Scans for Cisco's IKEv1 and IKEv2 Buffer Overflow Vulnerability (CVE-2016-1287)

Cisco's UDP-RCE

A short dissection of who is scanning for CVE-2016-1287, the latest IKEv1 and IKEv2 buffer overflow vulnerability, commonly referred to as CISCO-UDP-RCE-Vuln.

Since scanning was to be expected (and started shortly after the advisory became public), we wanted to know (and publish) who is scanning, and the results seem to be quite interesting.

The scans we detected follow a pattern similar to those observed by the ISC.

Figure: UDP Port 500 Scans by 8ack

Figure: UDP Port 500 Scans by ISC

Most scans originated from research facilities or scanners like Shodan (the top 5), followed by low-rate scanning from various sources (Germany, Ukraine, China), probably from compromised servers.

There is no "super-heavy internet-wide scanning" so far, just what should be expected; there is no need to scan yourself when Shodan already lists more than 1 million Cisco devices that are not home routers.
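To separate the few high-rate scanners from the low-rate background noise described above, the following added example (not code from the original post) parses constructed firewall log lines, keeps only UDP packets to the IKE ports 500 and 4500, and labels each source by its probe rate; the log line format, the sample addresses and the 5-probes-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not taken from the post); format assumed:
# "<ISO timestamp> <proto> <src ip> -> <dst port>"
SAMPLE_LOG = """\
2016-02-12T10:00:00 UDP 198.51.100.5 -> 500
2016-02-12T10:00:02 UDP 198.51.100.5 -> 500
2016-02-12T10:00:04 UDP 198.51.100.5 -> 4500
2016-02-12T10:00:06 UDP 198.51.100.5 -> 500
2016-02-12T10:00:08 UDP 198.51.100.5 -> 500
2016-02-12T10:00:10 UDP 198.51.100.5 -> 500
2016-02-12T09:15:00 UDP 203.0.113.10 -> 500
2016-02-12T11:15:00 UDP 203.0.113.10 -> 500
2016-02-12T10:30:00 UDP 192.0.2.77 -> 4500
2016-02-12T10:31:00 UDP 192.0.2.77 -> 53
2016-02-12T10:32:00 TCP 192.0.2.78 -> 500
"""

IKE_PORTS = {500, 4500}  # ISAKMP and IKE NAT-T, the ports the scans probe
LINE_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+) -> (\d+)$")

def parse_ike_probes(log_text):
    """Group the timestamps of UDP packets to IKE ports by source address."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skipped
        ts, proto, src, dport = m.groups()
        if proto != "UDP" or int(dport) not in IKE_PORTS:
            continue  # not an IKE probe
        probes[src].append(datetime.fromisoformat(ts))
    return dict(probes)

def classify_sources(probes, heavy_per_minute=5.0):
    """Label each source 'heavy' or 'low-rate' from its probes per minute.
    The time span is floored at one minute so a single probe never looks 'heavy'."""
    result = {}
    for src, stamps in probes.items():
        span_min = (max(stamps) - min(stamps)).total_seconds() / 60
        rate = len(stamps) / max(span_min, 1.0)
        label = "heavy" if rate >= heavy_per_minute else "low-rate"
        result[src] = (len(stamps), round(rate, 3), label)
    return result

if __name__ == "__main__":
    for src, (n, rate, label) in sorted(classify_sources(parse_ike_probes(SAMPLE_LOG)).items()):
        print(f"{src:15} probes={n:2} rate/min={rate:7.3f} {label}")
```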

Figure: Shodan search result for "cisco"

Scanners and their origin:

- University of Pennsylvania
- independent "Researcher"
- Shodan
- Shodan
- Shodan
- Shodan
- real scanner
- real scanner
- real scanner
- real scanner