Vulnerable Products:
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XR Software and have IKEv2 enabled:
Network Convergence System (NCS) 540L
NCS 1004
NCS 1010
NCS 1014
For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.
Determine the Device Configuration
To determine whether IKEv2 is configured on a device, use the show udp brief command and verify whether the device is listening on ports 4500 and 500. The following example shows CLI output on a device that is affected by this vulnerability:
Router#show udp brief
PCB            VRF-ID     Recv-Q Send-Q Local Address  Foreign Address
0x000000000000 0x60000000 0      0      0.0.0.0:4500   0.0.0.0:0
0x000000000000 0x00000000 0      0      0.0.0.0:4500   0.0.0.0:0
0x000000000000 0x60000000 0      0      0.0.0.0:500    0.0.0.0:0
0x000000000000 0x00000000 0      0      0.0.0.0:500    0.0.0.0:0
Router#

Products Confirmed Not Vulnerable:
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software
IOS XE Software
NX-OS Software
Other IOS XR Software products that are not listed as vulnerable

Workarounds:
There are no workarounds that address this vulnerability.

Fixed Software:
Cisco has released free software updates ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu"] that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing,...
24.1.1, 24.1.2, 24.2.1, 24.2.11, 6.5.1, 6.5.2, 6.5.3, 6.6.1, 6.6.2, 6.6.25 (+30 more)
CVSS score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
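The check from the Determine the Device Configuration section can be scripted over collected show udp brief output, for example across an inventory of routers. The following is an added example, not part of the Cisco advisory; the function names and the sample text are constructed for illustration, and it assumes the IPv4 address:port layout shown in the advisory's sample output.

```python
import re

IKE_PORTS = {500, 4500}  # UDP ports the advisory says to check

# Constructed sample, modelled on the output shown in the advisory.
SAMPLE = """\
Router#show udp brief
PCB            VRF-ID     Recv-Q Send-Q Local Address  Foreign Address
0x000000000000 0x60000000 0      0      0.0.0.0:4500   0.0.0.0:0
0x000000000000 0x00000000 0      0      0.0.0.0:4500   0.0.0.0:0
0x000000000000 0x60000000 0      0      0.0.0.0:500    0.0.0.0:0
0x000000000000 0x00000000 0      0      0.0.0.0:500    0.0.0.0:0
Router#
"""

# One socket row: PCB, VRF-ID, Recv-Q, Send-Q, local address, foreign address.
ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$"
)

def parse_udp_brief(text):
    """Return (vrf_id, local_addr, local_port) for each socket row."""
    sockets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, column header or blank line
        addr, _, port = m.group(5).rpartition(":")
        if port.isdigit():
            sockets.append((m.group(2), addr, int(port)))
    return sockets

def ike_listeners(text):
    """Map each IKE port found to the sorted VRF IDs with a socket bound to it."""
    found = {}
    for vrf, _addr, port in parse_udp_brief(text):
        if port in IKE_PORTS:
            found.setdefault(port, set()).add(vrf)
    return {port: sorted(vrfs) for port, vrfs in found.items()}

def ikev2_listening(text):
    """Assumption: treat the device as matching only if BOTH ports are bound."""
    return IKE_PORTS <= set(ike_listeners(text))

if __name__ == "__main__":
    print(ike_listeners(SAMPLE), ikev2_listening(SAMPLE))
```

A match only shows that the listening condition is met; whether the device is affected still depends on the product and release, as described in the Vulnerable Products and Fixed Software sections.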