SymptomsÂ
There is IKE v1 vulnerability found and it lists severity level high.
Based on Cisco documentation,
Cisco IOS Software, IOS-XE Software, and IOS-XR Software contains a vulnerability when processing a specially crafted IP version 4 (IPv4) or IP version 6 (IPv6) packet. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability could allow information disclosure, which enables an attacker to learn information about the affected device and network.
The attack vectors for exploitation are through IPv4 and IPv6 packets using the following protocols and ports:
- IKE using UDP port 500
- GDOI using UDP port 848
- IKE NAT-T using UDP port 4500
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-6415.
- GDOI NAT-T using UDP port 4848
Some Commands to verify ports:
show control-plane host open-ports | i 500
show control-plane host open-ports | i 4500
show control-plane host open-ports | i 848
show control-plane host open-ports | i 4848
sh ip sockets | i 500
sh ip sockets | i 4500
sh ip sockets | i 848
sh ip sockets | i 4848
show udp | i 500
show udp | i 4500
show udp | i 848
show udp | i 4848
router#show run | include crypto map|tunnel protection ipsec|crypto gdoi
router#show ip sock
router#show ip sockets | inc 500
 17    --listen--     12.8.12.222   500  0  0 1011  0
 17(v6)  --listen--     FE80::1      500  0  0 20011  0
 17    --listen--     12.8.12.222  4500  0  0 1011  0
 17(v6)  --listen--     FE80::1     4500  0  0 20011  0
Solution:
There are more details from Cisco Security Advisory, but basically there is no workaround for it.
"Workarounds
There are no workarounds for this vulnerability.Disable IKEv1 will limit the exposure. But if the vpn (ikev1) is mandatory service , adding an access control list on the Internet facing interfaces to block udp 4500 and 500 from all except selected trusted peers. This will lock your IKEv1 session down and not allow unsolicited IKEv1 packet.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems."
interface GigabitEthernet0/0
description Internet
ip address 35.11.11.11 255.255.255.248
ip access-group tACL-Policy in
ip accounting output-packets
ip access-list extended tACL-Policy permit udp host 16.16.13.14 host 35.11.11.11 eq isakmp permit udp host 16.16.13.14 host 35.11.11.11 eq 848 permit udp host 16.16.13.14 host 35.11.11.11 eq non500-isakmp permit udp host 16.16.13.14 host 35.11.11.11 eq 4848 deny udp any host 35.11.11.11 eq isakmp deny udp any host 35.11.11.11 eq 848 deny udp any host 35.11.11.11 eq non500-isakmp deny udp any host 35.11.11.11 eq 4848 permit ip any any
Verify:
We can use ike-scan to verify the configuration. here is the latest 1.9 download link
Source distribution:Â ike-scan-1.9.tar.gz
Windows binary:Â ike-scan-win32-1.9.zip
ike-scan is a command-line IPSec VPN Scanner & Testing Tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.
Before apply the access-list
C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 35.11.11.11 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e) Ending ike-scan 1.9: 1 hosts scanned in 0.052 seconds (19.23 hosts/sec). 0 returned handshake; 1 returned notifyC:\Tools\ike-scan-win32-1.9>
After apply the access-list
C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) Ending ike-scan 1.9: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify C:\Tools\ike-scan-win32-1.9>
Reference:
- IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products
- Ike-scan Frequently Asked Questions
No comments:
Post a Comment