The Cisco VPN Concentrator 3000 Series is exposed to denial-of-service (DoS) attacks because of a vulnerability in the protocol the device uses to set up connections.
The flaw lies in the Internet Key Exchange (IKE) protocol, which provides remote access to the IPSec VPN private network. It could allow an attacker to disrupt a Cisco VPN Concentrator 3000 Series device by flooding it with IKE connection requests, leaving the device unable to process incoming network traffic.
Security researcher Roy Hills of NTA Monitor was the first to discover the vulnerability and publicly announced his findings on the Full Disclosure security mailing list yesterday (July 26).
According to Hills, an attacker does not need login credentials to exploit the vulnerability, because it is triggered before the authentication phase. Intrusion detection and prevention systems offer no protection either, since the IKE connection request packets used in the attack are entirely legitimate and carry no malicious code.
The Cisco VPN Concentrator 3000 Series is designed for enterprise virtual private network deployments. Depending on the model, the device supports from 200 to 10,000 simultaneous IPSec connection requests.
In an advisory issued yesterday, Cisco's Product Security Incident Response Team (PSIRT) stated that the vulnerability affects only IKE version 1 (IKEv1) and is not a flaw in the manufacturer's hardware. Other Cisco products that use IKEv1, such as the Adaptive Security Appliance (ASA), the PIX Firewall, and the Cisco Internetwork Operating System (IOS), are affected as well.
Customers running the affected products can protect themselves by enabling Call Admission Control (CAC) for IKE. CAC caps the number of IKE connections the device will handle at once, so a flood of connection requests cannot overwhelm it.
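As an added illustration of the mitigation described above (not configuration from the article or from Cisco's advisory), the following shows how IKE Call Admission Control is enabled on a Cisco IOS router; the limit values are assumed, and the VPN Concentrator 3000 itself uses a different configuration interface:

```text
! Added example: IKE Call Admission Control on Cisco IOS (commands assumed
! from IOS; the VPN Concentrator 3000 is configured differently).
!
! Cap the number of IKE security associations the router will establish.
! Once the limit is reached, further IKE requests are rejected rather than
! queued, so a flood of requests cannot exhaust the IKE subsystem.
! The value 100 is a constructed example; size it to the expected peer count.
crypto call admission limit ike sa 100
!
! Also stop accepting new IKE negotiations when overall system load
! (CPU and memory) exceeds 90 percent, protecting established tunnels.
call admission limit 90
!
! Verify that requests are being accepted or rejected as intended:
! show crypto call admission statistics
```

Rejected IKE requests show up in the CAC statistics counters, which gives operators a simple signal that the device is under an IKE request flood.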
Although Cisco will continue to investigate the vulnerability in order to limit its impact, Mike Caudill, PSIRT's management director, confirmed that releasing a patch will be quite challenging.
“This is a very difficult vulnerability to fix because it is a flaw within a widely used procedure, not limited to Cisco products,” Caudill stated.
Hoàng Dũng