Cisco has determined that the following products are vulnerable when they are configured to use IKE version 1 (IKEv1):
All Cisco products running an affected release of Cisco IOS Software
All Cisco products running an affected release of Cisco IOS XE Software
All Cisco products running an affected release of Cisco IOS XR Software
Cisco PIX firewalls
Note: Although only IKEv1 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when they are configured to use IKEv1 or IKEv2.
The investigation is ongoing to determine if other Cisco products may be affected by this vulnerability.
This section will be updated if additional products are found to be vulnerable.
Note: Cisco has investigated this issue and concluded that PIX versions 6.x and prior are affected by this vulnerability. PIX versions 7.0 and later are confirmed to be unaffected by this vulnerability.
Cisco PIX is not supported and has not been supported since 2009.
Configuring IKEv2 on Cisco IOS Software or Cisco IOS XE Software automatically enables IKEv1. Although IKEv1 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software when IKEv1 or IKE version 2 (IKEv2) is configured, the vulnerability can be triggered only by sending a crafted IKEv1 packet.
A number of features use IKEv1, including different VPNs such as:
Remote access VPN (excluding SSLVPN)
Dynamic Multipoint VPN (DMVPN)
Group Domain of Interpretation (GDOI)
Note: Cisco IOS XR platforms do not support DMVPN or GDOI-based VPNs.
There are two methods to determine if a device is configured for IKE:
Determine if IKE ports are open on a running device
Determine if IKE features are included in the device configuration
Determine if IKE Ports are Open on a Running Device
The preferred method to determine if a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command.
If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets.
In the following example, the device is processing IKE packets on UDP port 500 and UDP port 4500, over both IPv4 and IPv6:
router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
!-- Output truncated
Determine if IKE Features are Included in the Device Configuration
To determine if a Cisco IOS device configuration is vulnerable, the administrator needs to establish whether there is at least one configured feature that uses IKE.
This can be achieved by issuing the show run | include crypto map|tunnel protection ipsec|crypto gdoi command in enable (privileged EXEC) mode.
If the output of this command contains crypto map, tunnel protection ipsec, or crypto gdoi, the device contains an IKE configuration.
The following example shows a device that has been configured for IKE:
router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map CM 100 ipsec-isakmp
crypto map CM
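The two checks above (IKE ports in show udp output and IKE keywords in the running configuration) as one offline audit script. This is an added example, not Cisco's code or part of the advisory; the sample command outputs are constructed from the advisory's examples with one extra non-IKE UDP listener added, and the function names are this example's own.

```python
import re

# Constructed sample output, modelled on the advisory's show udp example,
# plus an NTP listener (UDP 123) that must NOT count as IKE.
SAMPLE_SHOW_UDP = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
17 --listen-- 192.168.130.21 123 0 0 1001011 0
"""

# Constructed sample output of the filtered show run command from the advisory.
SAMPLE_SHOW_RUN = """\
crypto map CM 100 ipsec-isakmp
crypto map CM
"""

# UDP ports the advisory names as evidence that the device processes IKE.
IKE_UDP_PORTS = {500, 4500, 848, 4848}

# The same keywords the advisory's "show run | include ..." filter uses.
IKE_CONFIG_RE = re.compile(r"crypto map|tunnel protection ipsec|crypto gdoi")

# "--listen--" marker; tolerates en/em dashes introduced by copy-and-paste.
_LISTEN_RE = re.compile(r"[-\u2013\u2014]+listen[-\u2013\u2014]+")


def local_udp_ports(show_udp_output):
    """Return the set of local UDP ports listed in show udp output.

    Data rows start with protocol 17 (optionally tagged (v6)). Listening
    sockets print --listen-- instead of a remote address and omit the
    remote port, so the local port is the third token after the protocol;
    established sockets carry remote address and port first, so the local
    port is the fourth token.
    """
    ports = set()
    for line in show_udp_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("17"):
            continue
        rest = fields[1:]
        try:
            if _LISTEN_RE.fullmatch(rest[0]):
                port = int(rest[2])
            else:
                port = int(rest[3])
        except (IndexError, ValueError):
            continue  # header line or a row we cannot parse
        ports.add(port)
    return ports


def ike_ports_in_use(show_udp_output):
    """Ports from the advisory's IKE list that the device is listening on."""
    return local_udp_ports(show_udp_output) & IKE_UDP_PORTS


def ike_config_lines(show_run_output):
    """Config lines indicating an IKE-using feature (works on filtered or full show run)."""
    return [ln.strip() for ln in show_run_output.splitlines() if IKE_CONFIG_RE.search(ln)]


def assess(show_udp_output, show_run_output):
    """Combine both advisory checks into one verdict dictionary."""
    ports = ike_ports_in_use(show_udp_output)
    cfg = ike_config_lines(show_run_output)
    return {
        "ike_ports": sorted(ports),
        "ike_config": cfg,
        "ike_enabled": bool(ports) or bool(cfg),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_UDP, SAMPLE_SHOW_RUN))
```

Feed it the captured output of both commands from each device; a device that reports no IKE ports and no IKE configuration lines is not listening for IKEv1 negotiation, while either finding alone is enough to treat the device as in scope for the fixed-release checks that follow.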
Note: Only Cisco products accepting IKEv1 SA negotiation requests are affected by this vulnerability.
If the device only initiates IKE main, aggressive, or quick mode security association (SA) establishment, or only initiates rekeys for IKE and IPsec SAs, it cannot be exploited through this vulnerability. Cisco devices that only initiate IKEv1 SA negotiation are not affected by this vulnerability.
Note: A Cisco Easy VPN (EzVPN) client configuration still listens for IKE requests and can be exploited by processing such requests.
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the command-line interface (CLI), and then refer to the system banner that appears.
If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software.
The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name.
Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
For information about the naming and numbering conventions for Cisco IOS Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device and use the show version command in the CLI.
If the device is running Cisco IOS XE Software, Cisco IOS XE Software or similar text appears in the system banner. The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.6.2S, which maps to Cisco IOS Software Release 15.2(2)S2:
Router# show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
Determining the Cisco IOS XR Software Release
To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the CLI.
If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner.
The location and name of the system image file that is currently running on the device appears next to the System image file is text.
The name of the hardware product appears on the line after the name of the system image file.
The following example shows the output of the show version command on a device that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
RP/0/RP0/CPU0:router# show version
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
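The three banner-reading procedures above (IOS, IOS XE and IOS XR) as one parser that extracts the platform, release string and image name an administrator would compare against the fixed-release tables. This is an added example, not Cisco's code or part of the advisory; the banners are constructed from the advisory's own show version excerpts, and the function names are this example's own. For IOS XE it returns the IOS-side version printed in the banner (15.2(2)S2 in the sample); the advisory states which IOS XE release that corresponds to, and the parser does not attempt that mapping.

```python
import re

# Constructed banners, modelled on the three show version excerpts in the advisory.
IOS_BANNER = """\
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
"""

IOS_XE_BANNER = """\
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
"""

IOS_XR_BANNER = """\
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
"""

# "(IMAGE), Version X," as printed on the first line of IOS and IOS XE banners.
_IOS_LINE_RE = re.compile(r"\(([^()]+)\),\s*Version\s+([^,\s]+)")
_XR_VERSION_RE = re.compile(r"Cisco IOS XR Software, Version\s+(\S+)")
# Accept straight or typographic quotes around the XR image path.
_XR_IMAGE_RE = re.compile(r'System image file is ["\u201c](.+?)["\u201d]')


def detect_platform(banner):
    """Classify the banner. XR and XE are tested first because an XE banner
    also contains the plain 'Cisco IOS Software' marker."""
    if "Cisco IOS XR Software" in banner:
        return "IOS XR"
    if "IOS-XE Software" in banner or "Cisco IOS XE Software" in banner:
        return "IOS XE"
    if "Cisco IOS Software" in banner or "Cisco Internetwork Operating System Software" in banner:
        return "IOS"
    return None


def parse_show_version(banner):
    """Return platform, version and image name (plus the hardware line for XR),
    or None when the banner is not recognised as IOS, IOS XE or IOS XR."""
    platform = detect_platform(banner)
    if platform is None:
        return None
    info = {"platform": platform, "version": None, "image": None}
    if platform == "IOS XR":
        m = _XR_VERSION_RE.search(banner)
        if m:
            info["version"] = m.group(1)
        lines = banner.splitlines()
        for i, line in enumerate(lines):
            m = _XR_IMAGE_RE.search(line)
            if m:
                # Image name is the last path component of the quoted file.
                info["image"] = m.group(1).rsplit("/", 1)[-1]
                # The advisory notes the hardware product is named on the next line.
                info["hardware"] = lines[i + 1].strip() if i + 1 < len(lines) else None
                break
    else:
        m = _IOS_LINE_RE.search(banner)
        if m:
            info["image"], info["version"] = m.group(1), m.group(2)
    return info


if __name__ == "__main__":
    for banner in (IOS_BANNER, IOS_XE_BANNER, IOS_XR_BANNER):
        print(parse_show_version(banner))
```

Because some devices print a different show version layout, as the advisory warns, the parser returns None fields rather than guessing; treat any device it cannot classify as one to check by hand.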
Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliances are not affected by this vulnerability.
The investigation is ongoing to determine if other Cisco products may be affected by this vulnerability.
This section will be updated as more details are learned.
No other products are currently known to be affected by this vulnerability at the time of this disclosure.