Determine if the Device is Running an Affected Version of Cisco IOS Software
This vulnerability affects the 15.1GC, 15.1T, and 15.1XB Cisco IOS Software release trains. No other Cisco IOS Software release trains are affected.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Determine if the Cisco IOS Software Version Supports IKEv2
Cisco IOS Software introduced support for IKEv2 in software version 15.1(1)T for select platforms. To determine if the device has an image that supports IKEv2, log in to the device and execute the command-line interface (CLI) command show subsys | include ikev2. If the output contains ikev2 Library, the device supports IKEv2. If the output does not contain ikev2 Library, the device does not support IKEv2. In the following example, the device supports IKEv2:
ISR2900#show subsys | include ikev2
ikev2 Library 1.000.001
ikev2_cli_registry Registry 1.000.001
In the following example, the device does not support IKEv2:
CISCO2821#show subsys | include ikev2
ikev2_cli_registry Registry 1.000.001
Determine if the Device is Configured for IKEv1
A number of features use IKEv1, including different types of Virtual Private Network (VPN) such as:
- Remote access VPN (excluding SSLVPN)
- Dynamic Multipoint VPN (DMVPN)
- Group Domain of Interpretation (GDOI)
There are two methods to determine if a device is configured for IKEv1:
- Determine if IKE ports are open on a running device
- Determine if IKEv1 features are included in the device configuration
Determine if IKE Ports are Open on a Running Device
The preferred method to determine if a device has been configured for IKE is to issue the show udp CLI command. If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets.
In the following example, the device is configured to process IKE packets on UDP port 500 and UDP port 4500, using either IPv4 or IPv6:
Proto   Remote      Port  Local          Port  In  Out  Stat     TTY  OutputIF
17      --listen--        --any--        1975  0   0    1000001  0
17      --listen--        192.168.100.1  500   0   0    1001011  0
17(v6)  --listen--        FD80::1        500   0   0    1020011  0
17      --listen--        192.168.100.1  4500  0   0    1001011  0
17(v6)  --listen--        FD80::1        4500  0   0    1020011  0
Determine if IKEv1 Features are Included in the Device Configuration
To determine if a Cisco IOS device configuration is vulnerable, the administrator needs to determine whether at least one configured feature uses IKE. This can be done with the show run | include crypto map|tunnel protection ipsec|crypto gdoi enable-mode command.
If the output of this command contains either tunnel protection ipsec or crypto gdoi, the device contains an IKE configuration. If the output of this command contains crypto map, check that the crypto map is configured as ipsec-isakmp.
The following example shows a device that has been configured for IKE:
router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map CM 100 ipsec-isakmp
crypto map CM
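The following script is an added example, not part of the advisory: it combines the three checks described above (release train from show version, the ikev2 Library line from show subsys, and IKE listening ports or IKEv1 configuration from show udp and show run) into one triage function. The sample command output is constructed for a hypothetical device, and the train-parsing regex is this example's own assumption about the "Version 15.1(2)T3" naming format.

```python
import re

AFFECTED_TRAINS = {"15.1GC", "15.1T", "15.1XB"}  # release trains listed in the advisory
IKE_UDP_PORTS = {500, 4500, 848, 4848}  # UDP ports named in the advisory

def ios_train(show_version):
    """Return the release train (e.g. '15.1T') parsed from 'show version', or None."""
    m = re.search(r"Version (\d+\.\d+)\(\d+\)([A-Z]+)\d*", show_version)
    return m.group(1) + m.group(2) if m else None

def supports_ikev2(show_subsys):
    """'show subsys | include ikev2' lists an 'ikev2 Library' line only on IKEv2 images."""
    return re.search(r"^ikev2\s+Library\b", show_subsys, re.MULTILINE) is not None

def ike_ports_open(show_udp):
    """Return the IKE-related UDP ports that 'show udp' reports in the listen state."""
    found = set()
    for line in show_udp.splitlines():
        f = line.split()  # e.g. 17 --listen-- 192.168.100.1 500 0 0 1001011 0
        if len(f) >= 4 and f[1] == "--listen--" and f[3].isdigit():
            port = int(f[3])  # fourth field is the local port
            if port in IKE_UDP_PORTS:
                found.add(port)
    return found

def ikev1_configured(show_run):
    """Apply the advisory's rule to the running config: 'tunnel protection ipsec' or
    'crypto gdoi' counts directly; a 'crypto map' counts only when it is ipsec-isakmp."""
    for line in show_run.splitlines():
        s = line.strip()
        if s.startswith(("tunnel protection ipsec", "crypto gdoi")):
            return True
        if s.startswith("crypto map") and "ipsec-isakmp" in s:
            return True
    return False

def is_affected(show_version, show_subsys, show_udp, show_run):
    """Affected train, no IKEv2 support, and IKE either listening or configured."""
    return (ios_train(show_version) in AFFECTED_TRAINS
            and not supports_ikev2(show_subsys)
            and (bool(ike_ports_open(show_udp)) or ikev1_configured(show_run)))

# Constructed sample output for a hypothetical device (not captured from real hardware).
SAMPLE_VERSION = "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(2)T3, RELEASE SOFTWARE (fc1)"
SAMPLE_SUBSYS = "ikev2_cli_registry Registry 1.000.001\n"
SAMPLE_UDP = ("Proto Remote Port Local Port In Out Stat TTY OutputIF\n"
              "17 --listen-- 192.168.100.1 500 0 0 1001011 0\n"
              "17(v6) --listen-- FD80::1 4500 0 0 1020011 0\n")
SAMPLE_RUN = "crypto map CM 100 ipsec-isakmp\ninterface Tunnel0\n tunnel protection ipsec profile P1\n"
print("affected:", is_affected(SAMPLE_VERSION, SAMPLE_SUBSYS, SAMPLE_UDP, SAMPLE_RUN))
```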
Cisco devices that are running an affected version of Cisco IOS Software that has support for IKEv2 are not affected, regardless of whether IKEv1 is configured.
The following products have support for both IKEv1 and IKEv2 and are confirmed not affected by this vulnerability:
- Cisco ASR 5000 Series Small Cell Gateway
- Cisco Access Service Network (ASN) Gateway
- Cisco ePDG (On ASR5000)
- The SAMI-based Wireless Security Gateway (WSG)
- Cisco NX-OS Software
- Cisco ASA Software
- Cisco AnyConnect
- Cisco CGR 1000 routers
No other Cisco products are currently known to be affected by this vulnerability.