Cisco IKEv1 is still popular in VPN configuration. Most of my VPN configurations are based on IKEv1, although there is more demand for v2. I had a post, “Cisco Router IKE v2 Site to Site IPSec VPN Configuration”, to quickly show the difference between v1 and v2 and how to do the v2 configuration. Recently some vulnerability scanning tools raised a red flag on my IKEv1 configuration.

Symptoms

An IKEv1 vulnerability was found, and the scanner lists it with severity level High.

Based on Cisco documentation,

Cisco IOS Software, IOS-XE Software, and IOS-XR Software contain a vulnerability when processing a specially crafted IP version 4 (IPv4) or IP version 6 (IPv6) packet. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability could allow information disclosure, which enables an attacker to learn information about the affected device and network.
The attack vectors for exploitation are through IPv4 and IPv6 packets using the following protocols and ports:

  • IKE using UDP port 500
  • GDOI using UDP port 848
  • IKE NAT-T using UDP port 4500
  • GDOI NAT-T using UDP port 4848

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-6415.

Some commands to verify which of these ports the router is listening on:

show control-plane host open-ports | i 500
show control-plane host open-ports | i 4500
show control-plane host open-ports | i 848
show control-plane host open-ports | i 4848

sh ip sockets | i 500
sh ip sockets | i 4500
sh ip sockets | i 848
sh ip sockets | i 4848

show udp | i 500
show udp | i 4500
show udp | i 848
show udp | i 4848

router#show run | include crypto map|tunnel protection ipsec|crypto gdoi
router#show ip sock
router#show ip sockets | inc 500
 17       –listen–          12.8.12.222     500   0   0  1011   0
 17(v6)   –listen–          FE80::1           500   0   0 20011   0
 17       –listen–          12.8.12.222    4500   0   0  1011   0
 17(v6)   –listen–          FE80::1          4500   0   0 20011   0

Solution:

There are more details in the Cisco Security Advisory, but basically there is no workaround for it.

“Workarounds

There are no workarounds for this vulnerability.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.”

Disabling IKEv1 will limit the exposure. But if the IKEv1 VPN is a mandatory service, add an access control list on the Internet-facing interfaces to block UDP 500 and 4500 (and, as in the example below, the GDOI ports 848 and 4848) from everyone except selected trusted peers. This will lock your IKEv1 sessions down and not allow unsolicited IKEv1 packets. Note that the ACL is applied inbound on the Internet-facing interface and is evaluated first-match, so the permit entries for the trusted peers must come before the deny entries.


interface GigabitEthernet0/0
 description Internet
 ip address 35.11.11.11 255.255.255.248
 ip access-group tACL-Policy in
 ip accounting output-packets

ip access-list extended tACL-Policy
    permit udp host 16.16.13.14 host 35.11.11.11 eq isakmp
    permit udp host 16.16.13.14 host 35.11.11.11 eq 848
    permit udp host 16.16.13.14 host 35.11.11.11 eq non500-isakmp
    permit udp host 16.16.13.14 host 35.11.11.11 eq 4848
    deny udp any host 35.11.11.11 eq isakmp
    deny udp any host 35.11.11.11 eq 848
    deny udp any host 35.11.11.11 eq non500-isakmp
    deny udp any host 35.11.11.11 eq 4848
    permit ip any any
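
To check the tACL-Policy above before pushing it to a router, here is an added example (not from the original post or from Cisco) that parses the ACL text and evaluates sample packets with Cisco first-match semantics and the implicit deny at the end. It assumes the peer and router addresses used in the post; the untrusted source address is constructed for the test.

```python
"""Offline check of the post's tACL-Policy: parse the extended ACL text and
evaluate sample UDP/TCP packets with Cisco first-match ACL semantics."""
import re

# Cisco port keywords used in the ACL, mapped to UDP port numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
IKE_PORTS = (500, 848, 4500, 4848)  # IKE, GDOI, IKE NAT-T, GDOI NAT-T

ACL_TEXT = """\
ip access-list extended tACL-Policy
    permit udp host 16.16.13.14 host 35.11.11.11 eq isakmp
    permit udp host 16.16.13.14 host 35.11.11.11 eq 848
    permit udp host 16.16.13.14 host 35.11.11.11 eq non500-isakmp
    permit udp host 16.16.13.14 host 35.11.11.11 eq 4848
    deny udp any host 35.11.11.11 eq isakmp
    deny udp any host 35.11.11.11 eq 848
    deny udp any host 35.11.11.11 eq non500-isakmp
    deny udp any host 35.11.11.11 eq 4848
    permit ip any any
"""

# One ACE: action, protocol, source, destination, optional "eq <port>".
ACE_RE = re.compile(
    r"^(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\S+))?$")

def parse_acl(text):
    """Return the ACEs in configured order as (action, proto, src, dst, dport)."""
    aces = []
    for line in text.splitlines()[1:]:  # skip the 'ip access-list' header line
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        action, proto, src, dst, port = m.groups()
        dport = None if port is None else PORT_NAMES.get(port) or int(port)
        aces.append((action, proto, src, dst, dport))
    return aces

def _addr_match(spec, addr):
    return spec == "any" or spec.split()[1] == addr

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    for action, p, s, d, port in aces:
        if p in ("ip", proto) and _addr_match(s, src) and _addr_match(d, dst) \
                and (port is None or port == dport):
            return action
    return "deny"

def ike_exposure(aces, router, source="198.51.100.7"):
    """IKE/GDOI ports that the given source (constructed, untrusted) can still reach."""
    return [p for p in IKE_PORTS if evaluate(aces, "udp", source, router, p) == "permit"]
```

Reordering the entries so the deny lines come first makes evaluate() reject the trusted peer as well, which is the mistake the first-match rule above warns about.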
 
 

Verify:

We can use ike-scan to verify the configuration. Here are the download links for the latest version, 1.9:

Source distribution: ike-scan-1.9.tar.gz
Windows binary: ike-scan-win32-1.9.zip

ike-scan is a command-line IPSec VPN Scanner & Testing Tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

Before applying the access-list:

C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
35.11.11.11   Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e)

Ending ike-scan 1.9: 1 hosts scanned in 0.052 seconds (19.23 hosts/sec).  0 returned handshake; 1 returned notify

C:\Tools\ike-scan-win32-1.9>

After applying the access-list:

C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

C:\Tools\ike-scan-win32-1.9>

By Jon