MEDIUM: Vulnerable ISAKMP Report

DESCRIPTION LAST UPDATED: 2024-07-08

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have a vulnerable IKE service accessible on the Internet.

It currently focuses on SoftEther VPN port 4500/UDP instances that can be abused for UDP amplification/reflection attacks.
See: https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-j35p-p8pj-vqxq

Above are tagged softether.

You can track currently vulnerable ISAKMP services on our Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_isakmp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always UDP)
  • port
    Port that the response came from (500/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will be isakmp-vulnerable with additional tags for specific issue being reported, like softether
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • initiator_spi
    Initiator's SPI of the IKE_SA
  • responder_spi
    Responder's SPI of the IKE_SA
  • next_payload
    "Is there payload data present?" This will be "11" for "Payload Follows"
  • version
    IKE version, will be "10" (maps to version 1.0)
  • exchange_type
    The IKE Exchange Type: this will be "5" meaning "informational"
  • flags
    ISAKMP flags: this will be "0"
  • message_id
    The Message ID, which is "0"
  • next_payload2
    This is the same thing as the "next_payload" field, but buried in the payload that the original "next_payload" is referring to; it will be "0" for "none"
  • domain_of_interpretation
    This will be "0" for ISAKMP
  • protocol_id
    This will be "0" for "reserved"
  • spi_size
    This will be "0"
  • notify_message_type
    This will be "14" which maps to "no proposal chosen"
  • sector
    Sector of IP in question

Our 132 Report Types