VID 13011
Severity 30
Port 1701
Protocol TCP
Class L2TP
Detailed Description The L2TP service is vulnerable to a Denial of Service attack.
L2TP (Layer 2 Tunneling Protocol), endorsed by Cisco, is an extension of PPTP (Point-to-Point Tunneling Protocol) used by ISPs (Internet Service Providers) to run a VPN (Virtual Private Network) over the public Internet. It combines Cisco's L2F (Layer 2 Forwarding) protocol with Microsoft's PPTP. Some versions of the L2TP daemon contain a flaw that lets a remote attacker disable the service. A remote attacker can drive the target system into a Denial of Service condition with the following scenario:

1. An attacker sends an "Unknown Call Type" control message to the L2TP service.
2. The L2TP service sends "SCCRQ (Start_Control_Request)" control messages to the attacker.
3. The attacker sends "SCCCN (Start_Control_Connected)" control messages to the L2TP service.
4. The L2TP service stops due to a Segmentation Fault.

Generally, before a data session is established, a Control Connection is established between the two endpoints to identify the peer securely and to learn the peer's L2TP version, framing and bearer capabilities, and so on. Establishing it requires a three-message exchange:

1. A sends the "SCCRQ" message to B.
2. B sends the "SCCRP" message to A.
3. A sends the "SCCCN" message to B.

However, the service is implemented so that it logs the event and clears the control connection when it receives an invalid or malformed control message, such as one out of sequence (e.g. an SCCCN sent in reply to an SCCRQ). During this processing the service is disabled. Thus a remote attacker can cause a Denial of Service on the VPN and prevent other peers from connecting to it by sending an out-of-sequence message as in the scenario above.
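To make the expected behaviour concrete, the following added example (not code from the advisory or from the l2tpd project) implements a responder-side L2TP control connection state machine over RFC 2661 control messages. It parses the control header and the mandatory Message Type AVP, then accepts the SCCRQ / SCCRP / SCCCN sequence described above while treating an out-of-sequence SCCCN, an unknown message type, or a truncated packet as a logged, cleared control connection rather than a crash. The message builder exists only to construct in-memory test input; the function and class names and the log strings are this example's own assumptions.

```python
import struct

# Message Type AVP values from RFC 2661 section 6.
SCCRQ, SCCRP, SCCCN, STOPCCN, HELLO = 1, 2, 3, 4, 6
MESSAGE_NAMES = {SCCRQ: "SCCRQ", SCCRP: "SCCRP", SCCCN: "SCCCN",
                 STOPCCN: "StopCCN", HELLO: "HELLO"}

# Header bits from RFC 2661 section 3.1: T=control, L=length present,
# O=offset present, S=sequence numbers present, low nibble = version 2.
FLAG_T, FLAG_L, FLAG_O, FLAG_S, VERSION = 0x8000, 0x4000, 0x0200, 0x0800, 0x0002


def build_control_message(msg_type, tunnel_id, ns, nr):
    """Encode a minimal control message carrying one Message Type AVP.

    Constructed test input for the validator below, not a network client.
    """
    # AVP header: M bit set, length 8, vendor 0, attribute type 0 (Message Type).
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_type)
    header_len = 12  # flags/version, length, tunnel id, session id, Ns, Nr
    header = struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | VERSION,
                         header_len + len(avp), tunnel_id, 0, ns, nr)
    return header + avp


def parse_control_message(data):
    """Parse the control header and the first (Message Type) AVP.

    Every malformed case raises ValueError instead of indexing past the buffer.
    """
    if len(data) < 2:
        raise ValueError("truncated header")
    flags = struct.unpack("!H", data[:2])[0]
    if (flags & 0x000F) != VERSION:
        raise ValueError("not L2TPv2")
    if not flags & FLAG_T:
        raise ValueError("data message, not control")
    # Control messages must carry L and S and must not carry O.
    if not (flags & FLAG_L and flags & FLAG_S) or flags & FLAG_O:
        raise ValueError("illegal flag combination for control message")
    if len(data) < 12:
        raise ValueError("truncated header")
    _, length, tunnel_id, _session, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if length != len(data):
        raise ValueError("length field mismatch")
    if len(data) == 12:
        # Zero-Length Body: a pure acknowledgement with no AVPs.
        return {"tunnel_id": tunnel_id, "ns": ns, "nr": nr, "msg_type": None}
    if len(data) < 20:
        raise ValueError("truncated AVP")
    avp_hdr, vendor, attr, value = struct.unpack("!HHHH", data[12:20])
    if (avp_hdr & 0x03FF) != 8 or vendor != 0 or attr != 0:
        raise ValueError("first AVP is not a Message Type AVP")
    return {"tunnel_id": tunnel_id, "ns": ns, "nr": nr, "msg_type": value}


class ControlConnection:
    """Responder-side control connection states (RFC 2661 section 7.2.1)."""
    IDLE, WAIT_CTL_CONN, ESTABLISHED = "idle", "wait-ctl-conn", "established"

    def __init__(self):
        self.state = self.IDLE
        self.log = []

    def _clear(self, reason):
        # Log and drop the connection: the correct response to bad input.
        self.log.append("cleared control connection: " + reason)
        self.state = self.IDLE
        return ("rejected", reason)

    def receive(self, data):
        try:
            msg = parse_control_message(data)
        except ValueError as exc:
            return self._clear("malformed: " + str(exc))
        mtype = msg["msg_type"]
        if mtype is None:
            return ("accepted", "ZLB ack")
        name = MESSAGE_NAMES.get(mtype)
        if name is None:
            return self._clear("unknown message type %d" % mtype)
        if self.state == self.IDLE and mtype == SCCRQ:
            self.state = self.WAIT_CTL_CONN
            self.log.append("received SCCRQ, replying with SCCRP")
            return ("accepted", name)
        if self.state == self.WAIT_CTL_CONN and mtype == SCCCN:
            self.state = self.ESTABLISHED
            return ("accepted", name)
        if self.state == self.ESTABLISHED and mtype == HELLO:
            return ("accepted", name)
        if mtype == STOPCCN:
            return self._clear("peer sent StopCCN")
        # Anything else is out of sequence, e.g. SCCCN with no SCCRQ first.
        return self._clear("%s not valid in state %s" % (name, self.state))


if __name__ == "__main__":
    cc = ControlConnection()
    print(cc.receive(build_control_message(SCCRQ, 0, 0, 0)))
    print(cc.receive(build_control_message(SCCCN, 7, 1, 1)), cc.state)
    print(ControlConnection().receive(build_control_message(SCCCN, 7, 0, 0)))
```

The point of the state machine is that every exit from the happy path goes through `_clear`, which records the reason and returns to `idle`; a daemon structured this way degrades to a log line on an improper sequence rather than to a Segmentation Fault.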

* Note: This check relied solely on the L2TP daemon's reported firmware revision to assess this vulnerability, so it may be a false positive.

* References:
http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/26xx/2661
http://www.networksorcery.com/enp/protocol/l2tp.htm

* Platforms Affected:
L2TP Daemon, any version
Recommendation No patch is available as of June 2014. Upgrade to the latest version as soon as possible from the l2tpd website, http://www.l2tpd.org/download.html
The latest version at this time, l2tpd 0.69, was released by Jeff McAdams.