Related Vulnerabilities: CVE-2014-2108

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition. The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition. Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software devices when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet. Only IKEv2 packets can trigger this vulnerability. Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2 Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Source

Summary

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.

The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software devices when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet.

Only IKEv2 packets can trigger this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2

Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Affected Products

Vulnerable Products
Although only IKEv2 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when ISAKMP is enabled.

A device does not need to be configured with any IKEv2-specific features to be vulnerable.

A number of features use IKEv2, including different types of VPNs such as the following:

LAN-to-LAN VPN

Remote access VPN (excluding SSLVPN)

Dynamic Multipoint VPN (DMVPN)

FlexVPN

The preferred method to determine whether a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500 or UDP port 4500 open, it is processing IKE packets.

In the following example, the device is processing IKE packets in UDP port 500 and UDP port 4500, using either IP version 4 (IPv4) or IP version 6 (IPv6):

router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
!--- Output truncated
router#

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:

Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team

!--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable

Cisco IOS XR Software is not affected by this vulnerability.

Cisco ASA 5500 Series Adaptive Security Appliance is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details

The IKEv2 protocol is used in the IP Security (IPsec) protocol suite to negotiate cryptographic attributes that will be used to encrypt or authenticate the communication session. These attributes include cryptographic algorithm, mode, and shared keys. The result of IKE is a shared session secret that will be used to derive cryptographic keys.

Cisco IOS Software and Cisco IOS XE Software support IKEv2 for IPv4 and IPv6 communications. IKEv2 communication can use the following UDP ports:
- UDP port 500
- UDP port 4500, Network Address Translation (NAT) Traversal (NAT-T)
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.

The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.

Although IKEv2 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software when ISAKMP is enabled, the vulnerability can be triggered only by sending a malformed IKEv2 packet.

Only IKEv2 packets can trigger this vulnerability.

An exploit could cause Cisco IOS Software to reload, leading to a DoS condition.

An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports.

This vulnerability is documented in Cisco bug ID CSCui88426 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-2108

Workarounds

There are no workarounds to mitigate this vulnerability.

Fixed Software

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

In February 2014, Cisco announced details of an industry-wide issue with memory components manufactured by a single supplier between 2005 and 2010. Although the majority of Cisco products that use these components are experiencing field failure rates below expected levels, a device reload or power cycle could expose component failures. While there are no known security implications associated with this issue, a subset of the affected products may experience a memory component failure during the software upgrade process. Cisco recommends customers review the related information and product-specific field notices at www.cisco.com/go/memory before making upgrade decisions. Each Field Notice indicates whether the product could experience the memory component failure during a software upgrade.

Cisco IOS Software

The Cisco IOS Software Checker is the quickest method to determine exposure to vulnerabilities in Cisco IOS Software. The tool allows customers to quickly identify Cisco Security Advisories that impact specific Cisco IOS Software releases. Users can initiate a search by selecting releases from the drop-down menu or uploading a file from their local system. The tool is also capable of parsing show version command output. Results can be customized by searching against all previously published Cisco Security Advisories, a specific publication, or all the advisories in the March 2014 Bundled Publication.

Customers can also use the Cisco IOS Software tables below to determine their exposure. Each row corresponds to a Cisco IOS Software release; if a particular release is vulnerable, the earliest releases that contain the fix are listed in the second column. The third column lists the earliest possible releases that correct all vulnerabilities in this Cisco IOS Software Security Advisory bundled publication.

Expand to View Detailed Fixed Software Information

Major Release	Availability of Repaired Releases
Affected 12.0-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
There are no affected 12.0 based releases
Affected 12.2-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
12.2EX	Not vulnerable	Vulnerable; First fixed in Release 15.0SE
12.2EY	Not vulnerable	Releases prior to 12.2(58)EY are vulnerable; Releases 12.2(58)EY and later are not vulnerable. First fixed in Release 15.2S
12.2EZ	Not vulnerable	Releases prior to 12.2(60)EZ are vulnerable; Releases 12.2(60)EZ and later are not vulnerable. First fixed in Release 15.0SE
12.2IRB	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2IRC	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2IRD	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2IRE	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2IRF	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2IRG	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IRH	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IRI	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXG	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXH	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2MC	Not vulnerable	Vulnerable; First fixed in Release 15.1M
12.2MRA	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2MRB	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SB	Not vulnerable	Releases prior to 12.2(33)SB15 are vulnerable; Releases 12.2(33)SB15 and later are not vulnerable. First fixed in Release 12.2SRE
12.2SCA	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCB	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCC	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCD	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCE	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCF	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCG	Not vulnerable	Vulnerable; First fixed in Release 12.2SCH
12.2SCH	Not vulnerable	12.2(33)SCH2
12.2SE	Not vulnerable	12.2(55)SE9; Available on 31-MAR-14
12.2SEG	Not vulnerable	Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 15.0SE
12.2SG	Not vulnerable	Releases prior to 12.2(40)SG are vulnerable; Releases 12.2(40)SG and later are not vulnerable.
12.2SGA	Not vulnerable	Not vulnerable
12.2SM	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SQ	Not vulnerable	Not vulnerable
12.2SRA	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2SRB	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2SRC	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2SRD	Not vulnerable	Vulnerable; First fixed in Release 12.2SRE
12.2SRE	Not vulnerable	12.2(33)SRE10
12.2STE	Not vulnerable	Not vulnerable
12.2SV	Not vulnerable	Releases prior to 12.2(29b)SV1 are vulnerable; Releases 12.2(29b)SV1 and later are not vulnerable. Migrate to any release in 12.2SVD
12.2SVD	Not vulnerable	Not vulnerable
12.2SVE	Not vulnerable	Not vulnerable
12.2SW	Not vulnerable	Vulnerable; First fixed in Release 15.1M
12.2SXF	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXH	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXI	Not vulnerable	Releases prior to 12.2(33)SXI13 are vulnerable; Releases 12.2(33)SXI13 and later are not vulnerable.
12.2SXJ	Not vulnerable	12.2(33)SXJ7
12.2SY	Not vulnerable	Vulnerable; First fixed in Release 15.0SY
12.2WO	Not vulnerable	Not vulnerable
12.2XNA	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XNB	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XNC	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XND	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XNE	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XNF	Please see Cisco IOS XE Software Availability	Please see Cisco IOS XE Software Availability
12.2XO	Not vulnerable	Not vulnerable
12.2ZYA	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
Affected 12.3-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
There are no affected 12.3 based releases
Affected 12.4-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
There are no affected 12.4 based releases
Affected 15.0-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
15.0EA	Not vulnerable	Not vulnerable
15.0EB	Not vulnerable	Not vulnerable
15.0EC	Not vulnerable	Not vulnerable
15.0ED	Vulnerable; First fixed in Release 15.2E	Vulnerable; First fixed in Release 15.2E
15.0EH	Vulnerable; First fixed in Release 15.2E	Vulnerable; First fixed in Release 15.2E
15.0EJ	15.0(2)EJ1	15.0(2)EJ1
15.0EK	Not vulnerable	Not vulnerable
15.0EX	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.0EY	Vulnerable; First fixed in Release 15.2E Releases up to and including 15.0(1)EY2 are not vulnerable.	Vulnerable; First fixed in Release 15.2E Releases up to and including 15.0(1)EY2 are not vulnerable.
15.0EZ	Vulnerable; First fixed in Release 15.0SE Releases up to and including 15.0(1)EZ3 are not vulnerable.	15.0(1)EZ2
15.0M	Not vulnerable	Vulnerable; First fixed in Release 15.1M
15.0MR	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.0S	Not vulnerable Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Vulnerable; First fixed in Release 15.2S Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.0SE	15.0(2)SE6; Available on 30-MAY-14 Releases up to and including 15.0(1)SE3 are not vulnerable.	15.0(2)SE6; Available on 30-MAY-14
15.0SG	Not vulnerable Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Not vulnerable Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.0SQA	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.0SQB	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.0SY	Not vulnerable	15.0(1)SY6
15.0XA	Not vulnerable	Vulnerable; First fixed in Release 15.1M
15.0XO	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
Affected 15.1-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
15.1EY	Not vulnerable	Vulnerable; First fixed in Release 15.2S
15.1GC	Vulnerable; First fixed in Release 15.1M	Vulnerable; First fixed in Release 15.1M
15.1M	15.1(4)M8; Available on 26-MAR-14	15.1(4)M8; Available on 26-MAR-14
15.1MR	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.1MRA	15.1(3)MRA3	15.1(3)MRA3
15.1S	Vulnerable; First fixed in Release 15.2S Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	Vulnerable; First fixed in Release 15.2S Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.1SG	15.1(2)SG4; Available on 04-JUN-14 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	15.1(2)SG4; Available on 04-JUN-14 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.1SNG	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.1SNH	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.1SNI	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.1SY	15.1(1)SY3; Available on 28-MAR-14 15.1(2)SY2	15.1(1)SY3; Available on 28-MAR-14 15.1(2)SY2
15.1T	Vulnerable; First fixed in Release 15.1M	Vulnerable; First fixed in Release 15.1M
15.1XO	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
Affected 15.2-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
15.2E	15.2(1)E2	15.2(1)E2
15.2EX	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2EY	Vulnerable; First fixed in Release 15.2E	Vulnerable; First fixed in Release 15.2E
15.2GC	15.2(4)GC1	15.2(4)GC1
15.2JA	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2JAX	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2JB	Not vulnerable	15.2(4)JB3s 15.2(4)JB4
15.2JBX	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2JN	Not vulnerable	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2M	15.2(4)M6; Available on 26-MAR-14	15.2(4)M6; Available on 26-MAR-14
15.2S	15.2(2)S0a 15.2(4)S5 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	15.2(4)S5 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.2SA	Not vulnerable	Not vulnerable
15.2SNG	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2SNH	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
15.2SNI	Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.	Vulnerable; First fixed in Release 15.3S
15.2T	Vulnerable; First fixed in Release 15.2M	Vulnerable; First fixed in Release 15.2M
Affected 15.3-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
15.3M	15.3(3)M1	15.3(3)M2
15.3S	15.3(3)S1 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability	15.3(3)S2 Cisco IOS XE devices: Please see Cisco IOS XE Software Availability
15.3T	15.3(1)T4; Available on 30-MAY-14 15.3(2)T2	15.3(2)T3
Affected 15.4-Based Releases	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Bundled Publication
There are no affected 15.4 based releases

Cisco IOS XE Software

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XE Software Release	First Fixed Release	First Fixed Release for All Advisories in the March 2014 Cisco IOS Software Security Advisory Bundled Publication
2.1.x	Not vulnerable	Not vulnerable
2.2.x	Not vulnerable	Not vulnerable
2.3.x	Not vulnerable	Not vulnerable
2.4.x	Not vulnerable	Not vulnerable
2.5.x	Not vulnerable	Not vulnerable
2.6.x	Not vulnerable	Not vulnerable
3.1.xS	Not vulnerable	Not vulnerable
3.1.xSG	Not vulnerable	Not vulnerable
3.2.xS	Vulnerable; migrate to 3.7.5S or later.	Vulnerable; migrate to 3.7.5S or later.
3.2xSE	Not vulnerable	Not vulnerable
3.2.xSG	Not vulnerable	Not vulnerable
3.2.xXO	Not vulnerable	Not vulnerable
3.2.xSQ	Not vulnerable	Not vulnerable
3.3.xS	Vulnerable; migrate to 3.7.5S or later.	Vulnerable; migrate to 3.7.5S or later.
3.3.xSE	Not vulnerable	Not vulnerable.
3.3.xSG	Vulnerable; migrate to 3.5.2E.	Vulnerable; migrate to 3.5.2E.
3.3.xXO	Vulnerable; migrate to 3.6.0E (available May 2014).	Vulnerable; migrate to 3.6.0E (available May 2014).
3.3.xSQ	Not vulnerable	Not vulnerable
3.4.xS	Vulnerable; migrate to 3.7.5S or later.	Vulnerable; migrate to 3.7.5S or later.
3.4.xSG	Vulnerable; migrate to 3.5.2E.	Vulnerable; migrate to 3.5.2E.
3.5.xS	Vulnerable; migrate to 3.5.2E.	Vulnerable; migrate to 3.5.2E.
3.5.xE	3.5.2E	3.5.2E
3.6.xS	Vulnerable; migrate to 3.7.5S or later.	Vulnerable; migrate to 3.7.5S or later.
3.6.xE	Not vulnerable.	3.6.0E (available May 2014)
3.7.xS	3.7.5S	3.7.5S
3.8.xS	Vulnerable; migrate to 3.10.1S or later.	Vulnerable; migrate to 3.10.2S or later.
3.9.xS	Vulnerable; migrate to 3.10.1S or later.	Vulnerable; migrate to 3.10.2S or later.
3.10.xS	3.10.1S	3.10.2S
3.11.xS	Not vulnerable	Not vulnerable

Cisco IOS XR Software

Cisco IOS XR Software is not affected by the vulnerability that is disclosed in this document.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was discovered by Cisco during internal security testing.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Revision History

Revision 1.0 2014-March-26 Initial public release.

Show Less

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.

Feedback

Leave additional feedback

Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability

Summary

Affected Products

Vulnerable Products

Products Confirmed Not Vulnerable

Details

Workarounds

Fixed Software

Cisco IOS Software

Cisco IOS XE Software

Cisco IOS XR Software

Exploitation and Public Announcements

Cisco Security Vulnerability Policy

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

Legal Disclaimer

Feedback

Vulmon Search

About

Products

Connect