-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Internet Key Exchange
Resource Exhaustion Vulnerability
Advisory ID: cisco-sa-20090923-ipsec
Revision 1.0
For Public Release 2009 September 23
+---------------------------------------------------------------------
Summary
======
Cisco IOS=AE devices that are configured for Internet Key Exchange
(IKE) protocol and certificate based authentication are vulnerable to
a resource exhaustion attack. Successful exploitation of this
vulnerability may result in the allocation of all available Phase 1
security associations (SA) and prevent the establishment of new IPsec
sessions.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
Note: The September 23, 2009, Cisco IOS Security Advisory bundled
publication includes eleven Security Advisories. Ten of the
advisories address vulnerabilities in Cisco IOS Software, and one
advisory addresses a vulnerability in Cisco Unified Communications
Manager. Each advisory lists the releases that correct the
vulnerability or vulnerabilities detailed in the advisory. The
following table lists releases that correct all Cisco IOS Software
vulnerabilities that have been published on September 23, 2009, or
earlier.
http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml
Individual publication links are in "Cisco Event Response: Semiannual
Cisco IOS Software Advisory Bundled Publication" at the following
link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html
Affected Products
================
Cisco IOS devices that are configured for IKE and certificate based
authentication are affected.
Vulnerable Products
+------------------
IKE is enabled by default if IPsec is used. Cisco IOS devices that
are configured for IKE will listen on UDP port 500, UDP port 4500 if
the device is configured for NAT Traversal (NAT-T), or UDP ports 848
or 4848 if the device is configured for Group Domain of
Interpretation (GDOI). The following outputs show a router that is
listening on UDP port 500:
Router#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
....
17 --listen-- 192.168.66.129 500 0 0 11 0
....
Or
Router-#show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.0.2.1 500 0 0 1011 0
17(v6) --listen-- --any-- 500 0 0 20011 0
Router#
IKE configurations that are performing certificate based
authentication will display "Rivest-Shamir-Adleman Signature" as the
authentication method in the output of the "show crypto isakmp policy"
command. This output is shown in the following example:
Router#show crypto isakmp policy
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the "show version" command or may provide
different output.
The following example identifies a Cisco 6500 Series device that is
running Cisco IOS Software release 12.2(18)SXF7 with an installed
image name of s72033_rp-IPSERVICESK9_WAN-M:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright =A9) 1986-2006 by cisco Systems, Inc.
Compiled Thu 23-Nov-06 06:42 by kellythw