Nortel Patches DoS Flaw in its VPN Routers

Nortel has released a patch for a vulnerability in its VPN routers that could either cause them to automatically reboot or stay down until a manual reset is executed.

Security firm NTA Monitor said it discoved the denial of service (DoS) vulnerability in Nortel VPN Router products (previously known as Nortel Contivity) while performing a VPN security test for a customer. The organization described the vulnerability as "serious ... because a single malformed IKE packet causes the VPN router to crash. Also it is not normally possible to prevent the malformed packet from reaching the router."

NTA Monitor reported that the vulnerability is triggered by sending an IPsec IKE packet with a malformed ISAKMP header. The organization reported that receipt of the packet caused a crash "every time such a malformed packet is sent."

According to the group, in tests the affected router automatically rebooted about 80 percent of the time, but required a manual reboot 20 percent of the time. Further, the routers tested didn't log receipt of the packets, even when logging was set to maximum verbosity. The organization speculated that this was the result of the routers crashing before they could even log the packet.

Further, the group argued that "security through obscurity" is a particularly bad approach in this case:

"It is possible for attackers to detect and fingerprint Nortel VPN routers using [...] IKE fingerprinting techniques," the group said in its report. "Therefore users should not assume that their VPN router is invisible just because it's not published in the DNS and is not running any TCP services."

NTA reported that the issue affects Nortel VPN router models 1010, 1050, 1100, 600, 1600, 1700, 2600, 2700, 4500, 4600 and 5000.

Nortel customers with a valid login on the company's site can access the Nortel bulletin on the vulnerability and download a patch.