Cisco IOS XE Software

This vulnerability affects Cisco IOS XE Software running on the following products. No other models are affected.

  • Cisco ASR 1000 Series Aggregation Services Routers:
    • ASR 1001-X
    • ASR 1001-HX
    • ASR 1002-X
    • ASR 1002-HX
    • Cisco ASR 1000 Series 100-Gbps Embedded Service Processor (ASR1000-ESP100)
    • Cisco ASR 1000 Series 200-Gbps Embedded Service Processor (ASR1000-ESP200)
  • Cisco 4000 Series Integrated Services Routers:

Cisco IOS XE Software is affected by this vulnerability if the system is configured to terminate IPsec VPN connections. This includes the following:

  • LAN-to-LAN VPN
  • Remote-access VPN, excluding SSL VPN
  • Dynamic Multipoint VPN (DMVPN)
  • FlexVPN
  • Group Encrypted Transport VPN (GET VPN)
  • IPsec virtual tunnel interfaces (VTIs)
  • Open Shortest Path First Version 3 (OSPFv3) Authentication Support with IPsec

If a device that is running Cisco IOS XE Software is configured to terminate IPsec VPN connections, either a crypto map must be configured for at least one interface or the device must be configured with IPsec VTIs.

Administrators should use the show running-config command and verify that the returned output contains a crypto map configured under at least one active interface. The following example shows a crypto map named map-group1 configured on the GigabitEthernet 0/0/0 interface:

Router# show running-config
<!-- Output Omitted -->
interface GigabitEthernet0/0/0
 crypto map map-group1

To check for IPsec VTIs, administrators should use the show running-config command and verify that the returned output contains tunnel protection ipsec profile configured under at least one tunnel interface. The following example shows a VTI interface:

Router# show running-config
interface tunnel 0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF1

Note: IPsec VPN is not configured by default.

If a device that is running Cisco IOS XE Software is configured to support OSPFv3 Authentication Support with IPsec, the running configuration contains one of the following:

  • ipv6 ospf encryption
  • ipv6 ospf authentication
  • ospfv3 authentication ipsec
  • ospfv3 encryption ipsec
  • area <area-id> authentication ipsec
  • area <area-id> encryption ipsec
  • area <area-id> virtual-link <router-id> authentication ipsec spi
  • area <area-id> virtual-link <router-id> encryption ipsec spi

The following example shows a device configured for OSPFv3 Authentication Support with IPsec:

Router# show running-config
interface GigabitEthernet0/1
 ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

Cisco ASA Software and Cisco ASA 5500-X Series with Firepower Threat Defense Software

This vulnerability affects Cisco ASA Software or Cisco FTD Software running on the following products. No other models are affected.

Cisco ASA 5500-X Series Adaptive Security Appliances:

  • ASA 5506-X Series
  • ASA 5508-X Series
  • ASA 5516-X Series

Refer to the Fixed Software section of this security advisory for more information about affected releases.

Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IPsec VPN connections. This includes the following:

  • LAN-to-LAN IPsec VPN
  • Remote-access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections

Cisco FTD Software is affected by this vulnerability if the system is configured to terminate IPsec VPN connections. This includes the following:

  • Site-to-site IPsec VPN
  • Remote-access VPN using the IPsec VPN client

Cisco ASA Software or Cisco FTD Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:

  • Clientless SSL
  • AnyConnect SSL

If an appliance running Cisco ASA Software is configured to terminate IPsec VPN connections, a crypto map must be configured for at least one interface. Administrators should use the show running-config crypto map | include interface command and verify that it returns output. The following example shows a crypto map named outside_map configured on the outside interface:

ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside

Note: IPsec VPN is not configured by default.

To determine whether an appliance that is running Cisco FTD is configured with site-to-site VPN connections or remote-access VPN connections that use the IPsec VPN client, administrators should use the show running-config command. In the following table, the left column lists the vulnerable Cisco FTD features. The right column indicates the vulnerable configuration from the show running-config command.

Cisco FTD Feature                                                 | Vulnerable Configuration
------------------------------------------------------------------|--------------------------------------------------------------------
AnyConnect IKEv2 Remote Access (with client services) [1][2]      | crypto ikev2 enable <interface_name> client-services port <port #>
                                                                  | webvpn
                                                                  |   anyconnect enable
AnyConnect IKEv2 Remote Access (without client services) [1][2]   | crypto ikev2 enable <interface_name>
                                                                  | webvpn
                                                                  |   anyconnect enable
Site-to-site VPN connections [3]                                  | crypto map <crypto_map_name> interface <interface_name>

[1] Remote-access VPN features are enabled via Devices > VPN > Remote Access in the Cisco FMC or via Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
[2] Remote-access VPN features are first supported as of Cisco FTD Software Release 6.2.2.
[3] Site-to-site VPN features are first supported as of Cisco FTD Software Release 6.2.0.
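The configuration checks described in this advisory for IOS XE (a crypto map under an interface, tunnel protection ipsec profile on a VTI, the OSPFv3 Authentication Support with IPsec lines) and for ASA/FTD (a crypto map bound to an interface, or crypto ikev2 enable together with anyconnect enable under webvpn) can be run in bulk over saved show running-config output. The Python script below is an added example and is not Cisco's code or part of the advisory. The configuration excerpts in it are constructed for the example and do not come from a real device, and the function names are the example's own. It implements one caveat the advisory's wording implies: a global crypto map definition that is not applied to an interface does not count.

```python
from __future__ import annotations
import re

# Constructed IOS XE 'show running-config' excerpt (not from a real device).
# The unindented 'crypto map' definition is not an indicator by itself;
# the 'crypto map' binding under GigabitEthernet0/0/0 is.
IOSXE_CONFIG = """\
crypto map map-group1 10 ipsec-isakmp
 set peer 198.51.100.7
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map map-group1
!
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF1
!
interface GigabitEthernet0/1
 ospfv3 authentication ipsec spi 256 md5 01020304050607080910010203040506
!
router ospfv3 1
 area 0 authentication ipsec spi 1001 md5 01020304050607080910010203040506
!
"""

# Constructed ASA/FTD excerpt with a bound crypto map and IKEv2 remote access.
ASA_CONFIG = """\
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map interface outside
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""

# Constructed SSL-only AnyConnect configuration (not affected per the advisory).
SSL_ONLY_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
"""

# OSPFv3 Authentication Support with IPsec lines listed in the advisory.
OSPFV3_IPSEC_PATTERNS = [
    re.compile(r"^ipv6 ospf (?:encryption|authentication)\b"),
    re.compile(r"^ospfv3 (?:authentication|encryption) ipsec\b"),
    re.compile(r"^area \S+ (?:authentication|encryption) ipsec\b"),
    re.compile(r"^area \S+ virtual-link \S+ (?:authentication|encryption) ipsec spi\b"),
]


def iosxe_ipsec_indicators(config: str) -> list[str]:
    """Return '<stanza>: <line>' for each IOS XE IPsec termination indicator.

    Relies on the one-space indentation of sub-commands that the CLI emits:
    'crypto map' and 'tunnel protection' only count inside an interface stanza.
    """
    findings = []
    stanza = None  # most recent unindented line, e.g. 'interface Tunnel0'
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if not raw[0].isspace():
            stanza = line
            continue  # stanza headers are not indicators themselves
        in_interface = stanza is not None and stanza.lower().startswith("interface ")
        if in_interface and re.match(r"^crypto map \S+", line):
            findings.append(f"{stanza}: {line}")
        elif in_interface and line.startswith("tunnel protection ipsec profile "):
            findings.append(f"{stanza}: {line}")
        elif any(p.match(line) for p in OSPFV3_IPSEC_PATTERNS):
            findings.append(f"{stanza}: {line}")
    return findings


def asa_ftd_ipsec_indicators(config: str) -> list[str]:
    """Return ASA/FTD indicator lines: a crypto map bound to an interface, or
    'crypto ikev2 enable <if>' combined with 'anyconnect enable' under webvpn.
    An SSL-only AnyConnect configuration yields an empty list."""
    findings, ikev2_lines = [], []
    in_webvpn = anyconnect = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            in_webvpn = line == "webvpn"
        if re.match(r"^crypto map \S+ interface \S+$", line):
            findings.append(f"crypto map bound to interface: {line}")
        elif re.match(r"^crypto ikev2 enable \S+", line):
            ikev2_lines.append(line)
        elif in_webvpn and line == "anyconnect enable":
            anyconnect = True
    if anyconnect:  # IKEv2 remote access needs both halves of the table row
        findings.extend(f"AnyConnect IKEv2 remote access: {l}" for l in ikev2_lines)
    return findings


if __name__ == "__main__":
    for name, fn, cfg in [("IOS XE", iosxe_ipsec_indicators, IOSXE_CONFIG),
                          ("ASA/FTD", asa_ftd_ipsec_indicators, ASA_CONFIG),
                          ("SSL only", asa_ftd_ipsec_indicators, SSL_ONLY_CONFIG)]:
        hits = fn(cfg)
        print(f"{name}: {'IPsec termination configured' if hits else 'no indicator found'}")
        for hit in hits:
            print("  ", hit)
```

Feed each function the text of a saved show running-config; a non-empty result means the device terminates IPsec VPN connections in one of the ways the advisory lists and its release should be compared against the Fixed Software section.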

Determining the Cisco ASA Software Release

To determine whether a vulnerable release of Cisco ASA Software is running on an appliance, administrators can use the show version command. The following example shows the results of the show version command on an appliance running Cisco ASA Software Release 9.2(1):

ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)

Determining the Cisco FTD Software Release

Administrators can use the show version command in the CLI to determine the Cisco FTD Software release. In this example, the device is running Release 6.2.2:

> show version
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
Rules update version : 2017-03-15-001-vrt
VDB version : 279
----------------------------------------------------

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software release in the table that appears in the login window or the upper-left corner of the Cisco ASDM window.
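The three show version formats shown above (IOS XE, ASA and FTD) differ enough that an inventory script needs a parser per platform before releases can be compared with the Fixed Software section. The Python below is an added example, not Cisco's code or part of the advisory; the show version excerpts are constructed to match the formats on this page, the function names are the example's own, and the FTD feature minimums come from the footnotes to the FTD configuration table.

```python
import re
from typing import Optional

# Constructed 'show version' excerpts modelled on the formats shown in the advisory.
IOSXE_SHOW_VERSION = """\
ios-xe-device# show version
Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""
ASA_SHOW_VERSION = """\
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
"""
FTD_SHOW_VERSION = """\
> show version
---------------------[ ftd ]---------------------
Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)
"""

# Minimum FTD releases at which each vulnerable feature exists (advisory footnotes 2 and 3).
FTD_FEATURE_MINIMUMS = [("remote-access VPN", "6.2.2"), ("site-to-site VPN", "6.2.0")]


def parse_show_version(text: str) -> Optional[dict]:
    """Identify platform and release from 'show version' output.
    FTD is tried first because its banner also contains a bare 'Version x.y.z'."""
    m = re.search(r"Threat Defense.*?Version\s+(\d+(?:\.\d+)+)\s+\(Build\s+(\d+)\)", text)
    if m:
        return {"platform": "FTD", "release": m.group(1), "build": m.group(2)}
    m = re.search(r"Adaptive Security Appliance Software Version\s+(\d+\.\d+\(\d+\)\S*)", text)
    if m:
        return {"platform": "ASA", "release": m.group(1)}
    # IOS XE: image name in parentheses, then an optional train name ('Denali') and the release.
    m = re.search(r"\(([A-Z0-9_-]+)\),\s+Version\s+(?:[A-Za-z]+\s+)?(\d+(?:\.\d+)+[a-z]?)", text)
    if m:
        return {"platform": "IOS XE", "image": m.group(1), "release": m.group(2)}
    return None


def version_key(release: str) -> tuple:
    """Numeric tuple for ordering releases: '9.2(1)' -> (9, 2, 1), '16.2.1' -> (16, 2, 1).
    A trailing rebuild letter (e.g. '17.3.4a') is dropped, so such pairs need a manual look."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def ftd_features_possible(release: str) -> list:
    """FTD features from the advisory's table that can exist on this release at all."""
    key = version_key(release)
    return [name for name, minimum in FTD_FEATURE_MINIMUMS if key >= version_key(minimum)]


if __name__ == "__main__":
    for sample in (IOSXE_SHOW_VERSION, ASA_SHOW_VERSION, FTD_SHOW_VERSION):
        info = parse_show_version(sample)
        print(info)
        if info and info["platform"] == "FTD":
            print("  vulnerable features possible on this release:",
                  ftd_features_possible(info["release"]))
```

The parsed release is compared with version_key against whatever first fixed release the advisory's Fixed Software section gives for that platform; the ASDM login window and the upper-left corner of the ASDM window show the same ASA release for appliances managed that way.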

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.


