Cisco has reported a high-priority security hole in its IOS software. CVE-2016-6415 is found in the IKEv1 (Internet Key Exchange version 1) packet processing code built into Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software. Some Cisco PIX firewalls are also reported as vulnerable to CVE-2016-6415.
Internet Key Exchange (IKE) is used to secure VPN (virtual private network) negotiation and remote host or network access. IKE is part of the Internet Protocol Security (IPsec) protocol suite. The vulnerability allows remote attackers to retrieve memory contents, which can lead to the leaking of confidential information.
Any device configured to accept IKEv1 security negotiation requests could be attacked when an attacker sends a crafted IKEv1 packet to it. The use of spoofed packets is limited because the attacker needs to either have or receive access to the primary response from the vulnerable device. The vulnerability can be exploited because of insufficient condition checks in the code that handles IKEv1 security negotiation requests. The CVE is exploitable over IPv4 or IPv6. IKEv2 is not affected.
The company announced that software updates that address this vulnerability would be released soon.
Affected Products by Vulnerability CVE-2016-6415
The vulnerability affects Cisco IOS XR Software 4.3.x to 5.2.x. Cisco IOS XR versions 5.3.x and newer are not affected by this vulnerability. The list also includes all versions of Cisco IOS XE Software. Cisco PIX firewalls are also reported as vulnerable to CVE-2016-6415. This includes PIX versions 6.x and prior.
Cisco's investigation of this case is ongoing, and the company will release any new information about the impact of this vulnerability. This may concern which products are affected and what the implications for each product are.
A variety of VPN applications use IKEv1. These include:
- LAN-to-LAN VPN
- Remote access VPN (excluding SSLVPN)
- Dynamic Multipoint VPN (DMVPN)
- Group Domain of Interpretation (GDOI)
The company published instructions on how to determine whether a device is configured for IKE.
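As an added example (not Cisco's tooling and not part of the original article), the Python below triages a device inventory against the version ranges listed above and flags a device only when it accepts IKEv1. The inventory fields, hostnames and status labels are assumptions; Cisco IOS is reported as "unknown" because the article names it as vulnerable without giving a version range.

```python
import re

def parse_version(text):
    """Return (major, minor) from strings like '5.1.3' or '6.3(5)', else None."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_status(platform, version):
    """Classify a platform/version pair using only the ranges in the article."""
    platform = platform.strip().upper()
    if platform == "IOS XE":
        return "affected"            # article: all IOS XE versions
    if platform == "IOS":
        return "unknown"             # named as vulnerable, no version range given
    if platform not in ("IOS XR", "PIX"):
        return "not listed"
    v = parse_version(version)
    if v is None:
        return "unknown"             # version string could not be parsed
    if platform == "IOS XR":
        if (4, 3) <= v <= (5, 2):
            return "affected"        # article: 4.3.x to 5.2.x
        return "not affected" if v >= (5, 3) else "unknown"  # below 4.3 not covered
    return "affected" if v[0] <= 6 else "unknown"            # PIX 6.x and prior

def triage(inventory):
    """Return (host, status) for IKEv1-enabled devices without a clean verdict."""
    hits = []
    for dev in inventory:
        status = version_status(dev["platform"], dev["version"])
        if dev["ikev1_enabled"] and status in ("affected", "unknown"):
            hits.append((dev["host"], status))
    return hits

# Constructed sample inventory; hostnames and field names are hypothetical.
SAMPLE = [
    {"host": "edge-xr-1", "platform": "IOS XR", "version": "5.1.3", "ikev1_enabled": True},
    {"host": "core-xr-2", "platform": "IOS XR", "version": "5.3.2", "ikev1_enabled": True},
    {"host": "branch-xe-1", "platform": "IOS XE", "version": "3.16.2S", "ikev1_enabled": True},
    {"host": "lab-xe-2", "platform": "IOS XE", "version": "3.13.0S", "ikev1_enabled": False},
    {"host": "old-pix-1", "platform": "PIX", "version": "6.3(5)", "ikev1_enabled": True},
    {"host": "old-xr-3", "platform": "IOS XR", "version": "4.2.1", "ikev1_enabled": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

Devices returned as "unknown" need checking against Cisco's advisory, since the article's ranges do not cover them.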