Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerability
Description
Crafted SA-Init packets can exhaust the incoming negotiation limit of the IKEv2 implementation in Cisco IOS and IOS XE Software, leading to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A denial of service vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) implementation in Cisco IOS and IOS XE Software. The issue is due to incorrect handling of crafted IKEv2 SA-Init packets, which can cause the device to reach maximum incoming negotiation limits. An unauthenticated, remote attacker can prevent IKEv2 from establishing new security associations. Affected versions include various releases of Cisco IOS and IOS XE Software prior to the fixed versions indicated in the Cisco Security Advisory [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted IKEv2 SA-Init packets to the targeted device from an unauthenticated, remote network position. No prior authentication or special access is required. The attacker simply sends a sequence of specially crafted packets, which the device processes incorrectly, leading to exhaustion of the negotiation limit.
Impact
Successful exploitation results in a denial of service condition where the affected device is unable to establish new IKEv2 security associations. This can disrupt VPN services or other IKEv2-dependent communications, impacting availability. The confidentiality or integrity of existing associations is not directly affected, but the ability to create new encrypted tunnels is blocked until the device is recovered or the attack stops.
Mitigation
Cisco has released free software updates to address this vulnerability. Customers should upgrade to the fixed software versions indicated in the Cisco Security Advisory [1]. There are no workarounds available that mitigate this issue. The advisory provides detailed instructions for obtaining and installing the updates.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: n/a
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ikev2-9p23Jj2a (mitre, vendor-advisory, x_refsource_CISCO)