May 10th, 2005, 06:07 AM
Worrisom IPSec vulnerability announced
Well, I was reading along the handler's daily log over at isc.sans.org, not expecting anything much and then it hits me like a slap in the face:
IPSec vuln announced
NISCC has posted an advisory for IPSEC implementations. Seems that any configuration of IPSec that uses ESP, IP protocol 50 (Encapsulating Security Payload), with confidentiality (encryption) only is affected. In addition, reports of some configurations of AH (Authentication Header), IP protocol 51 are also affected.
The impact of this vulnerability is huge (well, assuming that you arent using data integrity already), as the attacker could get the plaintext version of the communication. As was pointed out to me by an ISC reader, the default on most VPN servers is to include data integrity with ESP. This is one good case where most people probably dont stray too far from the default config *sic*.
Principal workaround: Ensure that you use ESP with integrity protection.
It's always scary when you learn that a (suite of) protocol like IPSec, thats widely accepted by the community as being secure, suddently as a bad flaw revealed.
Of course there apperently are workarounds to this issue, but still, this is not like the previous isakmp daemons implementation flaws, but rather an issue with the protocol and crypto itself...
Credit travels up, blame travels down -- The Boss