ISAKMP Scanning and Potential Vulnerabilities

Introduction

As many of you are aware, we scan the Internet on a daily basis for many different protocols.  We have added several new ones over time mostly depending on our own time available to engineer a scan for that protocol.  Occasionally, we add one that is more topical and addresses a recent vulnerability or issue that needs to be focused on sooner rather than later.  ISAKMP falls into that category.

The Vulnerability

To quote Cisco’s PSIRT:

“A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.”

Cisco’s statement may be seen in it’s entirety here:  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1

The Scan is Running Hot and Heavy

We normally tune our scans as tightly as possible to limit the impact on the end users as well as trying to be nice to the general network traffic.  In this case we are not as tuned as we would like to be since we are having to do a full IKE negotiation making our packets almost 2600 bytes in size, at least in the first sets of tests.  With a huge amount of assistance from Cisco we were able to reduce the packet size down to 64 bytes.  Hurray for smart people who actually know the protocol.  So, we’ll be lumbering it out as slowly as possible while still collecting the information so that it can be reported to our customers.  As always you can sign up here for reports if you are not already getting them from us.

You can see the results here for the first day’s worth of scanning.  For more up to date visit the scan stats page.

isakmp_world_current

isakmp_north_america_current

 

isakmp_europe_current

The Limited Happy Ending

If you are effected by this vulnerability then please reach out to Cisco for assistance.  This current issue seems to be limited to Cisco at this time and in the scan results we have not seen any other vendor show up, but it is not a conclusive test.  So if you get our reports and the reported system is not Cisco, please let us know.  As always we will continue to monitor the results and will even make the stats available for public views.

References