Vigil@nce: Windows, denial of service via IPSec and ISAKMP
December 2009 by Marc Jacob
A remote authenticated attacker can send a malicious ISAKMP
packer, in order to generate an infinite loop.
Severity: 2/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/12/2009
IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The IPSec protocol is used to create VPNs. To create an IPSec
tunnel, SA (Security Associations: algorithm, key size, etc.) has
to be shared between both ends. The SA can be set by
administrator, or automatically exchanged. In this later case, IKE
protocol (Internet Key Exchange) is used. IKE is based on ISAKMP
(Internet Security Association and Key Management Protocol).
The LSASS service (Local Security Authority Subsystem Service)
manages for example user authentication.
When an authenticated user, who accesses to the server via IPSec,
sends a malicious ISAKMP packet, an infinite loop occurs in LSASS.
An authenticated attacker can thus generate a denial of service.
CHARACTERISTICS
Identifiers: 974392, BID-37218, CVE-2009-3675, MS09-069,
VIGILANCE-VUL-9243
http://vigilance.fr/vulnerability/Windows-denial-of-service-via-IPSec-and-ISAKMP-9243