Summary

• A malformed Internet Key Exchange (IKE) packet may cause the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router to reload. Only devices running Cisco IOS software with Crypto support are affected.

  This vulnerability is documented as Cisco bug ID CSCed30113. There are workarounds available to mitigate the effects of this vulnerability.

  Cisco has made free software available to address this vulnerability for all affected customers.

  The title of this advisory has been updated from "Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability" to the current title due to a change in the products affected no longer being limited to those devices with a VPN Services Module installed.

  This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040408-vpnsm.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  The vulnerability is only present if a Crypto feature set is being used. Customers can verify if they are running a Crypto feature set via the show version command:

       Router#show version
       Cisco Internetwork Operating System Software 
       IOS (tm) c6sup2_rp Software (c6sup2_rp-PK9S-M), Version 12.2(18)SXD3, RELEASE SOFTWARE (fc1)
       Technical Support: http://www.cisco.com/techsupport
       Copyright (c) 1986-2004 by cisco Systems, Inc.
       Compiled Thu 09-Dec-04 19:35 by pwade
       Image text-base: 0x4002100C, data-base: 0x422E8000

  Software that contains the 'K9' designation, as in the following line, includes the Crypto feature set:

  IOS (tm) c6sup2_rp Software (c6sup2_rp-PK9S-M), Version 12.2(18)SXD3, RELEASE SOFTWARE (fc1)

  All Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router hardware running the following Cisco IOS releases are affected by this vulnerability.

  Release Train	Affected Releases
  12.2SXA	earlier than 12.2(17b)SXA
  12.2SXB	earlier than 12.2(17d)SXB
  12.2SX	12.2(17a)SX through 12.2(17a)SX4
  12.2SY	earlier than 12.2(14)SY3

  Products Confirmed Not Vulnerable

  Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Internet Routers running Cisco IOS release train 12.1E are not affected by this vulnerability.

  To determine your software revision, type show version at the command line prompt.

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• A malformed IKE packet may cause an affected device to reload.

  This vulnerability could be used to conduct a Denial of Service (DoS) attack against a vulnerable device. This vulnerability is known to only exist in the modified IKE code which was incorporated in the 12.2SXA, 12.2SXB, 12.2SX and 12.2SY Cisco IOS software release trains.

  Cisco IOS devices with Crypto support will process IKE messages by default. More information can be found here: http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html

  The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.

  This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed30113 ( registered customers only) .

Workarounds

• The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

  Customers that do not require IPSec functionality on their devices can use the command 'no crypto isakmp enable' in configuration mode to disable processing of IPSec and eliminate their exposure.

  As a possible mitigation, access-lists could be applied on the affected IOS platforms to limit the source IP addresses permitted to establish IPSec sessions to the device.

Fixed Software

• This vulnerability has been fixed in the following Cisco IOS releases for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router hardware:

  Release Train	Fixed Releases
  12.2SXA	12.2(17b)SXA and later
  12.2SXB	12.2(17d)SXB and later
  12.2SX	Migrate to 12.2(17d)SXB or later
  12.2SY	12.2(14)SY3 and later

  Please refer to these documents for more information:

  • 12.2(17b)SXA Release Notes: http://www.cisco.com/en/US/prod/collateral/routers/ps368/prod_bulletin09186a00801df1dd_ps5014_Products_Bulletin.html
    
  • 12.2(17d)SXB Release Notes: http://www.cisco.com/en/US/products/ps6017/prod_bulletin09186a00802078b5.html
    
  • 12.2(14)SY3 Release Notes: http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_bulletin09186a008017dc51.html
    

  When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

  This vulnerability was reported to Cisco PSIRT by a customer.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040408-vpnsm

Revision History

• Revision 2.0	2005-March-30	Updated the advisory to reflect devices without the VPNSM may be affected. Added 12.2(17d)SX as an affected release train. Added information for determining the presence of the crypto feature set.
  Revision 1.2	2005-January-4	Updated the 12.2(14)SY03 Release Notes URL in the Software Fixes and Versions section.
  Revision 1.1	2004-April-8	Removed 12.2ZA as a vulnerable Cisco IOS software release train.
  Revision 1.0	2004-April-8	Initial public release.

  Show Less