ASSURANCE
“Confidence in Cyberspace”
DISCUSSION:
Certain Cisco® network devices configured to accept Virtual Private Network (VPN) connections are vulnerable
to unauthorized disclosure of memory contents. Cisco IOS® uses the Internet Key Exchange (IKE) protocol to
negotiate the cryptographic parameters and configuration needed to establish a secure (IPsec) channel. An
unauthenticated adversary who can reach the device's IKE listener can send malformed IKEv1 packets that cause
the device to return portions of its memory over the network; no VPN credentials are required, because the flaw
is in the parsing of the IKEv1 packets themselves. Cisco® published a security advisory[1] on this topic and will
release software updates to remediate this vulnerability as they are developed.
Refer to the Cisco® Security Advisory[1] for the specific affected Cisco IOS® releases. Affected Cisco® network products include:
Certain products running Cisco® IOS
All products running Cisco® IOS XE
All products running Cisco® IOS XR 5.2.x and prior
Cisco PIX 6.x and prior
MITIGATIONS:
Update to the latest version of the operating system
Cisco® will release a software upgrade to remediate this vulnerability. Apply it as soon as it is available to
reduce the window for adversary exploitation. When upgrading the operating system, obtain the image directly from
Cisco® and verify it by following the Cisco® Software Integrity Assurance guidance and procedures[2].
Determine whether the device has been configured to accept IKE traffic using the following commands:
- show udp
- show ip sockets
- show run | include crypto map|tunnel protection ipsec|crypto gdoi
- show crypto map
Any output showing UDP port 500 (ISAKMP/IKE), 4500 (IKE NAT traversal), 848 (GDOI), or 4848 (GDOI NAT traversal)
as open indicates that the device is processing IKE traffic. In the show run command, the alternation after
"include" is written without spaces around the vertical bars so that each pattern also matches configuration lines
that begin at the left margin, such as "crypto gdoi group". The show run and show crypto map commands display the
IKE and IPsec configuration together with any access control lists applied to it.
Cisco® and Cisco IOS® are registered trademarks of Cisco Systems, Inc.
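The following Python script is an added example, not part of the original advisory, that applies the check above to saved command output: it parses show ip sockets / show udp output for UDP listeners on the four IKE ports and searches a running configuration with the advisory's own include pattern. The column layout it assumes, and the sample socket output and configuration, are constructed for illustration in the style of IOS output; on a real device, substitute the actual captured output.

```python
import re
from typing import Dict, List

# UDP ports that carry IKEv1, and GDOI, which rides on IKEv1 (the advisory's list).
IKE_UDP_PORTS = {
    500: "ISAKMP/IKE",
    4500: "IKE NAT traversal",
    848: "GDOI",
    4848: "GDOI NAT traversal",
}

# The alternation from: show run | include crypto map|tunnel protection ipsec|crypto gdoi
IKE_CONFIG_RE = re.compile(r"crypto map|tunnel protection ipsec|crypto gdoi")

UDP_PROTO = "17"  # IP protocol number shown in the Proto column


def udp_listeners(socket_output: str) -> Dict[int, str]:
    """Return {local_port: local_address} for every UDP row of `show ip sockets`
    or `show udp` output. Assumed (constructed) column layout:
      Proto Remote Port Local Port ...    or    Proto --listen-- Local Port ...
    """
    listeners: Dict[int, str] = {}
    for line in socket_output.splitlines():
        tok = line.split()
        if not tok or tok[0] != UDP_PROTO:
            continue  # header line or a non-UDP row
        if tok[1] == "--listen--" and len(tok) >= 4:
            local_addr, local_port = tok[2], tok[3]
        elif len(tok) >= 5:
            local_addr, local_port = tok[3], tok[4]
        else:
            continue  # malformed row; ignore rather than guess
        if local_port.isdigit():
            listeners[int(local_port)] = local_addr
    return listeners


def ike_config_lines(running_config: str) -> List[str]:
    """Lines of the running config that the advisory's include pattern would print."""
    return [line.rstrip() for line in running_config.splitlines() if IKE_CONFIG_RE.search(line)]


def assess(socket_output: str, running_config: str) -> dict:
    """Combine both checks: open IKE ports (the advisory's criterion) and IKE/IPsec config."""
    listeners = udp_listeners(socket_output)
    exposed = {p: (listeners[p], IKE_UDP_PORTS[p]) for p in IKE_UDP_PORTS if p in listeners}
    return {
        "processing_ike": bool(exposed),  # any of 500/4500/848/4848 open
        "ike_ports": exposed,
        "config_hits": ike_config_lines(running_config),
    }


# Constructed sample: a device with an IKEv1 VPN configured (plus SNMP and NTP).
SAMPLE_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 0.0.0.0             0 192.0.2.1           500   0   0 1001   0
 17 0.0.0.0             0 192.0.2.1          4500   0   0 1001   0
 17 --listen--          192.0.2.1           161   0   0    1   0
 17 0.0.0.0             0 192.0.2.1           123   0   0    1   0
"""

# Constructed sample configuration for the same device.
SAMPLE_CONFIG = """\
hostname edge-router
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.7
 match address VPN-ACL
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROF
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP
"""

# Constructed sample: a device with no IKE listener (SNMP and NTP only).
SAMPLE_SOCKETS_CLEAN = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17 --listen--          192.0.2.1           161   0   0    1   0
 17 0.0.0.0             0 192.0.2.1           123   0   0    1   0
"""

if __name__ == "__main__":
    for label, sockets, config in (("edge-router", SAMPLE_SOCKETS, SAMPLE_CONFIG),
                                   ("clean-router", SAMPLE_SOCKETS_CLEAN, "hostname clean-router\n")):
        result = assess(sockets, config)
        print(f"{label}: processing IKE = {result['processing_ike']}")
        for port, (addr, name) in sorted(result["ike_ports"].items()):
            print(f"  UDP {port} ({name}) open on {addr}")
        for line in result["config_hits"]:
            print(f"  config: {line}")
```

Note that the configuration search uses the advisory's pattern as given, so a line such as "crypto isakmp policy 10" is not reported; the socket check is what decides whether the device is actually processing IKE traffic, and the configuration lines only show where that IKE usage is configured and which access lists apply to it.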
REFERENCES
[1] Cisco® Security Advisory cisco-sa-20160916-ikev1,
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
[2] Cisco IOS® Software Integrity Assurance,
https://www.cisco.com/c/en/us/about/security-center/integrity-assurance.html
Disclaimer of Endorsement:
The information and opinions contained in this document are provided "as is" and without any warranties or
guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the
United States Government, and this guidance shall not be used for advertising or product endorsement purposes.