Attackers could exploit a major flaw in the Internet Protocol Security [IPsec] framework to obtain the plaintext version of IPsec-protected communications "using only moderate effort," the British-based National Infrastructure Security Co-Ordination Centre [NISCC] warned in an advisory.
"These are very significant issues and need to be addressed quickly by people using IPsec," Ed Skoudis, a handler for the Bethesda, Md.-based SANS Internet Storm Center [ISC] and co-founder of Washington, D.C.-based security consultancy Intel Guardians, said by e-mail. "This is really big."
NISCC said three attacks that apply to certain configurations of IPsec have been identified. "These configurations use Encapsulating Security Payload [ESP] in tunnel mode with confidentiality only, or with integrity protection being provided by a higher layer protocol," the advisory said, adding that certain configurations using the Authentication Header [AH] are also vulnerable.
"In these configurations, an attacker can modify sections of the IPsec packet, causing either the cleartext inner packet to be redirected or a network host to generate an error message," NISCC said. "In the latter case, these errors are relayed via the Internet Control Message Protocol [ICMP]. Because of the design of ICMP, these messages directly reveal segments of the header and payload of the inner datagram in cleartext. An attacker who can intercept the ICMP messages can then retrieve plaintext data."
NISCC rated the vulnerability high severity and said, "The attacks have been implemented and demonstrated to work under realistic conditions."
The IPsec framework is a set of security protocols used at the network
IPsec provides two choices of security service: AH, which essentially allows authentication of the sender of data, and ESP, which supports both authentication of the sender and encryption of data. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header.
San Jose, Calif.-based networking giant Cisco Systems has been one of the bigger advocates for IPsec as a standard and has included support for it in its routers.
NISCC said the issues can be rectified by:
- Configuring ESP to use both confidentiality and integrity protection. This is the recommended solution.
- Using the AH protocol alongside ESP to provide integrity protection. However, NISCC said, this must be done carefully. "For example, the configuration where AH in transport mode is applied end-to-end and tunnelled inside ESP is still vulnerable.
- Removing the error reporting by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway.