Cisco StarOS for ASR 5000 Series Routers IPsec VPN Tunnel Denial of Service Vulnerability
cisco-sa-20170621-asr · Medium · Published · Updated
A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an unauthenticated, remote attacker to terminate all active IPsec VPN tunnels and prevent new tunnels from establishing, resulting in a denial of service (DoS) condition. The vulnerability is due to improper processing of Internet Key Exchange (IKE) messages. An attacker could exploit this vulnerability by sending crafted IKE messages toward an affected router. An exploit could allow the attacker to cause the ipsecmgr service to reload. A reload of the ipsecmgr service could result in all IPsec VPN tunnels being terminated and prevent new tunnels from being established until the service has restarted, resulting in a DoS condition. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-asr