Cisco IOS XE IKEv1 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service (DoS) vulnerability has been identified in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software. The vulnerability arises from improper validation of IKEv1 Phase 2 parameters before the IPsec security association (SA) creation request is handed to the hardware cryptographic accelerator. An authenticated, remote attacker who holds valid IKEv1 VPN credentials (that is, who can complete Phase 1 with the device) could exploit it by sending crafted IKEv1 messages to an affected device; a successful exploit causes the device to reload. Only devices that terminate IKEv1 are exposed; devices that use IKEv2 exclusively are not affected by this issue.

Impact

A successful exploit causes the affected device to reload unexpectedly. Every active connection and service on the device, including established IPsec tunnels and any traffic forwarded through them, is dropped until the reload completes.

Remediation

Cisco has released free software updates that address this vulnerability. Customers with service contracts should obtain the updates through their usual update channels. Customers without a service contract can request the upgrade from the Cisco Technical Assistance Center (TAC). This page does not list the affected or fixed release trains, so confirm the first fixed release for your platform against Cisco's advisory before scheduling the upgrade, and treat devices that still terminate IKEv1 as the priority.
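Because the vulnerability only matters on devices that still terminate IKEv1, the first practical step is an inventory: which running-configs still define ISAKMP (IKEv1) policies, and which have moved to IKEv2 or disabled ISAKMP outright. The following triage helper is an added example, not code from this page or from Cisco. It scans saved "show running-config" text for the usual IKEv1 and IKEv2 markers; the set of marker lines, the treatment of "no crypto isakmp enable" as disabling IKEv1, and the two sample configs are assumptions constructed for the example.

```python
"""Triage helper: flag Cisco IOS / IOS XE running-configs that still rely on
IKEv1 (ISAKMP), so devices exposed to an IKEv1 DoS can be prioritised for
upgrade. Added example; the marker heuristic below is an assumption of this
script, not a rule taken from the advisory."""
import re
from dataclasses import dataclass, field

# Global config statements that indicate IKEv1 (ISAKMP) is configured.
# Assumption: these prefixes are the usual markers of IKEv1 use.
IKEV1_MARKERS = (
    "crypto isakmp policy",
    "crypto isakmp key",
    "crypto isakmp profile",
    "crypto isakmp client configuration group",
)
# Global statements that indicate IKEv2 is configured.
IKEV2_MARKERS = (
    "crypto ikev2 proposal",
    "crypto ikev2 policy",
    "crypto ikev2 profile",
)
# "no crypto isakmp enable" turns ISAKMP off globally (assumption: we treat
# such a device as not exposed even if stale isakmp lines remain).
ISAKMP_DISABLED = re.compile(r"^\s*no crypto isakmp enable\s*$", re.MULTILINE)
HOSTNAME = re.compile(r"^\s*hostname\s+(\S+)", re.MULTILINE)


@dataclass
class Finding:
    hostname: str
    ikev1_lines: list = field(default_factory=list)
    ikev2_lines: list = field(default_factory=list)
    isakmp_disabled: bool = False

    @property
    def ikev1_exposed(self) -> bool:
        """True when IKEv1 is configured and not globally disabled."""
        return bool(self.ikev1_lines) and not self.isakmp_disabled


def triage(config: str) -> Finding:
    """Classify one running-config by the IKE versions it configures."""
    m = HOSTNAME.search(config)
    finding = Finding(hostname=m.group(1) if m else "unknown")
    finding.isakmp_disabled = bool(ISAKMP_DISABLED.search(config))
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith(IKEV1_MARKERS):
            finding.ikev1_lines.append(stripped)
        elif stripped.startswith(IKEV2_MARKERS):
            finding.ikev2_lines.append(stripped)
    return finding


def exposed_hosts(configs: list) -> list:
    """Return the sorted hostnames that still terminate IKEv1."""
    return sorted(f.hostname for f in map(triage, configs) if f.ikev1_exposed)


# Constructed sample configs (not real devices): one IKEv1 crypto-map VPN,
# one IKEv2-only device with ISAKMP explicitly disabled.
CONFIG_IKEV1 = """\
hostname edge-rtr-1
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key S3cret address 203.0.113.10
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 101
"""

CONFIG_IKEV2 = """\
hostname edge-rtr-2
no crypto isakmp enable
crypto ikev2 proposal P1
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL
 proposal P1
crypto ikev2 profile PROF
 match identity remote address 203.0.113.20 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
"""

if __name__ == "__main__":
    for cfg in (CONFIG_IKEV1, CONFIG_IKEV2):
        f = triage(cfg)
        print(f"{f.hostname}: ikev1_exposed={f.ikev1_exposed} "
              f"ikev1={len(f.ikev1_lines)} ikev2={len(f.ikev2_lines)} "
              f"isakmp_disabled={f.isakmp_disabled}")
    print("upgrade first:", exposed_hosts([CONFIG_IKEV1, CONFIG_IKEV2]))
```

Feed it the running-configs your backup tool already collects; the list it returns is the set of devices to upgrade (or move to IKEv2) first. The heuristic deliberately does not try to interpret crypto maps or tunnel profiles, so a device with an IKEv1 policy that is no longer referenced will still be flagged, which is the safe direction for triage.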

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (custom algorithm)

  Category        Score
  spread          8.1
  impact          2.5
  exploitability  4.9
  remediation     7.7
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.