
INFORMATION ASSURANCE
“Confidence in Cyberspace”

Date: 19 September 2016


ADVISORY NO. IAA U/OO/802789-16

SUBJECT: Recommendations to Mitigate IKEv1 Vulnerability in Cisco® Network Devices

DISCUSSION:
Certain Cisco®¹ network devices configured to accept Virtual Private Network (VPN) connections are vulnerable
to unauthorized disclosure of memory data. Cisco IOS® uses the Internet Key Exchange (IKE) protocol to
exchange cryptographic and configuration information to establish a secure communication channel. An
adversary can send malformed IKEv1 packets that can cause data from memory to be transferred over the network.
Cisco® published a security advisory[1] on this topic and will release software updates to remediate this
vulnerability as they are developed.

Refer to the Cisco Security Advisory for the affected Cisco IOS® releases. Affected Cisco® network products include:
• Certain products running Cisco® IOS
• All products running Cisco® IOS XE
• All products running Cisco® IOS XR 5.2.x and prior
• Cisco PIX 6.x and prior

MITIGATIONS:
• Update to the latest version of the operating system
Cisco® will release a software upgrade to remediate this security risk. This upgrade should be applied as soon as
possible once it is available to reduce the risk of adversary exploitation. When upgrading the operating system,
acquire the image from Cisco® and follow the Cisco® Software Integrity Assurance guidance and procedures[2].

• Implement access control lists to protect against unauthorized connection attempts

Internet Key Exchange (IKE) initiation should originate only from authorized devices. IP-based access control lists
and ISAKMP filters should be implemented to restrict access for Site-to-Site IPSec connections. Execute 'show
access-list' to confirm that the access lists have been created. Execute 'show crypto map' to confirm that the access
list is applied to the interface.
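The check above asks the operator to read 'show access-list' output and confirm that IKE is reachable only from authorized peers. The following is an added example, not Cisco's code or part of the advisory: a small first-match evaluator for a subset of IOS extended ACL syntax (host, any, address/wildcard, and 'eq' destination ports, including the IOS port names isakmp and non500-isakmp) that answers the question directly for every IKE-related port the advisory lists. The 'show access-list' text, the peer addresses and the ACL name OUTSIDE-IN are constructed; the ACL deliberately closes UDP 500/4500 but not 848/4848 so the audit has something to find.

```python
import ipaddress
import re

# IOS port keywords used in the constructed sample (isakmp = 500, non500-isakmp = 4500)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "snmp": 161}
# UDP ports the advisory associates with IKE processing
IKE_PORTS = (500, 4500, 848, 4848)

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(show_output):
    """Parse 'show access-list' text into {acl_name: [rule, ...]} preserving IOS order."""
    acls, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"\s*Extended IP access list (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        t = re.sub(r"\(\d+ matche?s?\)", "", line).split()   # drop hit counters
        if current is None or len(t) < 3:
            continue
        if t[0].isdigit():                                    # sequence number
            t = t[1:]
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        _sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        current.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return acls

def _addr_match(spec, ip):
    net, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule decides; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(r["src"], src_ip) and _addr_match(r["dst"], dst_ip)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"] == "permit"
    return False

def ike_exposure(rules, dst_ip, candidate_sources, authorized):
    """Sources the ACL lets reach any IKE port on dst_ip although they are not authorized peers."""
    return sorted({s for s in candidate_sources for p in IKE_PORTS
                   if s not in authorized and evaluate(rules, s, dst_ip, "udp", p)})

# Constructed 'show access-list' output (not captured from a real device)
SHOW_ACCESS_LIST = """\
Extended IP access list OUTSIDE-IN
    10 permit udp host 203.0.113.10 host 192.0.2.1 eq isakmp (42 matches)
    20 permit udp host 203.0.113.10 host 192.0.2.1 eq non500-isakmp
    30 deny udp any any eq isakmp
    40 deny udp any any eq non500-isakmp
    50 permit ip any any (1183 matches)
"""

if __name__ == "__main__":
    rules = parse_acl(SHOW_ACCESS_LIST)["OUTSIDE-IN"]
    print(ike_exposure(rules, "192.0.2.1", ["203.0.113.10", "198.51.100.7"], {"203.0.113.10"}))
```

Running it reports 198.51.100.7 as exposed: rules 30 and 40 stop the unauthorized peer on 500 and 4500, but rule 50 still lets it reach 848 and 4848, which is exactly the gap a manual reading of the ACL tends to miss.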

• Disable unnecessary communication services and protocols

Network devices provide support for several communication services and protocols. Only operationally required
communications should be enabled, and they should use only the most secure version of the communication
protocol feasible. This vulnerability only affects IKE version 1. If IKE is not operationally required, firewall rules
can be implemented to block IKE traffic through UDP ports 500, 4500, 848, and 4848.

• Determine whether the device has been configured to accept IKE traffic using the following commands:
- show udp
- show ip sockets
- show run | include crypto map | tunnel protection ipsec | crypto gdoi
- show crypto map

Any output listing UDP port 500, 4500, 848, or 4848 as open indicates that the device is processing IKE traffic.
These commands will display IKE configurations and applied Access Control Lists.

¹ Cisco® and Cisco IOS® are registered trademarks of Cisco Systems, Inc.
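When these commands are collected from many devices, reading the output by hand does not scale. The following is an added example, not part of the advisory: it takes the text of 'show udp' / 'show ip sockets' and of 'show run', reports which of the four IKE-related UDP ports have a local listener, and applies a Python equivalent of the advisory's 'show run | include' filter. The command output below is constructed to resemble IOS formatting (remote socket first, local socket second) and is not captured from a real device; the parser only assumes that column order.

```python
import re

# UDP ports the advisory associates with IKE/GDOI processing
IKE_PORTS = {500, 4500, 848, 4848}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Looser Python equivalent of the advisory's
# 'show run | include crypto map | tunnel protection ipsec | crypto gdoi'
CRYPTO_CONFIG = re.compile(r"crypto map|tunnel protection ipsec|crypto gdoi")

def ike_listeners(socket_table):
    """Map IKE port -> local address for each listener in 'show udp' / 'show ip sockets' output.

    Rows list the remote socket before the local one, so the local socket is taken as
    the last IPv4 token on the row and the port number that follows it.
    """
    found = {}
    for line in socket_table.splitlines():
        tokens = line.split()
        addr_idx = [i for i, tok in enumerate(tokens) if IPV4.match(tok)]
        if not addr_idx or addr_idx[-1] + 1 >= len(tokens):
            continue
        local_addr, port_tok = tokens[addr_idx[-1]], tokens[addr_idx[-1] + 1]
        if port_tok.isdigit() and int(port_tok) in IKE_PORTS:
            found[int(port_tok)] = local_addr
    return found

def crypto_config_lines(running_config):
    """Configuration lines that bind IPsec/IKE to an interface or enable GDOI."""
    return [l.strip() for l in running_config.splitlines() if CRYPTO_CONFIG.search(l)]

def assess(socket_outputs, running_config):
    """Combine socket tables and running config into one finding for the device."""
    ports = {}
    for out in socket_outputs:
        ports.update(ike_listeners(out))
    crypto = crypto_config_lines(running_config)
    return {"ike_ports": sorted(ports), "crypto_lines": crypto,
            "processes_ike": bool(ports or crypto)}

# Constructed sample output (not from a real device)
SHOW_UDP = """\
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17 --listen--          192.0.2.1         500   0   0    1   0
 17 --listen--          192.0.2.1        4500   0   0    1   0
 17 --listen--          192.0.2.1         161   0   0    1   0
"""
SHOW_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0            0 192.0.2.1         848   0   0    1   0
"""
SHOW_RUN = """\
crypto isakmp policy 10
 encr aes 256
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-ACL
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
"""

if __name__ == "__main__":
    print(assess([SHOW_UDP, SHOW_IP_SOCKETS], SHOW_RUN))
```

A device that shows no IKE listener but still carries a 'crypto map' on an interface is worth a second look, which is why the summary treats either signal as "processes IKE".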

• Monitor IKE traffic for anomalous behavior

Networks should monitor IKE traffic to UDP ports 500, 4500, 848, and 4848 for IKE initiation packets. Network
tools should perform deep packet inspection for malformed packets and monitor for recurrence of these types
of packets. IPS and IDS signatures are referenced in the Cisco Security Advisory[1].
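To make "IKE initiation packets" and "malformed packets" concrete, the following added example (not from the advisory or from Cisco) inspects the ISAKMP header of UDP datagrams sent to the four IKE ports. It recognizes the first message of an IKEv1 phase-1 exchange (responder cookie and message ID still zero), flags headers whose length field disagrees with the datagram, unknown exchange types, reserved flag bits, a missing non-ESP marker on port 4500, and truncated headers, and counts initiations per source so repeated attempts from one address stand out. The datagrams, source addresses and SA-payload filler are constructed; only the 28-byte header is parsed.

```python
import struct
from collections import Counter

IKE_PORTS = {500, 4500, 848, 4848}
ISAKMP_HDR_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on UDP 4500 (NAT-T)

# IKEv1 exchange types (RFC 2408 section 3.1, RFC 2409)
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PHASE1_EXCHANGES = {1, 2, 4}
VALID_FLAG_BITS = 0x07                 # E (0x01), C (0x02), A (0x04); the rest are reserved

def parse_isakmp(payload, udp_dport):
    """Inspect one UDP payload; returns {'ikev1', 'initiation', 'anomalies'}."""
    result = {"ikev1": False, "initiation": False, "anomalies": []}
    data = payload
    if udp_dport == 4500:
        if not data.startswith(NON_ESP_MARKER):
            result["anomalies"].append("port 4500 datagram without non-ESP marker")
            return result
        data = data[4:]
    if len(data) < ISAKMP_HDR_LEN:
        result["anomalies"].append(f"truncated header ({len(data)} bytes)")
        return result
    _ispi, rspi, _next, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        return result                  # IKEv2 (or not IKE at all); outside this advisory
    result["ikev1"] = True
    if length != len(data):
        result["anomalies"].append(f"length field {length} != datagram payload {len(data)}")
    if exch not in EXCHANGE_NAMES:
        result["anomalies"].append(f"unknown exchange type {exch}")
    if flags & ~VALID_FLAG_BITS:
        result["anomalies"].append(f"reserved flag bits set (0x{flags:02x})")
    # First message of a phase-1 exchange: responder cookie and message ID are still zero
    result["initiation"] = exch in PHASE1_EXCHANGES and rspi == bytes(8) and msg_id == 0
    return result

def monitor(datagrams):
    """datagrams: iterable of (src_ip, udp_dport, payload). Returns (initiations per source, findings)."""
    inits, findings = Counter(), []
    for src, dport, payload in datagrams:
        if dport not in IKE_PORTS:
            continue
        info = parse_isakmp(payload, dport)
        findings.extend((src, a) for a in info["anomalies"])
        if info["initiation"]:
            inits[src] += 1
    return inits, findings

def isakmp_header(ispi, rspi, next_payload, version, exch, flags, msg_id, length):
    """Build a 28-byte ISAKMP header (used here only to construct sample traffic)."""
    return struct.pack("!8s8sBBBBII", ispi, rspi, next_payload, version, exch, flags, msg_id, length)

BODY = bytes(20)   # constructed filler standing in for the SA payload; the header is all we inspect

# Constructed sample traffic: two clean initiations, three malformed headers, one IKEv2 datagram
SAMPLE = [
    ("198.51.100.7", 500, isakmp_header(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(BODY)) + BODY),
    ("198.51.100.7", 500, isakmp_header(b"\x12" * 8, bytes(8), 1, 0x10, 4, 0, 0, 28 + len(BODY)) + BODY),
    ("203.0.113.9", 500, isakmp_header(b"\x13" * 8, bytes(8), 1, 0x10, 2, 0, 0, 0xFFFF) + BODY),
    ("203.0.113.9", 4500, NON_ESP_MARKER
        + isakmp_header(b"\x14" * 8, bytes(8), 1, 0x10, 2, 0x80, 0, 28 + len(BODY)) + BODY),
    ("203.0.113.9", 500, b"\x15" * 8 + bytes(4)),
    ("192.0.2.33", 500, isakmp_header(b"\x16" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, 28)),
]

if __name__ == "__main__":
    counts, problems = monitor(SAMPLE)
    print(dict(counts))
    for src, what in problems:
        print(f"{src}: {what}")
```

Feeding it the sample yields two initiations each from 198.51.100.7 and 203.0.113.9 and three findings, all from 203.0.113.9; a real deployment would read payloads from a capture and alert when one source accumulates both initiations and header anomalies, which is the recurrence the advisory asks operators to watch for.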

REFERENCES
[1] Cisco® Security Advisory, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
[2] Cisco IOS® Software Integrity Assurance, https://www.cisco.com/c/en/us/about/security-center/integrity-assurance.html

Disclaimer of Endorsement:
The information and opinions contained in this document are provided "as is" and without any warranties or
guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the
United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

For further information about this product, please contact:

Industry Inquiries
IA Business Affairs Office
410-854-6091
email: bao@nsa.gov

Client Requirements And General Information Assurance Inquiries
IA Client Contact Center
410-854-4200
email: IAD_CCC@nsa.gov
