This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and have the Internet Security Association and Key Management Protocol (ISAKMP) enabled.
For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.
Although only IKEv1 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable if ISAKMP is enabled. A device configured with IKEv1 or IKEv2 is vulnerable because either configuration will process the malformed packet.
Many features use IKE, including different types of VPNs such as the following:
- LAN-to-LAN VPN
- Remote-access VPN, excluding SSL VPN
- Dynamic Multipoint VPN (DMVPN)
- FlexVPN
- Group Encrypted Transport VPN (GET VPN)
Determining Whether IKE Is Enabled
To determine whether a device is configured for IKE, administrators can use the show ip sockets or show udp EXEC command in the CLI. If UDP port 500, UDP port 848, UDP port 4500, or UDP port 4848 is open on a device, the device is processing IKE packets.
The following example shows the output of the show udp command on a device that is processing IKE packets on UDP port 500 and UDP port 4500, using either IP Version 4 (IPv4) or IP Version 6 (IPv6):
router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
.
.
.
router#
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.
For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.
For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software.
from Cisco Security Advisory https://ift.tt/2pLkAqE
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.