Cisco IOS
cpe:2.3:h:cisco:ios:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Internet Key Exchange version 2 (IKEv2) feature of Cisco IOS Software, Cisco IOS XE Software, Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, and Cisco Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to trigger a memory leak, leading to a DoS condition on the affected device. The issue arises from improper parsing of IKEv2 packets. Exploitation involves sending crafted IKEv2 packets to the device. In the case of Cisco IOS and IOS XE Software, the attack could cause the device to reload, creating a DoS condition. For Cisco Secure Firewall ASA and FTD Software, the exploitation could partially exhaust system memory, causing instability such as the inability to establish new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the device.
Exploitation of this vulnerability causes a memory leak, leading to a denial-of-service condition on the affected device. In Cisco IOS and IOS XE Software, the vulnerability can cause the device to reload, disrupting services. In Cisco Secure Firewall ASA and FTD Software, the memory leak can destabilize the system, particularly by interfering with IKEv2 VPN session establishment.
Cisco has released software updates to address this vulnerability. Instructions for upgrading to the fixed software release can be found on the Cisco Security Advisory page for this vulnerability.