Mu Dynamics Discovers IKEv2 Vulnerability

By Alan Harten

StrongSwan is an open source IPsec-based virtual private network (VPN) solution for the Linux operating system.

IPsec-based VPNs secure corporate VoIP, email, web, IPTV and other IP-based services over public network infrastructures.

On the 16th of this month StrongSwan’s IKEv2 implementation was found by Mu Dynamics to have a very serious and dangerous 0-day vulnerability.

The IKEv2 needed to establish VPN connectivity as this is essential to authenticate users and establish session keys.

Mu Labs identified what it suspected was an anonymous attacker, that was at least unauthenticated and in their opinion was capable of crashing VPN terminator or other IPsec devices, and this could be done using just the very first IKEv2 packet.

Luckily Mu and strongSwan were able to produce a patch over a period of 14 hours to remove the problem.

The company believes that other IKEv2 implementations are at risk of similar attacks.

In order to prevent IPsec VPN service downtime IKEv2 implementations must be subjected to variations on real world service-level traffic throughout the deployment life cycle.

For both operators, offering IPsec VPN services and their vendors, products must continuously prove they can tolerate unexpected or invalid inputs without experiencing service degradation or downtime.