating if their products are affected.
>
> Council Site Actions: Only a few council sites responded to this item.
> More information has been published since we sent it out to the council
> sites. Two sites plan to deploy the patches for their Cisco equipment
> during their next regularly scheduled system update process. The other
> site has confirmed vulnerable platforms, but is still in the process or
> waiting on confirmation from other vendors.
>
> References:
> NISCC UK Advisory
> http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en
> CERT Advisory
> http://www.kb.cert.org/vuls/id/226364
> PROTOS Test Suite by University of OULU, Finland
> http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
> Cisco Advisory
> http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml
> IKE RFC
> http://www.faqs.org/rfcs/rfc2409.html
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/15401
> http://www.securityfocus.com/bid/15402
> http://www.securityfocus.com/bid/15416
> http://www.securityfocus.com/bid/15420
> http://www.securityfocus.com/bid/15462
> http://www.securityfocus.com/bid/15471
> http://www.securityfocus.com/bid/15479
>
> ****************************************************************
>
> 05.46.30 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple Vendor Antivirus Products Obscured File Name Scan Evasion
> Description: Multiple antivirus products do not properly identify
> potentially malicious files when their names contain certain
> non-printing characters. Specifically, files with names containing
> characters with ASCII values 0xC0, 0xD7, 0xBA, 0xDC may evade
> detection.
> Ref: http://www.securityfocus.com/bid/15423
> ______________________________________________________________________
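
For item (2) above: one class of malformed IKE message is a packet whose length fields disagree with the datagram actually received. The C code below is an added example, not code from the newsletter, the PROTOS suite or any vendor; it checks ISAKMP framing against the RFC 2408 header layout before any payload is interpreted, and `ike_check_framing`, `ike_result` and `sample_pkt` are names and data constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28 /* fixed ISAKMP header, RFC 2408 section 3.1 */
#define GENERIC_PL_LEN 4  /* generic payload header, RFC 2408 section 3.2 */

enum ike_result { IKE_OK, IKE_SHORT, IKE_BAD_LENGTH, IKE_BAD_PAYLOAD };

/* Constructed sample: header (next payload 1, length 36) plus one 8-byte payload. */
static const uint8_t sample_pkt[36] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0, /* cookies */
    0x01, 0x10, 0x02, 0x00, 0,0,0,0, 0,0,0,0x24, /* next, ver, exch, flags, msg id, length */
    0x00, 0x00, 0x00, 0x08, 0xde,0xad,0xbe,0xef /* payload: next=0, reserved, len=8, body */
};

/* Check framing only: every length field must fit inside the received datagram. */
enum ike_result ike_check_framing(const uint8_t *pkt, size_t len)
{
    if (len < ISAKMP_HDR_LEN) return IKE_SHORT;
    uint32_t total = (uint32_t)pkt[24] << 24 | (uint32_t)pkt[25] << 16 |
                     (uint32_t)pkt[26] << 8 | pkt[27];
    if (total < ISAKMP_HDR_LEN || total > len) return IKE_BAD_LENGTH;
    if (pkt[19] & 0x01) return IKE_OK; /* encryption flag set: payloads are opaque here */

    uint8_t next = pkt[16];
    size_t off = ISAKMP_HDR_LEN;
    while (next != 0) { /* 0 = no further payload */
        if (total - off < GENERIC_PL_LEN) return IKE_BAD_PAYLOAD;
        size_t plen = (size_t)pkt[off + 2] << 8 | pkt[off + 3];
        /* plen >= 4 guarantees progress; plen <= remaining prevents over-read */
        if (plen < GENERIC_PL_LEN || plen > total - off) return IKE_BAD_PAYLOAD;
        next = pkt[off];
        off += plen;
    }
    return off == total ? IKE_OK : IKE_BAD_LENGTH;
}

int main(void)
{
    uint8_t bad[sizeof sample_pkt];
    memcpy(bad, sample_pkt, sizeof bad);
    bad[30] = 0xff; bad[31] = 0xff; /* payload claims 65535 bytes */
    printf("sample=%d oversized-payload=%d\n",
           ike_check_framing(sample_pkt, sizeof sample_pkt),
           ike_check_framing(bad, sizeof bad));
    return 0;
}
```

The check covers framing only; payload contents (proposals, transforms, IDs) need their own bounds checks once decoded.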