The UK's National Infrastructure Security Co-ordination Centre (NISCC) issued an alert describing an attack on IPsec in which an attacker can recover the plaintext of encrypted traffic with “moderate effort.” When the Encapsulating Security Payload (ESP) is used in tunnel mode, the whole original IP packet (the inner packet) is encrypted and carried as the payload of a new IP packet (the outer packet). Because the inner packet's header sits at the very start of that encrypted payload, an attacker who carefully modifies the outer packet's payload can make predictable changes to the inner header. When the receiving gateway decrypts the packet, the modified inner packet may be forwarded to an address of the attacker's choosing, or it may provoke an ICMP error message that quotes the inner packet in plaintext: ICMP error messages by design carry the IP header of the offending packet plus at least the first eight bytes of its payload, and many implementations quote considerably more. If the attacker can receive or intercept those ICMP messages, the contents of the encrypted inner packet are exposed.
The attack relies on three properties of the IPsec configuration and of normal IP processing. The first is the well-known malleability of CBC-mode encryption: flipping a bit in a ciphertext block flips the same bit in the following plaintext block (at the cost of scrambling the block the flipped bit belongs to), and flipping a bit in the IV flips the same bit in the first plaintext block with no side effect at all. The second is the absence of integrity protection on the encrypted inner packets, that is, ESP configured for confidentiality only, so nothing detects the modification. The third is the ordinary IP and ICMP processing that the receiving gateway, and the hosts behind it, apply to the decrypted inner packet.
The alert describes three attacks, which it calls Destination Address Rewriting, IP Options and Protocol Field, and notes that many variations on them are possible. All three apply to ESP in tunnel mode with no integrity protection selected.
In Destination Address Rewriting, the attacker flips bits in the payload of the outer packet so that, once decrypted, the destination address of the inner packet points at a host the attacker controls. The receiving gateway decrypts the outer payload, finds what looks like a valid inner packet, and forwards it to the address the attacker chose; the inner packet, and the data it carries, arrive there in plaintext.
In the IP Options attack, the attacker flips bits in the outer payload to change both the header length (IHL) field and the source address of the inner packet. After decryption the receiving gateway processes the inner packet and, because of the inflated header length, treats the first bytes of the inner payload as IP option bytes. Malformed options cause the device to generate an ICMP error message (typically a Parameter Problem) that quotes the inner packet, and that message is sent to the inner packet's source address, which the attacker has rewritten to a host they control, so the plaintext is delivered straight to the attacker.
The last attack, Protocol Field, has the attacker flip bits in the outer payload to change the protocol field and the source address of the inner packet. The receiving gateway decrypts the outer payload and forwards the inner packet to its original destination host. That host finds no handler for the modified protocol number and sends an ICMP error (Destination Unreachable, Protocol Unreachable) quoting the inner packet back to its source address, which the attacker has rewritten to a host they control; once again the plaintext of the packet is delivered to the attacker.
The NISCC alert gives three straightforward ways to defeat the attack:
1. Configure ESP to provide both confidentiality and integrity protection. With an integrity check over the ciphertext, any bit the attacker flips is detected and the packet is dropped before the inner header is ever processed.
2. Suppress the ICMP error reporting, either by restricting the generation of ICMP error messages or by blocking ICMP at the firewall, so that the decrypted inner packet cannot be reflected back to the attacker.
3. Use the Authentication Header (AH) alongside ESP, so that AH supplies the integrity protection that encryption-only ESP lacks. The alert cautions that the combination of AH in transport mode with ESP in tunnel mode is still vulnerable, since the gateway that decrypts the ESP tunnel acts on the inner header before any AH check is made.
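The mechanism behind the three attacks, and the integrity check from fix 1 that stops them, as an added Python example (this is not code from the NISCC alert or from any IPsec implementation). The block cipher is a constructed stand-in for AES so the example runs with the standard library alone; the attack depends only on CBC mode. The ESP layout (SPI, sequence number, IV, CBC ciphertext, RFC 4303 trailer) is real, while the gateway and host behaviour is a simplified model, and the keys, addresses, inner payload and protocol number 253 are constructed test data. It assumes the attacker knows or can guess the inner header (the protected hosts' addresses and the packet size), and it goes slightly beyond the text: it shows why the Protocol Field and IP Options attacks target fields in the first 16 bytes of the inner header, which the IV reaches with no side effect, while the destination address in the second block can only be reached by scrambling the first.

```python
"""Added example, not from the NISCC alert: CBC bit flipping against the inner IPv4 header of an ESP
tunnel-mode packet with confidentiality but no integrity protection, and the ICV that stops it."""
import hashlib, hmac, struct
from socket import inet_aton, inet_ntoa

BLOCK = 16
ENC_KEY, MAC_KEY = b"\x11" * 32, b"\x22" * 32                          # constructed tunnel keys
HOST_A, HOST_B, ATTACKER = "10.1.0.7", "10.2.0.9", "203.0.113.66"    # constructed addresses
IV = bytes(range(BLOCK))                                               # fixed so the run is deterministic

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half): return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, blk):                 # constructed stand-in for AES: 8-round Feistel, SHA-256 rounds
    l, r = blk[:8], blk[8:]
    for i in range(8): l, r = r, _xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)): l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev)); out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    # P[i] = D(C[i]) XOR C[i-1]: flipping a bit of C[i-1] flips the same bit of P[i] but scrambles
    # P[i-1]; flipping a bit of the IV flips the same bit of P[0] with no side effect at all.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev)); prev = ct[i:i + BLOCK]
    return b"".join(out)

def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16: s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def header_ok(pkt): return pkt[0] == 0x45 and ipv4_checksum(pkt) == 0

def esp_encrypt(key, iv, inner, spi=0x1000, seq=1):                  # ESP, confidentiality only
    pad_len = -(len(inner) + 2) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])     # RFC 4303 padding, next header 4 = IPv4
    return struct.pack("!II", spi, seq) + iv + cbc_encrypt(key, iv, inner + trailer)
def esp_decrypt(key, pkt):
    pt = cbc_decrypt(key, pkt[8:8 + BLOCK], pkt[8 + BLOCK:])
    return pt[:len(pt) - 2 - pt[-2]]

def gateway_receive(key, esp_pkt, quote_len=28):
    """Simplified gateway plus the host behind it: drop a bad inner header, deliver a good one, or answer
    an unknown protocol with ICMP type 3 code 2 (checksum omitted) quoting the inner packet to its source."""
    inner = esp_decrypt(key, esp_pkt)
    if not header_ok(inner):
        return ("drop", None, b"")
    if inner[9] not in (1, 6, 17):           # 28 bytes is the RFC 792 minimum; many stacks quote far more
        return ("icmp", inet_ntoa(inner[12:16]), struct.pack("!BBHI", 3, 2, 0, 0) + inner[:quote_len])
    return ("deliver", inet_ntoa(inner[16:20]), inner)

def forge_first_block(esp_pkt, known_hdr, wanted_hdr):
    """XOR the IV with the difference between the inner header the attacker knows (or guesses) and the
    header they want: IHL, protocol, checksum and source address all sit in the first 16 bytes."""
    assert known_hdr[16:20] == wanted_hdr[16:20], "the destination address is in the second block"
    delta = _xor(known_hdr[:BLOCK], wanted_hdr[:BLOCK])
    return esp_pkt[:8] + _xor(esp_pkt[8:8 + BLOCK], delta) + esp_pkt[8 + BLOCK:]

def protocol_field_attack():
    secret = b"GET /payroll HTTP/1.1\r\n"                                # constructed inner payload
    tunnelled = esp_encrypt(ENC_KEY, IV, build_ipv4(HOST_A, HOST_B, 6, secret))
    known = build_ipv4(HOST_A, HOST_B, 6, b"\0" * len(secret))[:20]    # attacker knows hosts and size only
    wanted = build_ipv4(ATTACKER, HOST_B, 253, b"\0" * len(secret))[:20]
    return gateway_receive(ENC_KEY, forge_first_block(tunnelled, known, wanted))

def naive_destination_rewrite():
    """Reaching the destination (plaintext block 1) means flipping C0, which scrambles plaintext block 0."""
    pkt = esp_encrypt(ENC_KEY, IV, build_ipv4(HOST_A, HOST_B, 6, b"x" * 24))
    tampered = pkt[:24] + _xor(pkt[24:28], _xor(inet_aton(HOST_B), inet_aton(ATTACKER))) + pkt[28:]
    return gateway_receive(ENC_KEY, tampered)[0], inet_ntoa(esp_decrypt(ENC_KEY, tampered)[16:20])

def esp_encrypt_with_icv(enc_key, mac_key, iv, inner):                 # fix 1: confidentiality + integrity
    pkt = esp_encrypt(enc_key, iv, inner)
    return pkt + hmac.new(mac_key, pkt, hashlib.sha256).digest()[:16]  # HMAC-SHA-256-128 style ICV
def gateway_receive_with_icv(enc_key, mac_key, pkt):
    body, icv = pkt[:-16], pkt[-16:]
    if not hmac.compare_digest(icv, hmac.new(mac_key, body, hashlib.sha256).digest()[:16]):
        return ("drop", None, b"")                                     # rejected before any decryption
    return gateway_receive(enc_key, body)

def attack_against_icv():
    inner = build_ipv4(HOST_A, HOST_B, 6, b"GET /payroll HTTP/1.1\r\n")
    wanted = build_ipv4(ATTACKER, HOST_B, 253, b"\0" * 23)[:20]
    return gateway_receive_with_icv(ENC_KEY, MAC_KEY, forge_first_block(
        esp_encrypt_with_icv(ENC_KEY, MAC_KEY, IV, inner), inner[:20], wanted))
```

`protocol_field_attack()` returns an ICMP message addressed to 203.0.113.66 whose quoted bytes end with the first eight bytes of the inner payload; a stack that quotes up to 576 bytes would hand over the whole request. `naive_destination_rewrite()` shows that the destination address does change, but the scrambled first block fails the checksum and the packet is dropped, which is why Destination Address Rewriting needs many trials rather than one forged packet. `attack_against_icv()` shows the same forgery rejected at the integrity check before anything is decrypted. The IP Options attack uses the same first-block mechanism on the IHL field and is not modelled here.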