What is it?
Internet Key Exchange (IKE) is security protocol used by various Cisco brand devices, all Microsoft servers and some Linux/UNIX servers. IKE has two versions.
Devices use IKE to send each other keys that positively identify each party before they begin data transfer.
Internet Protocol Security (IPSec) uses IKE; IPSec is used to manage Virtual Private Network (VPN) services.
Vulnerabilities in IKE can facilitate a Man-In-The-Middle (MITM) attack, where an attacker intercepts communication between system A and system B, eavesdrops on (think banking information) or actively changes (think virus infection) the data before sending it on. MITM attackers can disguise themselves so that both parties are unaware they are being attacked.
Password Cracking is when an attacker uses a dictionary of likely passwords to figure out a system password, often by brute force.
Why is it a risk?
A bug in the code allows attackers to craft an IKEv1 request that will expose the contents of the server’s memory which might include confidential information.
If your server allows IKEv1 communication, then the attacker can force the communication to use that protocol and then take advantage of the bug.
If an attacker cracks your IPSec password they can set up a MITM attck on your VPN, eavesdropping on, and possibly changing, any traffic.
How can you mitigate the risk?
First, use the Cisco Software Checker (link below) to confirm that the installed version of your router software is affected; you will need to know your software version.
There are no workarounds for this vulnerability. Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Cisco customers with current service contracts may obtain updates that resolve this problem through their Cisco (re)seller. The vulnerability document linked below explains the procedure, including a procedure for customers without a service contract.
Use especially strong password for IPSec. Change them regularly.
Disable IKEv1.
Resources:
Cisco Software Checker
http://tools.cisco.com/security/center/selectIOSVersion.x
Cisco IKEv1 Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
