Cisco advisory CISCO-SA-20060726-CVE-2006-3906
Internet Key Exchange Protocol Version 1 Denial of Service Vulnerability

Published: Jul 26, 2006, 22:36
Source: tools.cisco.com

CVSS v2 score: 5.0 (Medium)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.059 (Low), percentile 93.4%

Multiple products contain a vulnerability in the implementation of the Internet Key Exchange (IKE) version 1 protocol. IKE is typically used for key exchange in IPSec, and IPSec is commonly used to encrypt data for VPN connections.

The vulnerability affects IKE Phase 1 negotiations in both Main Mode and Aggressive Mode, over normal UDP-based IKE as well as Cisco-proprietary TCP-encapsulated IKE. It is caused by improper handling of a large number of IKE requests sent to a system: an affected device can queue only a limited number of initial (half-open) IKE negotiations before the request queue is full. An attacker can exhaust IKE resources by initiating new IKE sessions faster than the device expires stale entries from that queue. The result is a denial of service (DoS) condition: the device cannot process legitimate IKE requests until the attacker stops sending packets.

This vulnerability has been confirmed, but at the time of this advisory no updates are available.

Because the failure occurs before authentication, an attacker needs no valid credentials to exploit this vulnerability. The IKE packets used are well-formed, and the packet rate required is relatively low, so signature-based IDS and IPS systems may not detect an attack. The attack does not require high bandwidth, which allows a single attacker to target multiple devices; raising the packet rate makes the attack easier for an IDS or IPS to detect. Over UDP, attackers can spoof source IP addresses to disguise the origin of the attack and make it harder to block while it is underway (the TCP-encapsulated variant requires a completed TCP handshake, so blind source spoofing is impractical there).
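The two paragraphs above describe a half-open queue that fills when Phase 1 initiations arrive faster than the device expires them, and note that per-packet signatures will not catch it because every packet is valid. The following is an added example (not Cisco's code and not part of the advisory) of a rate-based detector that parses the fixed 28-byte ISAKMP header (RFC 2408), keeps only first messages of Main Mode or Aggressive Mode exchanges (responder cookie still zero), and tracks the sustained initiation rate per destination rather than per source, since spoofed sources defeat per-source thresholds. The queue capacity (500) and expiry time (60 s) are hypothetical device parameters, and all traffic is constructed in-line.

```python
"""Rate-based detection of IKEv1 Phase 1 initiation floods (added example)."""
import struct
from collections import defaultdict, deque

# ISAKMP header (RFC 2408): initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length; network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCH_IDENTITY_PROTECTION = 2   # Main Mode
EXCH_AGGRESSIVE = 4
FLAG_ENCRYPTION = 0x01
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp_header(payload):
    """Return the header fields as a dict, or None if not a plausible ISAKMP v1 header."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:                      # major version 1 only; IKEv2 uses 2
        return None
    if length < ISAKMP_HDR.size or length > len(payload):
        return None
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "exch": exch, "flags": flags, "msg_id": msg_id, "length": length}


def is_phase1_initiation(hdr):
    """First message of Main or Aggressive Mode: responder cookie and message ID zero, unencrypted."""
    return (hdr["exch"] in (EXCH_IDENTITY_PROTECTION, EXCH_AGGRESSIVE)
            and hdr["rcookie"] == ZERO_COOKIE
            and hdr["msg_id"] == 0
            and not hdr["flags"] & FLAG_ENCRYPTION)


class HalfOpenMonitor:
    """Sliding-window count of Phase 1 initiations per destination.

    A responder holding queue_capacity half-open negotiations that each expire after
    expiry_seconds can absorb at most queue_capacity / expiry_seconds new initiations
    per second on average; a sustained rate above that fills the queue, however many
    (possibly spoofed) sources the packets claim to come from."""

    def __init__(self, queue_capacity, expiry_seconds):
        self.window = float(expiry_seconds)
        self.threshold_rate = queue_capacity / float(expiry_seconds)
        self.events = defaultdict(deque)       # dst -> deque of (ts, src, size)

    def observe(self, ts, src, dst, payload):
        """Feed one datagram to the monitor; True if counted as a Phase 1 initiation."""
        hdr = parse_isakmp_header(payload)
        if hdr is None or not is_phase1_initiation(hdr):
            return False
        q = self.events[dst]
        q.append((ts, src, len(payload)))
        while q and ts - q[0][0] > self.window:  # drop events older than one expiry period
            q.popleft()
        return True

    def status(self, dst):
        q = self.events[dst]
        rate = len(q) / self.window
        return {"initiations": len(q),
                "unique_sources": len({src for _, src, _ in q}),
                "rate_per_s": rate,
                "bytes_per_s": sum(size for _, _, size in q) / self.window,
                "alert": rate > self.threshold_rate}


def build_ikev1_message(icookie, rcookie=ZERO_COOKIE, exch=EXCH_IDENTITY_PROTECTION,
                        flags=0, msg_id=0, version=0x10, body=b"\x00" * 150):
    """Constructed test datagram: a valid ISAKMP header followed by a dummy body."""
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 1, version, exch, flags, msg_id,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def legitimate_scenario():
    """Ten remote sites each start one tunnel over ten seconds (constructed traffic)."""
    mon = HalfOpenMonitor(queue_capacity=500, expiry_seconds=60)  # hypothetical limits
    for i in range(10):
        pkt = build_ikev1_message(icookie=struct.pack("!Q", 0x1000 + i))
        mon.observe(ts=float(i), src="198.51.100.%d" % (i + 1), dst="192.0.2.1", payload=pkt)
    return mon.status("192.0.2.1")


def flood_scenario():
    """Ten initiations per second for 60 s, each from a different spoofed source (constructed)."""
    mon = HalfOpenMonitor(queue_capacity=500, expiry_seconds=60)  # hypothetical limits
    for i in range(600):
        pkt = build_ikev1_message(icookie=struct.pack("!Q", 0xA0000000 + i),
                                  exch=EXCH_AGGRESSIVE)
        src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        mon.observe(ts=i * 0.1, src=src, dst="192.0.2.1", payload=pkt)
    return mon.status("192.0.2.1")


if __name__ == "__main__":
    print("legitimate:", legitimate_scenario())
    print("flood:     ", flood_scenario())
```

The flood scenario fires at roughly 1.8 KB/s of well-formed packets, which illustrates why a bandwidth or malformed-packet rule misses it: the useful signal is the count of distinct half-open initiations per responder within one expiry period. Replies and later exchange messages (non-zero responder cookie, Quick Mode, encrypted flag) are deliberately not counted, so normal tunnel traffic does not inflate the rate.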

Because this vulnerability largely affects VPN appliances exposed to the Internet, anyone who can reach the IP address of a vulnerable system can stage the attack. An attacker could combine port scanning (IKE normally listens on UDP port 500) with OS fingerprinting to discover vulnerable systems.

This vulnerability will likely affect a large range of products. Cisco IOS software, VPN 3000 Series concentrators, and PIX and ASA security appliances are vulnerable.
