VPN vulnerability (and a stocking stuffer for nerds).

In today's IT Blogwatch, we look at the VPN flaw found by Uni of Oulu in Finland. Not to mention a Christmas present for nerds. 

IPsec VPN displaying security vulnerabilities so take note if you have a VPN, Cisco or Juniper Networks or others are implicated.  From Gameshout a warning that "Administrators are being advised to patch their network hardware as soon as possible. A research team from the University of Oulu in Finland, have found vulnerabilities in the Internet Security Association and Key Management Procotol [ISAKMP]. These are used to create secure tunnels over the internet. If the flaw is exploited, the infected routers could be vulnerable to serious attacks, such as DDoS or complete remove execution. Network administrators have already been pressured to update network security by patching Cisco routers for a few months now, because of the critical flaws in the Internetwork Operating System on the router.  Cisco's chief security officer, John Stewart says that customers are still using older versions of the IOS (Internetwork Operating System).  The University of Oulu has published a network security tool that can help router vendors test for the flaws, however, there are concerns that hackers will use the tool to develop exploits."

» Dr Tom Shinder:  "I've been telling you folks time and again that hardware firewalls are not a security panacea, and in fact are often less secure than a properly configured ISA firewall. Unfortunately, its hard for "network" guys to appreciate this simple fact. The time is coming soon where CxOs are going to realize that their "networking" guys are a major security risk to the data you're trying to secure. "

» RavenII:  "Cisco and Juniper have acknowledged that some of their products are at risk. Cisco said the security flaw could cause devices to reset which could cause a temporary denial-of-service attack.  It is providing free software upgrades to fix the problem and has published a security advisory. "  "Juniper products affected include all of its M-series, T-series, J-series and E-series routers, as well as most versions of its Junos and JunoSe Security software. A spokesJniper said that software issued on or after July 28 provided fixes for the flaw. The Openswan Project, which is IPsec software used on many Linux products, is also affected and the project has already released Openswan 2.4.2 in response to the advisory."

»  Johannes Ullrich:  "How serious is all of this?   The world an the Internet will continue to turn. This issue is however very important to you if you are using an IPSEC VPN. At this point, all points to this being a DOS only vulnerability. Your IPSEC concentrator may reboot or lock up. While this is not as severe as remote code execution, it can still break a business if critical network links are impacted.  Who is Impacted?   If you are using IPSEC, check with your vendor to make sure. Cisco, Juniper, Secgo and OpenSWAN released patches. In particular OpenSWAN may be used in many Linux and BSD based appliances. See the earlier diary for a list of firmwares. ISAKMP and IPSEC have to be enabled."

» And final comment from gol706:  "With all the other stuff to worry about on the Internet, worrying about a DoS bug being used on your VPN machine seems kinda quaint. With that said I predict this bug will bring about the end of the internet and give rise to a new revolutionary world order, or not."  [Shades of "look out the sky is falling down"...]

Buffer overflow:

• Doc Searls: Saving the Net: How to Keep the Carriers from Flushing the Net Down the Tubes
• Slashdot: AIM Bots: Useful or Spam?
• Microsoft Watch: Microsoft OEM Chief Flies the Coop
• Microsoft Watch: Microsoft to Extend the Research Olive Branch to Novell, Red Hat
• Ben Rockwood: Oracle and Sun: A strengthening partnership?
• Groklaw: PubPat Challenges JPEG Patent
• Schneier on Security: Identity Theft Over-Reported
• Windley:  Flushing the 'Net Down the Tubes
• Techcrunch:  Is the Gawker-Yahoo Deal Important?
• Martin MC Brown: E-mail's moral, ethical issues
• Martin MC Brown: Understanding the motives to Microsoft's Get the Facts
• Martin MC Brown: Keeping up with free software
• Alex Scoble: Optimal backup software settings for LTO 2 drive
• Alex Scoble: Dell LTO2 tape drive revisited
• Mailbag: There's more than one way to burn out
• Marketing & IT: Can they get along?
• Douglas Schweitzer: Recent CSI survey shows that companies still at risk

And finally... with Christmas coming... Floppy Disk Note Book

He's off again...Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Also contributing (mostly) to today's post: Judi Dey, our very own Antipodean.