Cisco Products IKEv2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software. It could allow an unauthenticated, remote attacker to cause a memory leak on an affected device; no credentials, VPN peer relationship, or established session are required. On Cisco IOS and IOS XE Software, the leak can make the device reload unexpectedly. On Cisco ASA and FTD Software, it can partially exhaust system memory and disrupt IKEv2 VPN sessions, and the device must be manually rebooted to recover.

Impact

Successful exploitation produces a memory leak that ends in a denial-of-service condition. On Cisco IOS and IOS XE Software the device reloads unexpectedly, dropping every active session, not only the VPN ones. On Cisco ASA and FTD Software the leaked memory accumulates until the system becomes unstable; IKEv2 VPN sessions are disrupted and cannot be re-established until an administrator reboots the device, so the outage persists after the attack traffic stops.

Remediation

Cisco has released software updates that address this vulnerability. Instructions for upgrading Cisco IOS, IOS XE, Secure Firewall ASA, and Secure FTD Software are available in the advisory. Customers with service contracts should obtain the updates through their usual channels; those without service contracts can contact the Cisco Technical Assistance Center (TAC) for assistance. Exposure is limited to devices that actually terminate IKEv2, which listens on UDP/500 and, for NAT traversal, UDP/4500, so start by inventorying those: on IOS and IOS XE, show udp lists the open UDP ports; on ASA and FTD, show running-config crypto ikev2 shows whether IKEv2 is enabled on any interface. Restricting UDP/500 and UDP/4500 at the network edge to known peers shrinks the unauthenticated attack surface while upgrades are scheduled, but it does not replace the fix.
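The following is an added example written for this page; it is not code from Cisco or from the advisory, and it assumes nothing about how the vulnerability itself is triggered. It only exercises the property that makes the attacker "unauthenticated, remote": IKEv2's first exchange, IKE_SA_INIT (RFC 7296), is processed before any peer authentication, so whoever can reach UDP/500 or UDP/4500 gets the responder to parse their datagram. The script encodes a payload-free IKE_SA_INIT request, optionally sends it with probe(), and decodes the reply with a length check on every field. A reply carrying the request's initiator SPI, the Response flag and the IKE_SA_INIT exchange type confirms an IKEv2 responder, even when the reply is only an error Notify. The host and port come from the command line; the function and constant names are this example's own.

```python
import os
import socket
import struct

# Fixed-size structures from RFC 7296 sections 3.1, 3.2 and 3.10.
IKE_HEADER = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, message ID, length
PAYLOAD_HEADER = struct.Struct("!BBH")      # next payload, critical bit + reserved, payload length
NOTIFY_FIXED = struct.Struct("!BBH")        # protocol ID, SPI size, notify message type

IKE_SA_INIT = 34          # exchange type of the first, unauthenticated request/response pair
IKE_VERSION_2_0 = 0x20    # major version 2, minor version 0
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
NO_NEXT_PAYLOAD = 0
PAYLOAD_NOTIFY = 41

NOTIFY_TYPES = {          # subset of Notify Message Types a responder may send in IKE_SA_INIT
    5: "INVALID_MAJOR_VERSION",
    7: "INVALID_SYNTAX",
    14: "NO_PROPOSAL_CHOSEN",
    17: "INVALID_KE_PAYLOAD",
    16390: "COOKIE",
}


def build_ike_message(spi_i, spi_r, flags, payloads=b"", first_payload=NO_NEXT_PAYLOAD,
                      exchange=IKE_SA_INIT, message_id=0):
    """Prepend an IKE header whose length field covers the whole datagram."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("SPIs must be 8 bytes")
    length = IKE_HEADER.size + len(payloads)
    return IKE_HEADER.pack(spi_i, spi_r, first_payload, IKE_VERSION_2_0,
                           exchange, flags, message_id, length) + payloads


def build_ike_sa_init_request(spi_i):
    """Bare IKE_SA_INIT request: SPIr is zero because no IKE SA exists yet. It carries no
    SA/KE/Nonce payloads, so it cannot start a negotiation; it only asks whether anyone answers."""
    return build_ike_message(spi_i, bytes(8), FLAG_INITIATOR)


def build_notify(notify_type, data=b"", next_payload=NO_NEXT_PAYLOAD):
    """Encode a Notify payload with protocol ID 0 and an empty SPI, as used in IKE_SA_INIT."""
    body = NOTIFY_FIXED.pack(0, 0, notify_type) + data
    return PAYLOAD_HEADER.pack(next_payload, 0, PAYLOAD_HEADER.size + len(body)) + body


def parse_ike_message(data):
    """Decode the IKE header and walk the payload chain. Every length field is checked
    against the bytes actually present, so a truncated or lying packet raises ValueError."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("shorter than an IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = IKE_HEADER.unpack_from(data)
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(data):
        raise ValueError("header length %d != datagram length %d" % (length, len(data)))
    msg = {"spi_i": spi_i, "spi_r": spi_r, "exchange": exchange, "flags": flags,
           "message_id": msg_id, "payloads": [], "notifies": []}
    offset = IKE_HEADER.size
    while next_payload != NO_NEXT_PAYLOAD:
        if offset + PAYLOAD_HEADER.size > len(data):
            raise ValueError("payload header runs past end of message")
        nxt, _, plen = PAYLOAD_HEADER.unpack_from(data, offset)
        if plen < PAYLOAD_HEADER.size or offset + plen > len(data):
            raise ValueError("payload length %d invalid at offset %d" % (plen, offset))
        body = data[offset + PAYLOAD_HEADER.size:offset + plen]
        msg["payloads"].append(next_payload)
        if next_payload == PAYLOAD_NOTIFY and len(body) >= NOTIFY_FIXED.size:
            _, _, ntype = NOTIFY_FIXED.unpack_from(body)
            msg["notifies"].append(NOTIFY_TYPES.get(ntype, str(ntype)))
        offset += plen
        next_payload = nxt
    return msg


def classify_reply(request_spi_i, reply):
    """A datagram echoing our SPIi with the Response flag and the IKE_SA_INIT exchange type
    proves an IKEv2 responder is listening, whatever it says. No reply is inconclusive."""
    if reply is None:
        return "no reply (inconclusive: filtered, or responder ignores requests without a proposal)"
    msg = parse_ike_message(reply)
    if (msg["spi_i"] != request_spi_i or not (msg["flags"] & FLAG_RESPONSE)
            or msg["exchange"] != IKE_SA_INIT):
        return "unexpected datagram, not an IKE_SA_INIT response"
    return "IKEv2 responder present; notifies: " + (", ".join(msg["notifies"]) or "none")


def probe(host, port=500, timeout=2.0):
    """Send one IKE_SA_INIT request over UDP and classify the reply (needs network access)."""
    spi_i = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ike_sa_init_request(spi_i), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(spi_i, reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 500))
```

Run it only against devices you are authorized to assess; a single empty request is harmless, but silence proves nothing, since many responders drop an IKE_SA_INIT that carries no proposal, so treat "no reply" as a prompt to check the device configuration rather than as proof that IKEv2 is off. The strict length validation in parse_ike_message is the same discipline a responder needs on its own parsing path, which is exactly where pre-authentication bugs of this kind live.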

Added: Aug 14, 2025, 6:15 PM
Updated: Aug 14, 2025, 6:15 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 7.8
remediation: 8.3
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.