PT-2017-2988 · Cisco · Cisco IOS XE +1
Published: 2017-09-27 · Updated: 2025-01-27 · CVE-2017-12237
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Cisco IOS versions 15.0 through 15.6
Cisco IOS XE versions 3.5 through 16.5
Description
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module could allow an unauthenticated, remote attacker to cause high CPU utilization, traceback messages, or a reload of an affected device, leading to a denial of service (DoS) condition. The vulnerability is due to how an affected device processes certain IKEv2 packets. An attacker could exploit this vulnerability by sending specific IKEv2 packets to an affected device for processing. This vulnerability affects Cisco devices that have the Internet Security Association and Key Management Protocol (ISAKMP) enabled. Many features use IKEv2, including different types of VPNs such as LAN-to-LAN VPN, remote-access VPN, Dynamic Multipoint VPN (DMVPN), and FlexVPN.
Recommendations
For Cisco IOS versions 15.0 through 15.6, update to a fixed version of the software.
For Cisco IOS XE versions 3.5 through 16.5, update to a fixed version of the software.
As a temporary workaround, consider disabling the ISAKMP protocol until a patch is available.
Restrict access to the IKEv2 module to minimize the risk of exploitation.
Avoid using IKEv2-specific features until the issue is resolved.
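The following Cisco IOS configuration fragment is an added example of the "restrict access" and "disable ISAKMP" recommendations above; it is not part of the advisory. It assumes a single known VPN peer at 203.0.113.10, a local WAN address of 198.51.100.1 and WAN interface GigabitEthernet0/0 (all placeholders); the ACL admits IKE only from that peer and logs everything else.

```cisco
! Added example, not from the advisory. Placeholders: peer 203.0.113.10,
! local WAN address 198.51.100.1, WAN interface GigabitEthernet0/0.
ip access-list extended IKE-PEERS
 remark Allow IKE only from the known VPN peer (UDP 500, and UDP 4500 for NAT-T)
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 remark Drop and log IKE from any other source so attempts appear in syslog
 deny udp any host 198.51.100.1 eq isakmp log
 deny udp any host 198.51.100.1 eq non500-isakmp log
 remark Leave all other traffic (including ESP from the peer) to existing policy
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group IKE-PEERS in
!
! Verify hit counts with: show access-lists IKE-PEERS
! Verify the peer still negotiates with: show crypto ikev2 sa
!
! Temporary workaround from the advisory: disable ISAKMP entirely.
! This stops every IKE-based VPN on the device, so apply it only
! until a fixed release is installed.
no crypto isakmp enable
```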
Fix
DoS
Affected Products
Cisco IOS
Cisco IOS XE