CVE-2009-2868

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2 through 12.4

Description The issue allows remote attackers to cause a denial of service (Phase 1 SA exhaustion) via crafted requests when certificate-based authentication is enabled for IKE. This can lead to the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.

Recommendations For Cisco IOS versions 12.2 through 12.4, update to a version that includes the software updates released by Cisco to address this issue. As a temporary workaround, consider restricting the use of certificate-based authentication for IKE to minimize the risk of exploitation.