Introduction

Cisco is one of the most famous manufacturers in the networking space. So much so that most of the networking infrastructure we use today was inspired by Cisco’s standards. Because of this, many businesses are using Cisco devices to build out their internal and external networks. The large number of Cisco devices in use makes Cisco a great target for malicious actors. That is why it is imperative for your organization to be aware of the potential threats that could be present on your Cisco devices.

In this article, we are going to explore the vulnerability known as “IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products (CVE-2016-6415)” (source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1). We will identify what IKE is, what Cisco devices/versions are affected, why your organization should be aware of this vulnerability, and how you can remediate this issue on your Cisco devices.

What is IKE?

To start, let’s get back to the basics. What is IKE? IKE is an acronym for the networking protocol known as Internet Key Exchange. This protocol is typically used to create a secure connection in the context of a Virtual Private Network (VPN). IKE establishes the connection and helps the devices communicate over a secure channel.

IKE’s duties don’t end there, though. IKE is also in charge of authenticating the devices (making sure the devices are who they say they are), creating a set of rules for communication within the VPN connection, and safeguarding all communication while your device is connected to the VPN. In short, IKE is essential to keeping your data safe while your device has an established connection to a VPN.

Does CVE-2016-6415 Affect Your Devices?

Now that you have been briefed on what IKE is, we can explore what versions of IKE and what versions of Cisco are affected by “IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products (CVE-2016-6415).” To start, it is important to note that CVE-2016-6415 only affects IKEv1. IKEv1 was designed in the late 1990s, so it is unlikely that most IKE deployments are vulnerable to this attack. However, it is known that some legacy systems enable this version of IKE by default.

Additionally, there are a handful of Cisco devices/versions that are vulnerable to CVE-2016-6415. According to Cisco the affected versions of Cisco IOS XR are the following: “Cisco IOS XR 4.3.x, Cisco IOS XR 5.0.x, Cisco IOS XR 5.1.x, Cisco IOS XR 5.2.x”. To determine if your Cisco IOS or Cisco IOS XE software is affected, Cisco provided this software checker resource (resource: https://sec.cloudapps.cisco.com/security/center/softwarechecker.x). Simply input your software type and current release version and the tool will provide you with a list of vulnerabilities that are associated with the information that you provided.
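The check described above can be run across an inventory export. The following Python sketch is an added example, not code from Cisco or from this article: it flags IOS XR devices on the release trains listed above and notes whether IKEv1 appears in the configuration. The inventory records are constructed, and treating "crypto isakmp" lines as the sign of IKEv1 is an assumption about IOS-style configuration syntax.

```python
import re

# Affected IOS XR release trains as listed in the article (4.3.x to 5.2.x).
AFFECTED_XR_TRAINS = {"4.3", "5.0", "5.1", "5.2"}

# Assumption (not from the article): IOS-style configurations express IKEv1
# with "crypto isakmp ..." statements and IKEv2 with "crypto ikev2 ...".
IKEV1_LINE = re.compile(r"^\s*crypto isakmp\b", re.M)
IKEV2_LINE = re.compile(r"^\s*crypto ikev2\b", re.M)

# Constructed sample inventory; hostnames, versions and configs are made up.
SAMPLE_INVENTORY = [
    {"host": "xr-legacy-01", "os": "IOS XR", "version": "5.1.3",
     "config": "crypto isakmp policy 10\n encryption aes\n"},
    {"host": "xr-legacy-02", "os": "IOS XR", "version": "4.3.2", "config": ""},
    {"host": "xr-core-01", "os": "IOS XR", "version": "7.11.1", "config": ""},
    {"host": "xr-odd-01", "os": "IOS XR", "version": "5.10.1", "config": ""},
    {"host": "ios-branch-01", "os": "IOS", "version": "15.2(4)M",
     "config": "crypto isakmp key <redacted> address 192.0.2.1\n"},
    {"host": "xe-hub-01", "os": "IOS XE", "version": "16.9.4",
     "config": "crypto ikev2 proposal PROP1\n"},
]

def xr_train(version):
    """Return 'major.minor' for a version such as '5.1.3', else None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.|$)", version.strip())
    return f"{m.group(1)}.{m.group(2)}" if m else None

def triage(device):
    """Classify one inventory record for CVE-2016-6415 follow-up."""
    ikev1 = bool(IKEV1_LINE.search(device["config"]))
    if device["os"] == "IOS XR":
        train = xr_train(device["version"])
        # Exact train match: a plain prefix test would flag 5.10.x as 5.1.x.
        status = ("unknown-version" if train is None else
                  "affected-release" if train in AFFECTED_XR_TRAINS else
                  "release-not-listed")
    else:
        # The article lists no IOS / IOS XE versions; defer to Cisco's checker.
        status = "use-software-checker"
    if status == "affected-release":
        # Legacy systems may enable IKEv1 by default, so never rate this "low".
        priority = "high" if ikev1 else "review"
    elif status == "release-not-listed":
        priority = "low"
    else:
        priority = "review" if ikev1 else "low"
    return {"host": device["host"], "status": status, "priority": priority,
            "ikev1_configured": ikev1,
            "ikev2_configured": bool(IKEV2_LINE.search(device["config"]))}

if __name__ == "__main__":
    for row in map(triage, SAMPLE_INVENTORY):
        print(row)
```

Devices marked "use-software-checker" still need their release looked up in the Cisco IOS Software Checker, since the script has no version data for IOS or IOS XE.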

Why Should Your Organization Be Aware of CVE-2016-6415?

At this point, you know whether your IKE version and Cisco version are vulnerable to CVE-2016-6415. Now it is important to make you and your organization aware of the dangers of this vulnerability. To start, NIST and Cisco have rated CVE-2016-6415 as a High Severity vulnerability. These organizations have rated it this way because an attacker can use a tool from the widely used Metasploit Framework (msf) to send a raw data packet to a vulnerable Cisco device which, in turn, creates an information leak.

Once the information leak is identified, an attacker can brute force requests with the aforementioned raw data packet to enumerate large amounts of data from the Cisco device. This could lead to divulged IP addresses, internal network information, and/or confidential information that has passed through memory stores. As you can imagine, this information leak can create a larger-scale breach of confidential information held within your organization. This ultimately will lead to loss of member trust because the confidentiality and integrity of your organization’s external/internal network infrastructure will be corrupted.

How Can You Remediate This Issue?

Finally, we can move toward remediation of this high-severity vulnerability. The first step of remediation has been completed in our “Does CVE-2016-6415 Affect Your Devices?” section. We have identified the versions of IKE and Cisco software that we are currently running, and we can now move toward enabling IKEv2 and updating Cisco to the most current version available. For Cisco IOS XR the most recent unaffected version is 7.11.1 released on December 8, 2023. For Cisco IOS and Cisco IOS XE Software please use the “Cisco IOS Software Checker” (resource: https://sec.cloudapps.cisco.com/security/center/softwarechecker.x) to determine your unaffected version.

Conclusion

“IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products (CVE-2016-6415)” is a high severity vulnerability that can lead to exposed IP addresses, internal network information, and/or confidential member/client information. Although it is unlikely that most of your Cisco devices are vulnerable to this issue, it is worth checking in on some of the legacy devices that are running on your network. Otherwise, the reputation of your organization could be tarnished and the trust your organization has worked hard to build could vanish.

Justin Brose, Information Security Analyst

Justin started at TraceSecurity as a part of the Associate Information Security Analyst Team where he focused on external penetration tests and vulnerability assessments, as well as remote social engineering. Since being promoted to a full-time ISA, he has taken on more intense penetration testing projects for both internal and external networks. Justin graduated from Louisiana State University with a Bachelor of Science in Information Systems and Decision Science and has earned certifications in eJPT, CompTIA Security+, AWS Cloud Practitioner, and SAFe Scrum Master.