CVE-2006-3906

Name of the Vulnerable Software and Affected Versions Cisco IOS versions (affected versions not specified) VPN 3000 Concentrators versions (affected versions not specified) PIX firewalls versions (affected versions not specified)

Description The issue concerns the Internet Key Exchange (IKE) version 1 protocol, which is used for key exchange in IPSec, commonly utilized to encrypt data for VPN connections. A design weakness in the IKE version 1 protocol allows remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session expiration rate. This could potentially affect multiple products and implementations beyond Cisco's.

Recommendations For Cisco IOS, consider implementing rate limiting on IKE Phase-1 packets to minimize the risk of resource exhaustion. For VPN 3000 Concentrators, restrict access to IKE Phase-1 packets until a more robust solution is available. For PIX firewalls, as a temporary workaround, consider disabling IKE version 1 protocol support until a patch or update is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.