lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 9 Dec 2005 23:24:26 -0000
From: mkuch@...ni.securityfocus.com
To: bugtraq@...urityfocus.com
Subject: Apani Network Response to ISAKMP cert-fi:7710 Alert


APANI Networks EpiForce 1.9 and Earlier Potential Denial of Service in EpiForce Agent  

NOTICE: The information in this notice should be acted upon as soon as possible.  All affected customers have already been contacted by Apani.

Release Date: 2005-12-09

Potential Security Impact: Remote Denial of Service

Source: Apani Networks Corporation
             Apani Product Support

VULNERABILITY SUMMARY
A potential denial of service vulnerability has been identified with in the EpiForce Agent.  Agents automatically restart if a failure is detected.

References: cert-fi:7710, NISCC 273756, CVE-2005-3670, CERT VU#226364

IMPACTED VERSIONS:
EpiForce Agent 1.9 and earlier versions

BACKGROUND:
The Department of Electrical and Information Engineering at the University of Oulu in Finland began the PROTOS project in 1999. Its purpose is to "research different approaches of testing implementations of protocols using black-box (i.e. functional) testing methods." Black box testing means that the tester does not have any knowledge of the internal workings of the specific implementation of the protocol being tested. 

Over time, PROTOS developed test suites for a variety of protocols. On 14 November 2005, the PROTOS project announced the availability of a test suite for the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is a part of the Internet Key Exchange (IKE) protocol, which is used to negotiate IPSec security associations between Apani EpiForce Agents. It is also used for the same purpose in many VPN products from other companies.

The PROTOS test suite for ISAKMP contains 5000 separate tests. Apani noted that a few tests could crash the IKE Negotiation Module (INM) in the EpiForce Agent. Agents automatically restart INM if a failure is detected.  

NOTE: Customers should be aware that EpiForce Agents do not use aggressive mode negotiations, which was mentioned in the PROTOS announcement. In addition, EpiForce Agents do not use preshared keys. The PROTOS tests are based on preshared keys. EpiForce Agents ignore or quickly drop all of the negotiation test messages that originate from the PROTOS ISAKMP test suite.

AFFECTED VERSIONS
EpiForce Version 1.9 and Earlier

MITIGATION
Upgrade to Version 2.0

RESOLUTION
Apani Networks is currently working with our customers in regards to older versions of the product. 

UPDATE HISTORY
Initial release: 1

Support: For further information, contact your Apani Networks support channel or via the web: 
http://www.apani.com/support/contact-support

Report: To report a potential security vulnerability with an Apani Networks product, contact Apani Networks at support@...ni.com.

(c)Copyright 2005 Apani Networks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ