
Identifying and Mitigating Security Exposures When Using No Payload Encryption Images with Existing Cryptographic Configuration

Cisco IOS Software and Cisco IOS XE Software images come in two types: The regular universalk9 image and the No Payload Encryption (NPE) universalk9_npe image. NPE images were introduced to satisfy import requirements in some countries that require that the platform does not support strong payload cryptography. As such, NPE images lack support for certain cryptographic features, most notably IPsec VPN and Secure Unified Communications.

As a result, when running an NPE image, the CLI parser no longer supports commands that are related to those features. When such commands are entered on the CLI, the parser will respond with an error message that includes the invalid command. This is the expected behavior, but under some circumstances this could lead to a leak of cryptographic configuration settings.

The following sequence of events can lead to such a leak:

1. The device is booted and loads a universalk9 image. The device is then configured with one or more features that require configuring secrets or key material.
2. The image on the device is replaced by a universalk9_npe image and rebooted without removing the secrets or key material that was previously configured.

The software will then parse the existing configuration commands that are present in the startup-config but will not recognize the configuration commands that are related to the configured strong payload cryptography features, and it will print the corresponding error message to the console. In certain scenarios, these error messages may include confidential information such as Internet Key Exchange (IKE) pre-shared keys.
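The following script is an added example and is not part of Cisco's advisory: it scans a saved configuration for the IPsec/IKE command families an NPE image would reject and flags the lines that carry a pre-shared key, so the secrets can be removed before the image is swapped. The command prefixes and the key-carrying command shapes are assumptions based on common IOS syntax, and the sample configuration is constructed.

```python
import re
# Constructed sample startup-config (not from the advisory); names, addresses and keys are made up.
SAMPLE_CONFIG = """\
hostname edge-router
!
crypto keyring BRANCH
 pre-shared-key address 192.0.2.10 key Branch-PSK-123
crypto isakmp key 0 Hub-PSK-456 address 198.51.100.5
crypto ikev2 keyring IKEV2-KR
 peer DC
  address 203.0.113.7
  pre-shared-key Dc-PSK-789
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Assumption: these top-level command families are IPsec/IKE configuration an NPE image does
# not parse; their indented sub-mode lines are treated as rejected (and echoed) as well.
NPE_UNSUPPORTED_PREFIXES = ("crypto isakmp", "crypto ikev2", "crypto ipsec", "crypto map", "crypto keyring")

# Assumed command shapes that carry a pre-shared key literal; group 2 is the secret.
SECRET_PATTERNS = [
    re.compile(r"^(\s*crypto isakmp key (?:[067] )?)(\S+)( address .*)$"),
    re.compile(r"^(\s*pre-shared-key .*?key (?:[067] )?)(\S+)(.*)$"),
    re.compile(r"^(\s*pre-shared-key (?:(?:local|remote) )?(?:[067] )?)(\S+)(.*)$"),
]

def redact_secret(line):
    """Return (line with any pre-shared key replaced by <REDACTED>, True if one was found)."""
    for pattern in SECRET_PATTERNS:
        m = pattern.match(line)
        if m:
            return f"{m.group(1)}<REDACTED>{m.group(3)}", True
    return line, False

def find_npe_exposures(config_text):
    """Return (line_number, redacted_line, carries_secret) for lines an NPE image would reject."""
    findings = []
    in_rejected_block = False
    for number, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.startswith("!"):   # skip blanks and comment separators
            continue
        if not line.startswith(" "):                    # a top-level command starts a new block
            in_rejected_block = line.startswith(NPE_UNSUPPORTED_PREFIXES)
        if in_rejected_block:
            redacted, has_secret = redact_secret(line)
            findings.append((number, redacted, has_secret))
    return findings
```

Lines reported with a secret are the ones the console would echo with key material on an NPE boot; the report itself never prints the key.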

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-npe-hardening-Dkel83jP

Security Impact Rating: Informational

Source: Cisco Security Advisories