Experts at the University of Oulu in Finland have reported discovering a flaw in network security technology and the Internet Security Association and Key Management Protocol (ISAKMP), which are used in IPsec virtual networks and firewall products from various companies, including Juniper Networks and Cisco.
“These vulnerabilities could enable cybercriminals to launch Denial of Service attacks by exploiting weaknesses in format string vulnerabilities, causing buffer overflows, and degrading Internet data transmission speeds. In certain cases, attackers could even execute code and gain remote control of devices,” warned the UK’s National Infrastructure Security Coordination Centre (NISCC).
Cisco stated that the security flaw could cause some of its devices to reboot continuously, potentially leading to Denial of Service attacks. The company has released a free software upgrade and guidance. Affected products include Cisco IOS, Cisco PIX Firewall, Cisco Firewall Services Module, Cisco VPN 3000 Series, and MDS Series SAN-OS.
Affected Juniper products include all routers in the M, T, J, and E series, and most versions of the Junos and JUNOSe security software.
The Openswan Project, which provides IPsec software used in many Linux products, is also at risk. The organization backing the project released an update, Openswan 2.4.2, immediately upon being notified.
IBM and Microsoft have stated that their systems remain secure.
T.N. (CNet)