Cisco plugs another 'Shadow Brokers' hole

Key exchange 0-day exploited in the wild

NSA

Cisco's post-Shadow Brokers security review has uncovered an IKEv1 vulnerability that can leak memory contents of its (deprecated) PIX firewalls and various IOS environments.

Don't delay the patch, because the investigation found the bug was exploited in “some Cisco customers”.

It attributes the bug to “insufficient condition checks” during IKEv1 negotiation.

The advisory explains: “An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.”

IKE – Internet Key Exchange – is the part of IPSec that sets up a security association between two endpoints. Cisco uses it for LAN-to-LAN VPNs, non-SSL remote access VPNs, dynamic multipoint VPNs, or Group Domain of Interpretation (GDOI) key management defined in the Internet Engineering Task Force's https://tools.ietf.org/html/rfc6407 RFC 6407.

Any product running IOS XR 4.3.x, 5.0.x, 5.1.x or 5.2.x is vulnerable, along with 78 IOS variants and all versions of IOS XE.

Users are only at risk if their system is using IKE. If a system has UDP ports 500, 4500, 848, or 4848 open, it is processing IKE packets and needs a patch. ®


Biting the hand that feeds IT © 1998–2017