Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Internet Key Exchange Protocol Version 1 Denial of Service Vulnerability

Cisco-SA-20060726-CVE-2006-3906 · Medium · Published · Updated

Multiple products contain a vulnerability in the implementation of the Internet Key Exchange (IKE) version 1 protocol. IKE is typically used for key exchange in IPSec, and IPSec is commonly used to encrypt data for VPN connections. The vulnerability affects IKE Phase 1 negotiations in both Main Mode and Aggressive Mode. It affects normal UDP-based IKE as well as Cisco-proprietary TCP-encapsulated IKE.

The vulnerability exists due to improper handling of an overly large number of IKE requests sent to a system. An affected device can only queue so many initial requests for IKE sessions before they fill the request queue. An attacker could exploit this vulnerability to exhaust the IKE resources by initiating numerous IKE sessions faster than the device expires them from its queue. This action results in a denial of service (DoS) condition because the device cannot process IKE requests until the attacker ceases sending the packets. This vulnerability has been confirmed, but updates are not available.

Since the error occurs prior to authentication, an attacker does not need valid credentials to exploit this vulnerability. Because the IKE packets used to exploit the vulnerability are valid, and the rate of packets necessary to perform the exploit is relatively low, IDS and IPS systems may not detect an attack. The attack does not require high bandwidth; this could allow an attacker to target multiple devices. However, by using increased bandwidth, it becomes easier for an IDS or IPS to detect the attack. Attackers may use source IP address spoofing over UDP to disguise the source of attacks and make it more difficult to block an attack while underway. Because this vulnerability largely affects VPN appliances open to the Internet, anyone with access to the IP address of a vulnerable system can stage the attack. An attacker could employ OS fingerprinting in conjunction with port scanning to discover vulnerable systems.

This vulnerability will likely affect a large range of products. Cisco IOS software, VPN 3000 Series concentrators, and PIX and ASA security appliances are vulnerable.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to contact their vendors regarding future updates or releases.

Administrators are advised to review their networks for potentially vulnerable appliances or systems.

Administrators are advised to contact their vendors regarding workarounds specific to their situations.

Administrators are advised to use ACLs to restrict IKE traffic to affected devices.

Administrators may wish to configure affected devices to use IKE protocol version 2 rather than version 1.

Administrators are advised to configure IPS or IDS systems to watch for a large number of IKE packets that might indicate that an attack is underway.
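One way to implement the IDS/IPS watch above without relying on packet rate (which the advisory notes can be low) is to count how many Phase 1 negotiations are currently half-open, keyed on the initiator cookie rather than the source address so that spoofed sources still add up against the one queue. The following is an added example, not code from Cisco or this advisory: it parses bare ISAKMP headers from inbound UDP payloads and alerts when pending initial requests approach the device's queue limit within its expiry window; the queue size (50), expiry (30 s), alert fraction (0.8) and the constructed header packets are assumptions for illustration.

```python
import struct
from collections import OrderedDict

# ISAKMP header: initiator SPI, responder SPI, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE_MODE, NO_COOKIE = 2, 4, bytes(8)

def parse_isakmp(data):
    """Return (initiator_spi, responder_spi, exchange_type) for an IKEv1 header, else None."""
    if len(data) < ISAKMP_HDR.size:
        return None
    ispi, rspi, _nxt, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if version >> 4 != 1 or length < ISAKMP_HDR.size:
        return None
    return ispi, rspi, exch

class HalfOpenTracker:
    """Counts Phase 1 negotiations a peer opened but never continued within `expiry` seconds.
    Keyed on the initiator cookie, so spoofed sources still count against the one queue."""
    def __init__(self, queue_size, expiry, alert_fraction=0.8):
        self.queue_size, self.expiry, self.alert_fraction = queue_size, expiry, alert_fraction
        self.pending = OrderedDict()  # initiator SPI -> time first seen, oldest first

    def observe(self, ts, payload):
        """Feed one inbound UDP payload; True when pending negotiations approach the queue limit."""
        self._expire(ts)
        hdr = parse_isakmp(payload)
        if hdr is None or hdr[2] not in (MAIN_MODE, AGGRESSIVE_MODE):
            return False
        ispi, rspi, _ = hdr
        if rspi == NO_COOKIE:
            self.pending.setdefault(ispi, ts)  # fresh initial request: occupies a queue slot
        else:
            self.pending.pop(ispi, None)  # initiator echoed the responder cookie: not stuck
        return len(self.pending) >= self.queue_size * self.alert_fraction

    def _expire(self, now):
        # The device drops stale requests after `expiry`; mirror that so a slow trickle never alerts.
        while self.pending and now - next(iter(self.pending.values())) > self.expiry:
            self.pending.popitem(last=False)

def initial_request(ispi, exch=MAIN_MODE, rspi=NO_COOKIE):
    """Constructed sample: a bare IKEv1 header with no payloads (assumed shape, not a real capture)."""
    return ISAKMP_HDR.pack(ispi, rspi, 1, 0x10, exch, 0, 0, ISAKMP_HDR.size)

def simulate(rate_per_sec, seconds, queue_size=50, expiry=30):
    """Feed `rate_per_sec` never-completed initial requests per second; return first alert time or None."""
    tracker = HalfOpenTracker(queue_size, expiry)
    for i in range(rate_per_sec * seconds):
        if tracker.observe(i / rate_per_sec, initial_request(i.to_bytes(8, "big"))):
            return i / rate_per_sec
    return None
```

With the assumed queue of 50 and 30 s expiry, two never-completed requests per second trips the alert after about 20 seconds, while one per second never does because the device expires them as fast as they arrive.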

Cisco IOS customers can mitigate this vulnerability by implementing the Call Admission Control for IKE feature.

Documentation from Cisco detailing mitigation strategies for individual products is available at the following link: http://www.cisco.com/en/US/tech/tk583/tk372/tsd_technology_security_response09186a00806f33d4.html

CVEs: CVE-2006-3906
Cisco Bug IDs: NA
CVSS Score: Base 2.3
Product Names From Source:
Cisco PIX Firewall Software, Cisco VPN Concentrator, Cisco Firewall Services Module (FWSM), Cisco MDS SAN-OS Software, Cisco PIX/ASA

Related Products

Product                                  CVE            Evidence
Cisco VPN Concentrator                   CVE-2006-3906  Cisco OpenVuln
Cisco PIX/ASA                            CVE-2006-3906  Cisco OpenVuln
Cisco PIX Firewall Software              CVE-2006-3906  Cisco OpenVuln
Cisco PIX Firewall                       CVE-2006-3906  Cisco OpenVuln
Cisco MDS SAN-OS Software                CVE-2006-3906  Cisco OpenVuln
Cisco IOS                                CVE-2006-3906  Cisco OpenVuln
Cisco Firewall Services Module (FWSM)    CVE-2006-3906  Cisco OpenVuln