PT-2013-5563 · Cisco · Cisco Ios+1

Published: 2013-09-25 · Updated: 2013-10-07 · CVE-2013-5473

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Cisco IOS versions 12.2, 15.1, and 15.2
Cisco IOS XE versions 3.4.2S through 3.4.5S
Cisco IOS XE versions 3.6.xS before 3.6.1S

Description

A flaw in the Internet Key Exchange (IKE) protocol implementation could allow an unauthenticated, remote attacker to cause a memory leak that could lead to a device reload. The vulnerability is due to incorrect handling of malformed IKE packets by the affected software. An attacker could exploit this vulnerability by sending crafted IKE packets to a device configured with features that leverage IKE version 1 (IKEv1). Although IKEv1 is automatically enabled on Cisco IOS Software and Cisco IOS XE Software when IKEv1 or IKE version 2 (IKEv2) is configured, the vulnerability can be triggered only by sending a malformed IKEv1 packet.

Recommendations

For Cisco IOS versions 12.2, 15.1, and 15.2, update to a fixed version to address the vulnerability.
For Cisco IOS XE versions 3.4.2S through 3.4.5S, update to a fixed version to address the vulnerability.
For Cisco IOS XE versions 3.6.xS before 3.6.1S, update to version 3.6.1S or later to address the vulnerability.
As a temporary workaround, consider disabling IKEv1 until a patch is available.
Restrict access to devices configured with features that leverage IKE version 1 (IKEv1) to minimize the risk of exploitation.

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2013-5473

Affected Products

Cisco Ios
Cisco Ios Xe