VPN products from a variety of vendors, including Cisco and Juniper are vulnerable to a denial of service attack, thanks to a bug that was recently discovered by researchers at Finland's University of Oulu.
The flaw affects a component of IPsec used by VPN software and hardware to securely exchange data over the Internet. While there is some risk of affected VPN systems being taken over by attackers, a more likely threat is a DOS attack, in which machines would be forced to reset repeatedly, jamming up networks and causing headaches for users.
"This issue is ... very important to you if you are using an IPsec VPN," said security research centre The SANS institute. "While this is not as severe as remote code execution, it can still break a business if critical network links are impacted."
The problem concerns a component of the IPsec protocol, called ISAKMP (Internet Security
Association and Key Management Protocol), which is used to send authentication data within IPsec. By sending specially crafted ISAKMP packets, an attacker could launch a variety of attacks, the UK's National Infrastructure Security Co-ordination Centre said in a statement.
This bug was first reported Monday, and by Tuesday a number of vendors had posted statements explaining how it affects their products on the UK security organisations's website.
Researchers say that some operating systems are also affected, including Sun's Solaris. IBM's AIX operating system and Microsoft's products are not affected by the bug, the two companies said.