Although only IKEv2 packets can be used to trigger these vulnerabilities, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable whenever IKEv1 or ISAKMP is enabled. In other words, a device does not need an IKEv2-based VPN configured to be exposed; any configuration that causes the device to listen on the IKE ports is affected.
A number of features use IKEv2, including different types of VPNs such as the following:
- LAN-to-LAN VPN
- Remote access VPN (excluding SSLVPN)
- Dynamic Multipoint VPN (DMVPN)
- Group Encrypted Transport VPN (GETVPN)
The preferred method to determine whether a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500 or UDP port 4500 open, it is processing IKE packets.
In the following example, the device is processing IKE packets on UDP port 500 and UDP port 4500, using either IP version 4 (IPv4) or IP version 6 (IPv6):
router# show udp
Proto    Remote      Port      Local            Port  In Out  Stat    TTY OutputIF
 17       --listen--           192.168.130.21    500   0   0  1001011   0
 17(v6)   --listen--           UNKNOWN           500   0   0  1020011   0
 17       --listen--           192.168.130.21   4500   0   0  1001011   0
 17(v6)   --listen--           UNKNOWN          4500   0   0  1020011   0
!--- Output truncated
Cisco IOS Software will also process IKE packets on UDP port 848 (GDOI), using either IPv4 or IPv6, when the G-IKEv2 feature for GETVPN has been enabled; a listener on that port in the show udp output should therefore be treated the same way as one on port 500 or 4500.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software". The image name is displayed in parentheses, followed by the Cisco IOS Software release number and release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
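The two checks above (show udp for open IKE ports and show version for the running release) are easy to script when many devices have to be triaged. The following Python is an added example, not code from Cisco or from this advisory. It assumes the command output has already been captured (for instance over SSH) and is passed in as text; the sample outputs in the block are constructed from the examples on this page, plus one hypothetical GETVPN device with port 848 open, and the regular expressions match only the output layouts shown here.

```python
"""Triage helper: parse captured 'show udp' and 'show version' output and report
whether a Cisco IOS device is listening on the IKE ports.

Added example, not Cisco's code. Command output is assumed to have been captured
already; the samples below are constructed from the examples on this page plus
one hypothetical GETVPN device.
"""
import re
from dataclasses import dataclass

# UDP ports on which Cisco IOS processes IKE packets: 500/4500 whenever IKE is
# enabled, 848 only when G-IKEv2 for GETVPN is enabled.
IKE_PORTS = {500: "ISAKMP/IKE", 4500: "IKE NAT-T", 848: "GDOI / G-IKEv2"}

# Banner strings that identify Cisco IOS in 'show version'.
IOS_BANNER_MARKERS = ("Cisco Internetwork Operating System Software", "Cisco IOS Software")

# 'show udp' row layout: Proto Remote Port Local Port In Out Stat TTY OutputIF.
# A listening socket prints '--listen--' in the Remote column and no remote port.
UDP_LISTEN_ROW = re.compile(
    r"^\s*(?P<proto>17(?:\(v6\))?)\s+--listen--\s+(?P<local>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<in>\d+)\s+(?P<out>\d+)\s+(?P<stat>[0-9A-Fa-f]+)")

# '(IMAGE), Version X' as printed in the IOS system banner shown on this page.
IMAGE_VERSION = re.compile(r"\((?P<image>[^()\s]+)\),\s*Version\s+(?P<version>[^,\s]+)")


@dataclass(frozen=True)
class UdpListener:
    family: str      # "ipv4" or "ipv6"
    local_addr: str  # bound address, or UNKNOWN for an unbound IPv6 socket
    local_port: int


def parse_show_udp(text):
    """Return the listening UDP sockets found in 'show udp' output."""
    listeners = []
    for line in text.splitlines():
        m = UDP_LISTEN_ROW.match(line)
        if m:
            family = "ipv6" if "v6" in m.group("proto") else "ipv4"
            listeners.append(UdpListener(family, m.group("local"), int(m.group("lport"))))
    return listeners


def ike_listeners(listeners):
    """Map each open IKE port to the (family, address) pairs bound to it."""
    found = {}
    for sock in listeners:
        if sock.local_port in IKE_PORTS:
            found.setdefault(sock.local_port, []).append((sock.family, sock.local_addr))
    return found


def parse_show_version(text):
    """Return {'image': ..., 'version': ...} if the banner identifies Cisco IOS, else None."""
    if not any(marker in text for marker in IOS_BANNER_MARKERS):
        return None
    m = IMAGE_VERSION.search(text)
    return {"image": m.group("image"), "version": m.group("version")} if m else None


def assess(udp_text, version_text):
    """Combine both checks into one verdict for a device."""
    ike = ike_listeners(parse_show_udp(udp_text))
    ver = parse_show_version(version_text)
    return {
        "is_ios": ver is not None,
        "release": ver["version"] if ver else None,
        "image": ver["image"] if ver else None,
        "ike_ports": sorted(ike),
        "processing_ike": bool(ike),
    }


# Constructed from the 'show udp' example on this page.
SAMPLE_SHOW_UDP = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          192.168.130.21    500   0   0 1001011   0
 17(v6)   --listen--          UNKNOWN           500   0   0 1020011   0
 17       --listen--          192.168.130.21   4500   0   0 1001011   0
 17(v6)   --listen--          UNKNOWN          4500   0   0 1020011   0
"""

# Hypothetical device constructed to exercise the port 848 (GDOI) case: SNMP
# plus G-IKEv2 only, nothing on 500/4500.
SAMPLE_SHOW_UDP_GDOI = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          10.0.0.1          161   0   0 1001011   0
 17       --listen--          10.0.0.1          848   0   0 1001011   0
"""

# Constructed from the 'show version' example on this page.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team
"""

if __name__ == "__main__":
    for name, udp in (("page example", SAMPLE_SHOW_UDP), ("gdoi device", SAMPLE_SHOW_UDP_GDOI)):
        print(name, assess(udp, SAMPLE_SHOW_VERSION))
```

The parser keys on the "--listen--" marker rather than on column positions, so minor whitespace differences between platforms do not break it; anything that is not a listening UDP socket is ignored. A device reports as processing IKE if any of 500, 4500 or 848 is open, and the release string is only trusted when the banner carries one of the IOS marker strings, so NX-OS or IOS XR output yields no release rather than a wrong one.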
Cisco IOS-XR is not affected by these vulnerabilities.
Cisco NX-OS is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.