{"vuid":"VU#761651","idnumber":"761651","name":"Cisco VPN 3000 series concentrator does not properly handle malformed ISAKMP packets","keywords":["Cisco","VPN Concentrator","DoS","denial of service","malformed ISAKMP packet","port 500/udp","IPSec","CSCdy38035"],"overview":"Cisco VPN 3000 series concentrators do not properly handle specially crafted Internet Security Association and Key Management Protocol (ISAKMP) packets, which can cause a vulnerable device to reload, denying service to legitimate users.","clean_desc":"According to information on the Cisco web site,\nThe Cisco VPN 3000 Series Concentrators are a family of purpose-built, remote access Virtual Private Network (VPN) platforms and client software that incorporates high availability, high performance and scalability with the most advanced encryption and authentication techniques available today. The Cisco VPN 3000 series concentrators support the IPsec (RFC 2401) and ISAKMP (RFC 2408) protocols. From RFC 2408: [ISAKMP] defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. Cisco VPN 3000 series concentrators do not properly calculate the length of ISAKMP messages. Based on the Length field supplied in the ISAKMP header, a zero or negative value may be passed to a malloc() call, resulting in an error that causes the device to reload. Cisco has released an advisory addressing this and other vulnerabilities in the Cisco VPN 3000 series concentrator. VU#761651 corresponds to Cisco bug ID CSCdy38035.\nAccording to the details of the Cisco advisory, this vulnerability can also be exploited by an ISAKMP packet with a large number of payloads or, if debug is enabled, by large or otherwise malformed ISAKMP packets.","impact":"An unauthenticated, remote attacker can cause a vulnerable device to reload by sending specially crafted ISAKMP packets to port 500/udp.","resolution":"Upgrade System Software\nUpgrade the system software to release 3.6.1 or later or 3.5.5 or later as specified in the Cisco advisory.","workarounds":"Restrict Access\nRestricting access to 500/udp on vulnerable devices will provide some protection; however, UDP traffic is relatively easy to spoof, and legitimate clients require access to 500/udp in order to use ISAKMP.\nDisable Debug\nAccording to the Cisco advisory, if debug is enabled, a VPN 3000 series concentrator is vulnerable to additional types of ISAKMP packets. Disable debug to prevent some types of ISAKMP packets from affecting a vulnerable device. Note that this is an incomplete solution.\nDisabling debug will not prevent other types of ISAKMP packets from causing a vulnerable device to reload.","sysaffected":"","thanks":"The CERT/CC thanks \nPhenoelit\n for reporting this vulnerability and Cisco for information used in this document.","author":"This document was written by Art Manion.","public":["http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml","http://www.ietf.org/rfc/rfc2401.txt","http://www.ietf.org/rfc/rfc2408.txt","http://online.securityfocus.com/bid/5609","http://online.securityfocus.com/bid/5619","http://online.securityfocus.com/archive/82/292506/2002-09-13/2002-09-19/0","http://www.iss.net/security_center/static/10028.php"],"cveids":["CVE-2002-1103"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-08-20T16:56:44Z","publicdate":"2002-09-03T00:00:00Z","datefirstpublished":"2002-09-03T18:40:39Z","dateupdated":"2002-11-14T05:04:47Z","revision":22,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"8","cam_impact":"8","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"7.728","cam_scorecurrentwidelyknown":"9.408","cam_scorecurrentwidelyknownexploited":"16.128","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.728,"vulnote":null}