Mu Dynamics has discovered and enabled the remediation of a 0-day vulnerability within strongSwan’s IKEv2 implementation. strongSwan is an open source IPsec-based virtual private network (VPN) solution suitable for the Linux operating system. IPsec-based VPNs are designed to secure corporate VoIP, email, Web, IPTV (News
) and other IP-based services over public network infrastructures.
Mu Dynamics is involved in helping network operators and their vendors avoid downtime by offering proactive service assurance. Mu Dynamics detected a strongSwan IKEv2 Denial-of-Service vulnerability in the strongSwan 4.2.6 and other branches.
The vulnerability detected was that an IKE_SA_INIT message with a Key Exchange payload containing a large number of NULL values can cause a crash of the IKEv2 charon daemon. The problem is strongSwan will dereference a NULL pointer returned by the mpz_export() function of the GNU Multiprecision Library (GMP).
To establish VPN connectivity a well defined sequence of complex events (the IKEv2 protocol) is needed. strongSwan features an Internet Key Exchange version 2 implementation (IKEv2) for authenticating users and establishing session keys. This allows the Internet protocol (IP) traffic to be encrypted or it may also be digitally signed within IPsec-based VPNs.
It was deciphered by Mu Labs that an unauthenticated anonymous attacker will be able to crash a strongSwan-based VPN terminator or other IPsec device making use of just the first IKEv2 packet.
Other IKEv2 implementations which are as complex as this one will also be susceptible to similar failures. For avoiding IPsec VPN service downtime from similar type of software weakness in complex code, it is necessary for all IKEv2 implementations to be subjected to real world service-level traffic variations during the deployment life cycle.
It is imperative for operators providing IPsec VPN services as well as vendors, to make sure that products can actually tolerate unexpected or invalid inputs without undergoing service degradation or downtime.
“The best defense against this 0-day vulnerability is to immediately upgrade to the patched version of strongSwan,” said Thomas Maufer, Mu Dynamics’ Director of Technical Marketing. “The Mu Labs development team appreciates strongSwan’s extremely rapid response time in producing a fix to this serious bug in just one day.”
Mu Dynamics helps prevent service, application and network downtime thereby avoiding high cost of service. Its solution automates a systematic and repeatable process which detects sources which could lead to downtime within IP services, applications and underlying networks. Mu solutions are deployed at over 100 locations including global service providers, cable operators and network product vendors.
INTERNET TELEPHONY Conference & EXPO West 2008 — the biggest and most comprehensive IP communications event of the year — concluded Thursday in Los Angeles, California. Thousands of attendees flocked to the event for three valuable days of exhibits, conferences and networking opportunities. Mark your calendar now for ITEXPO East 2009, February 2-4, 2009, in sunny Miami, Florida.
Read archived editions of Show Daily eNewsletters from ITEXPO (News - Alert) West 2008 here. See you in February!
Shamila Janakiraman is a contributing editor for TMCnet. To read more of Shamila’s articles, please visit her columnist page.
Edited by Stefania Viscusi