A Vulnerability in Multiple Cisco Products Could Allow for Information Disclosure

ITS Advisory Number: 2016-160
Date(s) Issued: Wednesday, September 21, 2016
Subject: A Vulnerability in Multiple Cisco Products Could Allow for Information Disclosure
Overview: 

A vulnerability has been discovered in the Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software. This vulnerability could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

Systems Affected: 
  • Cisco IOS XR 4.3.x
  • Cisco IOS XR 5.0.x
  • Cisco IOS XR 5.1.x
  • Cisco IOS XR 5.2.x
  • Cisco IOS XE 3.1S
  • Cisco IOS XE 3.2S
  • Cisco IOS XE 3.3S
  • Cisco IOS XE 3.3SG
  • Cisco IOS XE 3.3XO
  • Cisco IOS XE 3.4S
  • Cisco IOS XE 3.4SG
  • Cisco IOS XE 3.5E
  • Cisco IOS XE 3.5S
  • Cisco IOS XE 3.6E
  • Cisco IOS XE 3.6S
  • Cisco IOS XE 3.7E
  • Cisco IOS XE 3.7S
  • Cisco IOS XE 3.8E
  • Cisco IOS XE 3.8S
  • Cisco IOS XE 3.9E
  • Cisco IOS XE 3.9S
  • Cisco IOS XE 3.12S
  • Cisco IOS XE 3.13S
  • Cisco IOS XE 3.14S
  • Cisco IOS XE 3.15S
  • Cisco IOS XE 3.16S
  • Cisco IOS XE 3.17S
  • Cisco IOS XE 3.18S
  • Cisco IOS XE 16.1
  • Cisco IOS XE 16.2
  • Cisco IOS XE 16.3

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in the Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate the cryptographic attributes that will be used to encrypt or authenticate the communication session. These attributes include the cryptographic algorithm, mode, and shared keys. The end result of IKE is a shared session secret from which the cryptographic keys are derived. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Details are as follows:

Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software support IKE for IPv4 and IPv6 communications. IKE communication can use any of the following UDP ports:

  • UDP port 500
  • UDP port 4500, NAT Traversal (NAT-T)
  • UDP port 848, Group Domain of Interpretation (GDOI)
  • UDP port 4848, GDOI NAT-T

An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports. This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic cannot trigger this vulnerability. IKEv2 is not affected. Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.
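Because only IKEv1 traffic reaching a device configured for IKEv1 matters here, a defender triaging packet captures wants to know which datagrams on the four ports above are actually IKEv1 rather than IKEv2 or ESP-in-UDP. The following Python helper is an added example written for this advisory, not code from Cisco or from the advisory itself; it decodes the fixed 28-byte ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2) and honours the 4-byte all-zero non-ESP marker that NAT-T encapsulation (RFC 3948) places in front of IKE on ports 4500 and 4848. The sample datagrams are constructed for illustration, not captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# The four UDP ports listed in the advisory and the IKE role each carries.
IKE_PORTS = {500: "IKE", 4500: "IKE NAT-T", 848: "GDOI", 4848: "GDOI NAT-T"}

# Fixed 28-byte ISAKMP/IKE header: initiator cookie, responder cookie, next
# payload, version (major << 4 | minor), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


@dataclass
class IkeSummary:
    port_role: str              # which of the advisory's ports the datagram hit
    major: int                  # 1 = IKEv1 (affected), 2 = IKEv2 (not affected)
    minor: int
    exchange_type: int          # e.g. 2 = IKEv1 Identity Protection (main mode)
    has_responder_cookie: bool  # non-zero responder cookie: a response has already been seen


def parse_ike_datagram(dst_port: int, payload: bytes) -> Optional[IkeSummary]:
    """Summarise the IKE header of a UDP datagram, or return None if it is not IKE."""
    if dst_port not in IKE_PORTS:
        return None
    body = payload
    if dst_port in (4500, 4848):
        # NAT-T encapsulation: IKE is prefixed by a 4-byte all-zero non-ESP marker;
        # a datagram on these ports without it is ESP-in-UDP, not IKE.
        if len(body) < 4 or body[:4] != bytes(4):
            return None
        body = body[4:]
    if len(body) < ISAKMP_HDR.size:
        return None
    _icookie, rcookie, _next, version, exch, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(body)
    return IkeSummary(IKE_PORTS[dst_port], version >> 4, version & 0x0F, exch, rcookie != bytes(8))


def reaches_ikev1_processing(dst_port: int, payload: bytes) -> bool:
    """True only for the traffic the advisory scopes: IKEv1 on one of the IKE ports."""
    summary = parse_ike_datagram(dst_port, payload)
    return summary is not None and summary.major == 1


# Constructed sample datagrams (not captures): an IKEv1 main-mode message 1 with an
# empty responder cookie, and an IKEv2 IKE_SA_INIT request (version 2.0, exchange 34).
IKEV1_MM1 = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 28)
IKEV2_SA_INIT = ISAKMP_HDR.pack(b"\x22" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, 28)
```

Feeding each UDP payload from a capture through `reaches_ikev1_processing` with its destination port gives the subset of flows worth correlating with the IDS/IPS alerts listed under Actions.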

Actions: 
  • Currently there are no workarounds for this vulnerability.
  • Administrators are advised to monitor affected systems:
    • Implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
    • Cisco IPS Signature 7699-0 and Snort SIDs 40220(1), 40221(1), and 40222(1) can detect attempts to exploit this vulnerability.