[Openswan Users] Upgrade from openswan-2.6.21-5.el5_7.6 to openswan-2.6.32-10.el6_2.i686 appears to have introduced DOS vulnerability
Mike Herrick
mike.herrick at gmail.com
Tue Apr 3 14:33:04 EDT 2012
I've upgraded my firewalls from Red Hat 5 (openswan-2.6.21-5.el5_7.6)
to Red Hat 6 (openswan-2.6.32-10.el6_2.i686) and a SecuritySpace audit
is complaining that I'm now vulnerable to a "Denial of Service : IPSEC
IKE check" attack. The details seem a little sketchy
(https://secure1.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.10941),
reproduced here:
Test ID: 1.3.6.1.4.1.25623.1.0.10941
Category: Denial of Service
Title: IPSEC IKE check
Summary: IPSEC IKE check
Description: The remote IPSEC server seems to have a problem negotiating
bogus IKE requests.
An attacker may use this flaw to disable your VPN remotely
Solution: Contact your vendor for a patch
Reference : See RFC 2409
Risk factor : High
Copyright This script is Copyright (C) 2002 John Lampe...j_lampe at bellsouth.net
The copyright date makes me think this is an old issue, and there
doesn't appear to be a CVE issue for it. I'm just wondering if anyone
knows what this is (and how to fix it).
Thanks,
Mike.
More information about the Users
mailing list