Vulnerable Products:
This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA, FTD, IOS, or IOS XE Software and have the IKEv2 protocol enabled.
Note: G-IKEv2 is not affected by this vulnerability.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the Cisco ASA or FTD Software IKEv2 Configuration

To determine whether IKEv2 is enabled on an interface, use the show running-config crypto ikev2 | include enable CLI command. If that command returns output, IKEv2 is enabled on at least one interface. The following example shows the output of the show running-config crypto ikev2 | include enable command on a device that has IKEv2 enabled on the outside interface:
device# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside
If the command returns no output, the device is not affected by this vulnerability.
Note: For devices that are running Cisco FTD Software, the command prompt will end with > and not #.

Determine the Cisco IOS or IOS XE Software IKEv2 Configuration
To determine whether IKE processing is enabled, use the show ip sockets or show udp EXEC command in the CLI. These commands will show the same output for both IKEv1 and IKEv2 because both use the same port numbers. If UDP port 500, UDP port 848, UDP port 4500, or UDP port 4848 is open on a device, the device is processing IKE packets.
The following example shows the output of the show udp command on a device that is processing IKE packets on UDP port 500 and UDP port 4500, using either IPv4 or IPv6:
router# show udp
Proto        Remote      Port      Local         Port  In Out  Stat TTY OutputIF
 17       --listen--          192.168.130.21      500   0   0 1001011   0
 17(v6)   --listen--          UNKNOWN             500   0   0 1020011   0
 17       --listen--...
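Both checks described above can be run over saved CLI output when auditing many devices. The following Python sketch is an added example, not part of the advisory or any Cisco tooling; the function names are hypothetical, and the sample text combines the rows shown above with two constructed rows (UDP 4500 and UDP 161).

```python
import re

# UDP ports the advisory lists as indicating IKE processing on IOS / IOS XE.
IKE_UDP_PORTS = {500, 848, 4500, 4848}

def ike_listeners(show_udp_output):
    """Return sorted (proto, local_addr, port) for `show udp` listeners on an IKE port."""
    hits = set()
    for line in show_udp_output.splitlines():
        tok = line.split()
        # Listener rows: "<17|17(v6)> --listen-- <local addr> <local port> ..."
        # The prompt line, header line and truncated rows fail these checks.
        if (len(tok) >= 4 and tok[0].startswith("17")
                and tok[1] == "--listen--" and tok[3].isdigit()
                and int(tok[3]) in IKE_UDP_PORTS):
            hits.add((tok[0], tok[2], int(tok[3])))
    return sorted(hits)

def asa_ikev2_interfaces(show_run_output):
    """Return interface names from `crypto ikev2 enable <interface>` lines (ASA/FTD)."""
    return re.findall(r"^\s*crypto ikev2 enable (\S+)", show_run_output, re.M)

# Sample input: first two rows are from the advisory, the last two are constructed.
SAMPLE_SHOW_UDP = """\
router# show udp
Proto        Remote      Port      Local         Port  In Out  Stat TTY OutputIF
 17       --listen--          192.168.130.21      500   0   0 1001011   0
 17(v6)   --listen--          UNKNOWN             500   0   0 1020011   0
 17       --listen--          192.168.130.21     4500   0   0 1001011   0
 17       --listen--          192.168.130.21      161   0   0 1001011   0
"""

SAMPLE_ASA = """\
device# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside
"""

if __name__ == "__main__":
    # An open IKE port means IKE packets are processed; the ports are the same
    # for IKEv1 and IKEv2, so review the crypto configuration for each hit.
    for proto, addr, port in ike_listeners(SAMPLE_SHOW_UDP):
        print(f"IKE listener: proto={proto} local={addr} udp/{port}")
    for nameif in asa_ikev2_interfaces(SAMPLE_ASA):
        print(f"IKEv2 enabled on ASA/FTD interface: {nameif}")
```

An empty result from either function corresponds to the "no output" case in the text above.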
CVSS 3.1 score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H