Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
285
Views
0
Helpful
0
Replies

Cisco IOS Software Internet Key Exchange Vulnerability

Guillaume Grayo
Level 1
Level 1

‎11-18-2014 03:38 AM - edited ‎03-20-2019 08:22 PM

Hello,

 

I investigate on a potential vulnerability of IKE on my router, but I don't know if I'm impacted or not. My router is a cisco2621XM running in version 12.2(15)T13.

I flowing advisories Cisco IOS Internet Key Exchange Vulnerability on theses link :

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike#@ID

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike#@ID

And when I check the Software section in advisories, I saw that the version 12.2T is vulnerable and the First fixed is in Release 15.0M. So I have followed the part : vulnerable product of advisories, please fin below the result :

1 ) Determine if IKE Ports are Open on a Running Device ( If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets.)

Router#sh ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17    XX.XX.XX.XX    514  XX.XX.XX.XX    55668   0   0   20   0
 17    XX.XX.XX.XX    162  XX.XX.XX.XX    54161   0   0    0   0
 17   --listen--           XX.XX.XX.XX      123   0   0    1   0
 17    XX.XX.XX.XX  45391  XX.XX.XX.XX      161   0   0    1   0
 17   --listen--           XX.XX.XX.XX      162   0   0   11   0
 17   --listen--           XX.XX.XX.XX    53909   0   0   11   0
 17    XX.XX.XX.XX     49  XX.XX.XX.XX       49   0   0   21  66

So, UDP ports 500, 4500, 848, 4848 seems to be not opened.

 

2) Determine if IKE Features are included in the Device Configuration (this can be achieved by using the show run | include crypto map|tunnel protection ipsec|crypto gdoi)

Router#sh run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map FastEth0-1 130 ipsec-isakmp
crypto map FastEth0-1 135 ipsec-isakmp
crypto map FastEth0-1 136 ipsec-isakmp
crypto map FastEth0-1 140 ipsec-isakmp
 crypto map FastEth0-1
Router#

So, feature IKE are include in configuration of my device.

 

I don’t know what conclude because IKE ports are not open but we have the feature IKE include in the configuration of the router... Someone can say if in my case  we are affected or not by this vulnerability?

Thanks for your answer.

Best Regards,

 

Guillaume

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents