Cisco Security Advisory
IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products
High
Advisory ID:
cisco-sa-20160916-ikev1
First Published:
2016 September 16 16:00 GMT
Last Updated:
2016 October 5 15:09 GMT
Version 1.3:
Workarounds:
No workarounds available
Cisco Bug IDs:
CVSS Score:
Base 7.8,
Temporal 7.4
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:U/RC:C
Click Icon to Copy Verbose Score
AV:N/AC:L/Au:N/C:C/I:N/A:N/E:F/RL:U/RC:C
-
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
-
Cisco IOS XR Software
All products running the following releases of Cisco IOS XR Software are affected by this vulnerability:
- Cisco IOS XR 4.3.x
- Cisco IOS XR 5.0.x
- Cisco IOS XR 5.1.x
- Cisco IOS XR 5.2.x
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
Customers can use this tool to perform the following tasks:
- Initiate a search by choosing one or more releases from a drop-down menu or uploading a file from a local system for the tool to parse
- Enter the output of the show version command for the tool to parse
- Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication
To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software or Cisco IOS XE Software release-for example, 15.1(4)M2 or 3.1.4S-in the following field:
Note: To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco will update the results of the investigation of affected releases of Cisco IOS and Cisco IOS XE Software and the results will be available through the Cisco IOS Software Checker, which identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed").
Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact of the vulnerability on each affected product. As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including any available workarounds and fixed software releases.Vulnerable Products
Cisco has determined that the following products are vulnerable when they are configured to use IKE version 1 (IKEv1):- All Cisco products running an affected release of Cisco IOS Software
- All Cisco products running an affected release of Cisco IOS XE Software
- All Cisco products running an affected release of Cisco IOS XR Software
- Cisco PIX firewalls
Note: Although only IKEv1 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when they are configured to use IKEv1 or IKEv2.The investigation is ongoing to determine if other Cisco products may be affected by this vulnerability. This section will be updated if additional products are found to be vulnerable.
Note: Cisco has investigated this issue and concluded that PIX versions 6.x and prior are affected by this vulnerability.
PIX versions 7.0 and later are confirmed to be unaffected by this vulnerability. Cisco PIX is not supported and has not been supported since 2009.
Configuring IKEv2 on Cisco IOS Software or Cisco IOS XE Software automatically enables IKEv1.
A number of features use IKEv1, including different VPNs such as:
Although IKEv1 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software when IKEv1 or IKE version 2 (IKEv2) is configured, the vulnerability can be triggered only by sending a crafted IKEv1 packet.
- LAN-to-LAN VPN
- Remote access VPN (excluding SSLVPN)
- Dynamic Multipoint VPN (DMVPN)
- Group Domain of Interpretation (GDOI)
There are two methods to determine if a device is configured for IKE:- Determine if IKE ports are open on a running device
- Determine if IKE features are included in the device configuration
Determine if IKE Ports are Open on a Running Device
The preferred method to determine if a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets.
In the following example, the device is processing IKE packets in UDP port 500 and UDP port 4500, using either IPv4 or IPv6:
router# show udp Proto Remote Port Local Port In Out Stat TTY OutputIF 17 --listen-- 192.168.130.21 500 0 0 1001011 0 17(v6) --listen-- UNKNOWN 500 0 0 1020011 0 17 --listen-- 192.168.130.21 4500 0 0 1001011 0 17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0 !--- Output truncated router#
Determine if IKE Features are Included in the Device Configuration
To determine if a Cisco IOS device configuration is vulnerable, the administrator needs to establish whether there is at least one configured feature that uses IKE. This can be achieved by using the show run | include crypto map|tunnel protection ipsec|crypto gdoi enable mode command. If the output of this command contains either crypto map, tunnel protection ipsec, or crypto gdoi, then the device contains an IKE configuration. The following example shows a device that has been configured for IKE:router# show run | include crypto map|tunnel protection ipsec|crypto gdoi crypto map CM 100 ipsec-isakmp crypto map CM router#
Note: Only Cisco products accepting IKEv1 SA negotiation requests are affected by this vulnerability. If the device initiates IKE main, aggressive, or quick modes security association (SA) establishment or is initiating a rekey for IKE and IPsec SAs, it cannot be exploited by this vulnerability. Cisco devices that only initiate IKEv1 SA negotiation are not affected by this vulnerability.
Note: Cisco Easy VPN (EzVPN) client configuration still listens for IKE request and can be exploited by processing such requests.
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the command-line interface (CLI), and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Mon 22-Jun-15 09:32 by prod_rel_team . . .For information about the naming and numbering conventions for Cisco IOS Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XE Software,Cisco IOS XE Software or similar text appears in the system banner.
The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.6.2S, which maps to Cisco IOS Software Release 15.2(2)S2:Router# show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre
Determining the Cisco IOS XR Software Release
To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the CLI. If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner. The location and name of the system image file that is currently running on the device appears next to the System image file is text. The name of the hardware product appears on the line after the name of the system image file.
The following example shows the output of the show version command on a device that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:
RP/0/RP0/CPU0:router# show version
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is "bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
Products Confirmed Not Vulnerable
Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliance are not affected by this vulnerability.
The investigation is ongoing to determine if other Cisco products may be affected by this vulnerability. This section will be updated as more details are learned.
No other products are currently known to be affected by this vulnerability at the time of this disclosure.
-
The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic attributes that will be used to encrypt or authenticate the communication session. These attributes include cryptographic algorithm, mode, and shared keys. The end result of IKE is a shared session secret that will be used to derive cryptographic keys.
Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software supports IKE for IPv4 and IPv6 communications. IKE communication can use any of the following UDP ports:
- UDP port 500
- UDP port 4500, NAT Traversal (NAT-T)
- UDP port 848, Group Domain of Interpretation (GDOI)
- UDP port 4848, GDOI NAT-T
An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports. This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic cannot trigger this vulnerability. IKEv2 is not affected.
Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.
-
Cisco IPS Signatures 7699-0 and Snort SIDs 40220(1), 40221(1), and 40222(1) can detect attempts to exploit this vulnerability.
-
There are no workarounds for this vulnerability.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.
-
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides a tool, the Cisco IOS Software Checker, that identifies any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”).
Customers can use this tool to perform the following tasks:
- Initiate a search by choosing one or more releases from a drop-down menu or uploading a file from a local system for the tool to parse
- Enter the output of the show version command for the tool to parse
- Create a custom search by including all previously published Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication
To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com or enter a Cisco IOS Software or Cisco IOS XE Software release-for example, 15.1(4)M2 or 3.1.4S-in the following field:
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized re-seller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
-
On August 15, 2016, Cisco was alerted to information posted online by the Shadow Brokers group, which claimed to possess disclosures from the Equation Group. The posted materials included exploits for firewall products from multiple vendors. Articles included information regarding the BENIGNCERTAIN exploit potentially being used to exploit legacy Cisco PIX firewalls.
Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENIGNCERTAIN.
Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms.
-
The exploit of this vulnerability was publicly disclosed by the alleged Shadow Brokers group for Cisco PIX.
Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENIGNCERTAIN.
The vulnerability on Cisco IOS, Cisco IOS XE, and Cisco IOS XR was found by an internal security testing team within Cisco.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.3 Updated the Affected Products and Vulnerable Products sections. Affected Products and Vulnerable Products Interim 2016-October-05 1.2 Updated the Affected Products section. Affected Products Interim 2016-September-20 1.1 Updated the Affected Products section. Affected Products Interim 2016-September-19 1.0 Initial public release. - Interim 2016-September-16
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.