IKE/IKEv2 protocol implementations may allow network amplification attacks

CERT VU:419128
Date: Feb 29, 2016
Source: www.kb.cert.org

CVSS2: 7.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 50.1%

Overview

Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.

Description

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.

More details are provided in a white paper from the researcher.


Impact

An unauthenticated remote attacker may leverage the vulnerable IKE/IKEv2 server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.


Solution

The CERT/CC is currently unaware of a full solution to this problem. Some vendors have addressed this issue separately; please see the affected vendors list below.

Please consider one of the workarounds listed below.

A full solution may require revisions to RFC 7296 and/or RFC 2408.


Perform Egress Filtering

Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product’s documentation for instructions on how to perform egress filtering.
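
The following is an added example, not code from CERT/CC or any vendor. It shows the two checks a defender can derive from the Description and the workaround above: the egress-filter decision on a packet's source address, and the per-peer ratio of IKE bytes sent to bytes received at a server, which reveals when that server is being used as a reflector. The prefixes, flow records and the 300% threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

IKE_PORTS = {500, 4500}  # UDP ports used by IKE and IKE NAT traversal

# Constructed sample data (documentation address ranges, not real traffic).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# (direction seen at the IKE server, remote address, local UDP port, bytes)
SAMPLE_FLOWS = [
    ("in", "198.51.100.7", 500, 400), ("out", "198.51.100.7", 500, 3600),
    ("in", "203.0.113.20", 500, 2200), ("out", "203.0.113.20", 500, 2500),
    ("in", "203.0.113.99", 53, 60), ("out", "203.0.113.99", 53, 4000),
]


def egress_permitted(src_ip, local_prefixes=LOCAL_PREFIXES):
    """Egress filter decision: forward a packet leaving the network only if
    its source address belongs to a prefix this network actually owns."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in local_prefixes)


def amplification_by_peer(flows):
    """Return {remote_ip: response bytes as a percentage of request bytes}
    for IKE traffic only; other UDP ports are ignored."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for direction, peer, port, nbytes in flows:
        if port in IKE_PORTS:
            totals[peer][direction] += nbytes
    return {peer: 100.0 * t["out"] / t["in"]
            for peer, t in totals.items() if t["in"] > 0}


def suspected_reflection_victims(flows, threshold_pct=300.0):
    """Remote addresses receiving far more IKE bytes than they sent.
    threshold_pct is an assumed tuning value, not taken from the advisory."""
    ratios = amplification_by_peer(flows)
    return sorted(p for p, pct in ratios.items() if pct >= threshold_pct)


if __name__ == "__main__":
    print(amplification_by_peer(SAMPLE_FLOWS))
    print(suspected_reflection_victims(SAMPLE_FLOWS))
    print(egress_permitted("192.0.2.10"), egress_permitted("198.51.100.7"))
```

A peer flagged by the ratio check is the likely victim of spoofed requests, so the useful response is rate limiting at the server and a report to the upstream network, not blocking that address as an attacker.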


Vendor Information


Oracle Corporation Affected

Notified: February 12, 2016 Updated: July 18, 2017

Statement Date: July 14, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Oracle has provided a critical security patch for this issue, and assigned CVE-2017-10042 for it.

GNU glibc Not Affected

Notified: February 12, 2016 Updated: February 15, 2016

Statement Date: February 12, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: February 12, 2016 Updated: March 04, 2016

Statement Date: March 03, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Microsoft does not believe any of its products are directly affected.

ACCESS Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arista Networks, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Aruba Networks Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Belkin, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Brocade Communication Systems Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CoreOS Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

European Registry for Internet Domains Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fortinet, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Foundry Brocade Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

FreeBSD Project Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hardened BSD Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett Packard Enterprise Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Huawei Technologies Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium - DHCP Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

JH Software Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NLnet Labs Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nominum Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenBSD Unknown

Notified: February 12, 2016 Updated: March 01, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

OpenBSD has their own from-scratch IKE daemon: <http://www.openiked.org/>

It is currently unclear if this daemon is vulnerable or has been patched.

OpenDNS Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Openwall GNU/*/Linux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PC-BSD Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PowerDNS Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Red Hat, Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Secure64 Software Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

dnsmasq Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

gdnsd Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

openSUSE project Unknown

Notified: February 12, 2016 Updated: February 12, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal 6.7 E:POC/RL:W/RC:C
Environmental 6.7 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Chad Seaman of Akamai for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2016-02-25 Date First Published:
