Tag Archives: DoS

May 2018 Update Summary

====================
Update: 18th May 2018:
====================
Other updates made available by Microsoft for the Spectre Variant 2 vulnerability are:

kb4100347

This update was not offered to my Windows laptop running Version 1803. As you know it contains an Intel Core i7 6500U CPU. I downloaded the version 1803 update from the Microsoft Catalog and it installed successfully. My system is showing the full green result when the PowerShell command Get-SpeculationConntrolSetting is run. It results in the final screenshot shown with this article. Further tips on running this useful command are provided in this Microsoft support article, please see the headings “PowerShell Verification using the PowerShell Gallery (Windows Server 2016 or WMF 5.0/5.1)” or “PowerShell Verification using a download from Technet (earlier operating system versions and earlier WMF versions)” depending on your version of Windows.

Microsoft have also issued an update for Windows version 1709 to resolve a vulnerability again introduced by their previous patch. This resolution was provided in update kb4103727. Further details are available in Alex Ionescu’s tweet (a security architect with CrowdStrike and Windows Internals expert). Previous Spectre V2 patches were kb4091666 and kb4078407

This issue was already addressed in version 1803 of Windows.

If any of the above updates apply for your version of Windows, please install them. If the updates are already present or are not required; the installation will not proceed when you manually attempt it.

Thank you.

====================
Update: 17th May 2018:
====================
Adobe have since issued further updates to resolve critical vulnerabilities within Adobe Acrobat DC, Adobe Reader DC and Photoshop. Further details of the zero day (defined) vulnerabilities addressed in Adobe Acrobat/Reader are available here and here.

Adobe Acrobat and Reader (priority 1, 47 CVEs)

Adobe Photoshop CC 2018 and 2017 (priority 3, 1 CVE).

Further updates are listed at the end of this post. Thank you.

====================
Update: 10th May 2018:
====================
Further details have emerged of another zero day (defined) vulnerability affecting Windows Server 2008 R2 and Windows 7.

CVE-2018-8120 is an elevation of privilege (defined) vulnerability but can only be exploited if the attacker has already compromised the user account of the system allowing the attacker to log in when they choose. Upon logging in the attacker could obtain kernel level access/permissions (defined) by elevating their privileges to carry out any action they choose.

The prioritised list below has been updated to reflect this. Thank you.
====================

====================
Original Post:
====================

====================
Apologies for only posting an update summary last month. Other commitments meant I didn’t have the bandwidth to contribute more. I’ll try to make more time this month. Thanks.
====================

Earlier today Microsoft released their scheduled monthly security updates resolving 67 vulnerabilities. Notably Windows 10 Version 1803 receives it’s first update this month. Windows Server 2016 Version 1803 remains in testing in advance of it’s upcoming release. As always Microsoft have provided further details are provided within their Security Updates Guide.

There are 4 knowledge base articles detailing potential issues (all of which are pending resolutions) you may experience upon installing these updates. They are listed below for your reference:

4103712

4103718

4103723

4103727

====================

Separately, Adobe released updates for 3 of their products, namely:

Adobe Creative Cloud Desktop Application (priority 2 (overall), 3x CVEs)

Adobe Connect (priority 2, 1x CVE)

Adobe Flash Player (priority 2, 1x CVE)

Non-Microsoft browsers should update automatically e.g. Google Chrome should release a browser update in the coming days or will use their component update feature (the update was not available at the time of writing). Like last month; Microsoft issued a security advisory containing details of their updates

As always; you can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page (since Secunia PSI was phased out on the 20th of April):
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below. A useful list of all CVEs for this month is present here:
====================

Windows VBScript Engine Remote Code Execution Vulnerability (a zero day (defined) vulnerability)

Win32k Elevation of Privilege Vulnerability

Microsoft Edge and Internet Explorer (similar to last month multiple versions of Edge and IE affected with many of the CVEs affecting the Microsoft Scripting Engine))

Microsoft Hyper-V (Update 1 and Update 2)

Microsoft Office (detailed list available here)
====================
Please install the remaining updates at your earliest convenience.

One of the vulnerabilities addressed by Microsoft this month, namely CVE-2081-8897: Windows Kernel Elevation of Privilege Vulnerability arose due to the misinterpretation of documentation from Intel regarding how a CPU (defined) raise a debug (defined) exception to transfer control to debugging software (usually used by a software developer). The specific instructions were the assembly language instructions (defined) MOV to SS and POP to SS.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Malwarebytes Anti-Malware
=======================
Last week Malwarebytes updated their anti-malware product to version 3.5.1. The full list of improvements is available here but it also updated their include 7-Zip to version 18.05. I verified this manually since the above release notes did not reference to it. Further details of the 7-Zip update are available in my April blog post.

Moreover; Directory Opus updated their product to version 12.8.1. Beta adding new DLLs (defined) for 7-Zip and UnRAR once again to address the vulnerabilities found within the UnRAR DLL also used by 7-Zip.

=======================
Mozilla Firefox:
=======================
This month Mozilla made available security updates for Firefox and Firefox ESR (Extended Support Release):

9th May: Firefox 60.0: Resolves 2x critical CVEs, 6x high, 14 moderate CVEs and  4x low severity CVEs

9th May: Firefox ESR 52.8: Resolves 2x critical, 5x high, 3x moderate CVEs

Further details of the security issues resolved by these updates are available in the links above. Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
Google Chrome:
=======================
Google released Google Chrome version 66.0.3359.170 to address 4 number of vulnerabilities and to include a newer version of Adobe Flash Player.

One of the four vulnerabilities addressed relates to how Chrome handles browser extensions resolving a privilege escalation issue (defined). Further details are availability here.

=======================
USB Denial of Service (DoS) Will not Receive a Fix
=======================
In other vulnerability related news; a denial of service issue (defined) privately/responsibly disclosed (defined) by a security researcher Marius Tivadar will not fixed by Microsoft with a security update since the vulnerability requires physical access to the target system or social engineering (defined) and does not result an attacker being able to execute code of their choice on the affected system.

In my opinion; this is justified since if an attacker can obtain physical access to your system it significantly enhances the damage they can do. This statement also forms part of Microsoft’s 10 Immutable Laws of Security.

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which could be used by an attacker to redirect to websites to perform attacks such as watering hole attacks (defined))
  • 2x cross site scripting (XSS) vulnerabilities (defined) as a result of attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • some less secure sanitize_file_name edge cases
  • unauthorized category removal from a post
  • password change via stolen cookie (defined)

Previously in early May this year WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attacks begin exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, and as above in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For the WP Mobile Detector; it was later updated to version 3.6 to address this vulnerability. However as noted by Sucuri in their advisory the vulnerability was not fully addressed by this new version and they are working with them to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit since it requires the allow_url_fopen API (defined) to be enabled. US CERT recommends disabling this API (defined) call if it is not needed for your website as a defence in depth (defined)(PDF) measure.

Lastly for the JetPack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin if you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

NTP Project Releases Security Update (June 2016)

In early June the NTP project; the team behind the Network Time Protocol (NTP)(defined) issued a security update to address 5 security issues (more formally known as CVEs (defined)), one of which has been classified as high severity. This update brings NTP to version 4.2.8p8

Why Should These Issues Be Considered Important?
The most severe issue involves a denial of service (defined) vulnerability caused by the processing of Crypto-NAK responses (these responses are sent by NTP servers when a client and server do not agree on a message authentication code (MAC)(defined)).

The other four issues were classified as low severity, one of which relates to the above crypto-NAK vulnerability. That low severity vulnerability if exploited could lead to the demobilization of an association between the server and the client (where mobilization means that an NTP server is cryptographically authenticated to a client).

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the June 2016 entry).

Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

Moreover, please see each of the following NTP bug entries since each contains mitigations (defined) for each vulnerability that may be of assistance to you:

NTP Bug 3042 (low severity)
NTP Bug 3043 (low severity)
NTP Bug 3044 (low severity)
NTP Bug 3045 (low severity)
NTP Bug 3046 (high severity)

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit namely that they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return) key 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.

Moreover, systems with defences such as disabled CR-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that logging of their actions is not recorded since the syslog daemon (defined) is not running (carrying out it’s purpose) since the bash (Bourne-Again SHell)(defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Thank you.

Cisco Issues Web Security Appliance Security Updates

In early November Cisco made available security updates to resolve 3 CVEs (defined)(1x critical and 2x high severity) within their Web Security Appliances (WSA).

Why Should These Issues Be Considered Important?
The first and most serious vulnerability could allow an authenticated user (a user already with some level of access to your Cisco appliance) if they pass specific commands as arguments (parameters, defined) to the system scripts used to create certificates that will result in them obtaining root level access (defined) to your security appliance.

The remaining 2 high severity issues could result in a denial of service (DoS, defined) condition when exploited by a remote unauthenticated attacker (i.e. someone with no initial access to your security appliance). These issues are caused by failures to free (make available for use) memory during “opening multiple connections that request file ranges” and retrieving “data from the proxy server cache to terminate a TCP connection.” The result of these denial of service attacks would be your security appliance being temporarily unavailable to carry out it’s role within your organization.

The most severe security issue has no available workaround but the high severity issues have workarounds and indicators of compromise (IOC)(defined) to detect if attacks using these issues have occurred. At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being used to attack its customers.

The affected appliances are as follows:

  • Critical issue: Cisco AsyncOS for the WSA versions 8.0 and later, both virtual and hardware versions
  • High severity issues: Cisco AsyncOS versions 8.0 through 8.8 for Cisco WSA on both virtual and hardware appliances.

Steps to determine if your appliances are affected are provided in the 3 Cisco security advisories mentioned below.

How Can I Protect Myself From These Issues?
If your organization uses any of the above mentioned Cisco Web Security Appliances please follow the directions within the 3 Cisco security advisories mentioned below to install the necessary security updates:

Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 1
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 2

Thank you.

NTP Project Releases Security Update

In late October the NTP Project; the maintainers of the Network Time Protocol (NTP)(defined) issued a security update to resolve 13 medium and low CVEs (defined) in this commonly used protocol. This update brings the version of NTP to 4.2.8p4.

Why Should These Issues Be Considered Important?
3 of the issues addressed by this security update were discovered and responsibly disclosed (defined) to NTP by 4 researchers from Boston University. Their research is described in this paper.

The first issue involves the use of a Kiss-of-Death packet that is normally used to prevent a client device (e.g. a desktop or laptop computer etc.) from repeatedly requesting the correct time from an NTP server when the client device may be experiencing technical issues. This prevents the NTP server becoming inadvertently overloaded. An attacker can exploit this issue by sending a Kiss-Of-Death packet to a victim device from any location (what is known as an off-path attack). This packet depending on the poll value within it has the potential to prevent that victim device from correctly setting it’s clock for a year or more.

The second issue resolved is very similar but involves the attacker sending a large number of queries requesting the correct time to the NTP server. These queries have been spoofed to look like they came from the victim device. The server then responds to the victim device with the above mentioned Kiss-Of-Death packet again disabling the victim devices means of updating it’s clock. This issue could be exploited if the first issue mentioned above has already been patched on the time server. This results in the victim device experiencing a denial of service issue (defined) since it can no longer set it’s clock due to no fault of it’s own.

The third and final issue requires that the attacker be positioned in a man-in-the-middle (defined) position between the client and the server which could allow the attacker to roll back the time on the victim device that bypasses the 16-minute threshold that is usually imposed to prevent a server from setting a client devices clock more than 16 minutes from the actual correct time.

If a device has its clock set to an inaccurate time that differs too much from the correct time it can cause that device to no longer be able to carry out actions that primarily use correct time to function properly. The use of timestamps is primarily employed in cryptography to prevent replay attacks (defined) or to determine if a digital certificate is still valid (among other purposes). For the full details of how features such as TLS (defined here and here), DNSSEC (defined), DNS (defined) (among others) as well as the online cryptocurrency Bitcoin can be affected as a result of these issues please refer to page 2 and 3 of the above mentioned paper.

Since the above features (among others) rely on a device having an accurately set clock and given that an attacker can exploit these 3 issues relatively easily these issues should be patched as soon as possible.

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the October 2015 entry). Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

In addition, recommendations to more thoroughly protect against all of the flaws discussed in the above mentioned research paper are provided on this page.

Thank you.

Cisco Releases Adaptive Security Appliance (ASA) Security Updates

In late October Cisco released a series of 4 security advisories to resolve 4 high severity CVEs (defined) that could result in a denial of service (DoS)(defined) condition for the affected Cisco networking Adaptive Security Appliance (ASA) software.

Why Should These Issues Be Considered Important?
If you make use of Cisco ASA software an unauthenticated remote attacker (namely an attacker that does not have any prior access to your Cisco software) could potentially prevent that software from performing it’s job by causing that software to reload (stop functioning and then restart).

Reloading could be called a denial of service (DoS) condition since while your software is reloading it’s not doing what it was intended to do within your organization. The attacker would only need to send the software a specifically crafted DHCPv6 (see Aside below for a definition) or UDP (defined) packets (when exploiting the VPN ISAKMP issue which involves IKE (Internet Key Exchange (IKE)) v1; see Aside 3 below for a definition) to exploit these issues.

In the case of the first 2 advisories concerning how the ASA software processes DNS requests (see this post for a non-technical explanation and see Aside 2 below for a more formal definition of DNS) the attacker would only need to send the ASA software specifically crafted packets that will cause the software to generate a DNS request packet.

The above means of attack makes it reasonable easy for an attacker to take advantage of these issues to interrupt the normal operation of your ASA software. Finally, there are no workarounds available for these issues (apart from disabling the affected components, which is not really an option if you make use of them).

How Can I Protect Myself From These Issues?
At this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being exploited by attackers since these issues were discovered during internal security testing.

If your organization uses any of the above mentioned Cisco ASA software please follow the directions within the four Cisco security advisories mentioned below to install the necessary security updates:

Cisco ASA Software DNS Denial of Service Vulnerability Advisory 1
Cisco ASA Software DNS Denial of Service Vulnerability Advisory 2
Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability

Thank you.

=======================
Aside:
What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically assigns an IP address (defined) to a computing device to enable it to communicate with other devices on that network.

The IP addresses provided can be static (fixed) or dynamic (temporary; these addresses exist for a time known as the leasing time, when the lease expires the device can choose to renew the lease for another lease period e.g. 12 hours). The IP address assigned by DHCP comes from a pool (collection) of free address available for use on that network. The process of being automatically assigned an IP address is similar to being given a phone number so that you can call other phone numbers to speak to other people.

DHCP can also provide other information such as the IP address of the DNS server to a device enabling it to access websites on the internet when a person types a website address into their web browser address bar (DNS is explained in more detail below).

Finally DHCP provides the newly established device on that network with the IP address of the default gateway of that network enabling the device to communicate with other networks (e.g. the wider internet). The default gateway acts as a bridging point from one network to another (usually networks using different protocols e.g. ATM (defined) or Frame Relay (defined)). For example, in your home your wireless router acts as both your default gateway and your DNS server (unless you decide to use custom DNS settings). This router connects your devices (which are part of your Local Network (LAN) to the internet (a Wide Area Network, WAN)).

Please note that DHCPv6 is the IPv6 (defined) equivalent of DHCP (which is used with current generation IPv4 networks).
=======================

=======================
Aside 2:
What is DNS?

DNS (Domain Name Service) works very much like looking a phone number up in a phone book. By doing so it translates website names e.g. www.google.com into an IP address (defined) allowing for example your web browser to connect to Google’s server to display Google’s homepage. However this communication between computers could also be used for any other desired purpose.

DNS can also be used with email services to locate a mail server for you to send a message from your computer to that domain e.g. to bob@example.com An MX (mail exchange record) maps that domain name (example.com) to a list of mail transfer agents (MTA) for that domain. MTAs transfer a message using SMTP (defined) from MTA to MTA until it reaches the MTA for the messages destination.

DNS usually uses UDP (defined) port 53 to communicate with other DNS servers to find the IP address for the website name that you entered. DNS servers also communicate/synchronize with one another to stay up to date with the appropriate domain name to IP address translations using a process known as DNS zone (defined) transfers.
=======================

=======================
Aside 2:
What is Internet Key Exchange (IKE)?

Internet Key Exchange is part of a wider security feature known as IPSec.

IPSec (Internet Protocol Security) is a set of protocols that provide a means of setting up a secure channel of communication between 2 computing devices. Many VPNs (Virtual Private Networks)(defined) used by employees to access data and computers (usually servers) when outside of the office use IPSec to secure the connection between the employee’s device and their corporate office.

IPSec is a framework (recommended means of accomplishing something) and thus it does not stipulate specific hashing algorithms (e.g. SHA-1) or encryption algorithms e.g. RSA or ECC to use when creating a secure channel between 2 devices. Moreover, how the 2 devices exchange public keys are not specified.

A commonly used key exchange mechanism used when IPSec is securing a channel is Internet Key Exchange (IKE)(defined within RFC 2828). This standard is made up of ISAKMP (Internet Security Association and Key Management Protocol (ISAKMP)) and OAKLEY protocols. ISAKMP provides the necessary means of exchanging the encryption keys while OAKLEY actually carries out the exchange.

The establishment of the secure channel happens in two phases described in detail within this Cisco article. The Diffie-Hellman algorithm is used to agree on the public encryption for use within this secure channel within phase 1.

IKE is used with IPSec to provide the following benefits:

  • Removes the need to manually set the IPSec security parameters while establishing the connection between two devices.
  • Protects against replay attacks (summarized details of such are provided in this thread (this is a long thread, I would advise searching for the keyword “session” within that page)).
  • Provides the ability to set a limited lifetime for the IPSec communication channel which takes advantage of the capability for encryption keys to change during an individual IPSec session (essentially providing the capabilities and extra security of a temporary session key.

=======================