Vulnerable Products:
This vulnerability affects the following Cisco products if they have the IKEv2 VPN feature, including G-IKEv2, enabled:
Cisco IOS Software
Cisco IOS XE Software
Cisco Secure Firewall ASA Software
Cisco Secure FTD Software

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the IKEv2 Configuration on a Device That Is Running Cisco IOS Software or IOS XE Software

To determine whether IKEv1 or IKEv2 is enabled on a device that is running Cisco IOS Software or IOS XE Software and, subsequently, whether IKEv2 is actively being used by the device, use the following two-step method.
Step 1. Determine Whether IKE (v1 or v2) Is Enabled
To determine whether IKE processing is enabled on a device, use the show ip socket | include 500 or show udp | include 500 EXEC command in the CLI. If UDP port 500 or 4500 is open on a device, the device is processing IKE packets.
Note: If IKEv1 or IKEv2 is enabled, UDP port 500, 4500, or both will be open because both of the protocols use these ports.
The following example shows the output of the show udp | include 500 command on a device that is processing IKE packets on UDP ports 500 and 4500, which are listening on either IPv4 or IPv6:
Router#show udp | include 500
17       --listen--          192.168.1.10     500   0   0  2001011   0
17(v6)   --listen--          --any--          500   0   0  2020011   0
17       --listen--          192.168.1.10    4500   0   0  2001011   0
17(v6)   --listen--          --any--         4500   0   0  2020011   0

If this command returns empty output, the device is not affected by this vulnerability. If the command returns output, confirm that the port column actually shows 500 or 4500 (the include filter is a substring match, so a line for another port whose number contains "500" would also be printed) and then proceed to Step 2.
Step 2. Determine Whether IKEv2 Is Being Used
To determine whether IKEv2 is actively being used by the device, use the show crypto map EXEC command in the device CLI. If a crypto map has an IKEv2 Profile associated with it, it uses...
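The two-step check above, as an added triage script that is not part of the Cisco advisory: it takes pasted output of show udp | include 500 (Step 1) and show crypto map (Step 2) and reports whether an IKE listener is present and which crypto map entries reference an IKEv2 profile. The show udp column layout is taken from the advisory's sample. The "IKEv2 Profile: <name>" line format under a "Crypto Map ... " entry heading, the map name VPNMAP, the profile name IKEV2-PROF, the peer addresses, and the extra port-5000 line are assumptions and constructed sample data, not output from a real device.

```python
"""Triage helper for the two-step IKEv2 check on Cisco IOS / IOS XE.

Added example, not Cisco code. Parses pasted CLI output offline.
"""
import re

# Step 1: a listener line of "show udp". Column layout follows the advisory's
# sample: Proto  Remote  Local  Port  In  Out  Stat  TTY  (IPv6 rows use "17(v6)").
LISTEN_RE = re.compile(
    r"^\s*17(?:\(v6\))?\s+--listen--\s+(?P<local>\S+)\s+(?P<port>\d+)(?:\s|$)"
)
IKE_PORTS = {500, 4500}

# Step 2: crypto map entry heading and the IKEv2 profile line beneath it.
# Assumed formats (not taken from the advisory):
#   Crypto Map IPv4 "NAME" 10 ipsec-isakmp
#           IKEv2 Profile: PROFILE-NAME
MAP_HEAD_RE = re.compile(r'^Crypto Map (?:IPv4 |IPv6 )?"(?P<name>[^"]+)"\s+(?P<seq>\d+)')
IKEV2_PROF_RE = re.compile(r"^\s*IKEv2 Profile:\s*(?P<profile>\S+)")


def ike_listeners(show_udp: str):
    """Return (local_address, port) for every UDP listener on 500 or 4500.

    Checks the port column rather than trusting the '| include 500' filter,
    so a listener on e.g. UDP 5000 (whose number contains "500") is ignored.
    """
    found = []
    for line in show_udp.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) in IKE_PORTS:
            found.append((m.group("local"), int(m.group("port"))))
    return found


def ike_enabled(show_udp: str) -> bool:
    """Step 1 result: True if IKE (v1 or v2) is listening on UDP 500/4500."""
    return bool(ike_listeners(show_udp))


def ikev2_profiles(show_crypto_map: str):
    """Step 2 result: [(map_entry, profile)] for entries bound to an IKEv2 profile."""
    entries, current = [], None
    for line in show_crypto_map.splitlines():
        head = MAP_HEAD_RE.match(line)
        if head:
            current = f'{head.group("name")} {head.group("seq")}'
            continue
        prof = IKEV2_PROF_RE.match(line)
        if prof and current:
            entries.append((current, prof.group("profile")))
    return entries


def assess(show_udp: str, show_crypto_map: str) -> str:
    """Combine both steps into one verdict string."""
    if not ike_enabled(show_udp):
        return "not affected: no IKE listener on UDP 500/4500"
    profs = ikev2_profiles(show_crypto_map)
    if profs:
        used = ", ".join(f"{entry} -> {profile}" for entry, profile in profs)
        return f"IKE listener present; crypto map entries using an IKEv2 profile: {used}"
    return ("IKE listener present; no crypto map entry references an IKEv2 profile "
            "(review other IKEv2 configuration before concluding)")


# Constructed sample input: the advisory's four listener lines plus one
# hypothetical UDP 5000 listener that '| include 500' would also print.
SAMPLE_SHOW_UDP = """\
Router#show udp | include 500
17       --listen--          192.168.1.10     500   0   0  2001011   0
17(v6)   --listen--          --any--          500   0   0  2020011   0
17       --listen--          192.168.1.10    4500   0   0  2001011   0
17(v6)   --listen--          --any--         4500   0   0  2020011   0
17       --listen--          192.168.1.10    5000   0   0  2001011   0
"""

# Constructed sample: two entries, only the first bound to an IKEv2 profile.
SAMPLE_CRYPTO_MAP = """\
Crypto Map IPv4 "VPNMAP" 10 ipsec-isakmp
        Peer = 198.51.100.7
        IKEv2 Profile: IKEV2-PROF
        Extended IP access list 101
Crypto Map IPv4 "VPNMAP" 20 ipsec-isakmp
        Peer = 198.51.100.8
        Extended IP access list 102
"""

if __name__ == "__main__":
    print(ike_listeners(SAMPLE_SHOW_UDP))
    print(ikev2_profiles(SAMPLE_CRYPTO_MAP))
    print(assess(SAMPLE_SHOW_UDP, SAMPLE_CRYPTO_MAP))
```

The verdict for a device that has an IKE listener but no crypto map with an IKEv2 profile is deliberately not "not affected": crypto maps are only one consumer of IKEv2 on IOS and IOS XE, so that case still needs a look at the rest of the IKEv2 configuration.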
Vulnerable releases (partial list; the source truncates it):
Cisco IOS Software: 12.2(6)I1, 15.0(2)EA, 15.0(2)EA1, 15.0(2)EJ, 15.0(2)EJ1, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EY, 15.0(2)EY1, 15.0(2)EY2, and 637 more
Cisco IOS XE Software: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, 16.10.1g, 16.10.1s, 16.10.2, and 432 more

CVSS v3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:C
Impact: C:N, I:N, A:H