ALERT: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Posted by Susan Sison on Feb 16, 2016 11:20:04 AM

Cisco is one of the largest and most respected brands in the world of enterprise connectivity. Its data center platform alone has attracted 75% of the Fortune 500. Naturally, when its hardware has a vulnerability, the implications can be serious.


The Cisco ASA IKEv1 & IKEv2 Buffer Overflow Vulnerability is Critical

On February 12, Cisco announced a major vulnerability in the firmware for its ASA (Adaptive Security Appliance). Enterprises running a Cisco ASA should inform themselves and take action now.

The vulnerability affects the implementation of the IKE (Internet Key Exchange) protocol, version 1 (v1) and version 2 (v2). IKE is crucial to security for remote host or network access and virtual private networks (VPN).

Using the ASA vulnerability, an attacker could:

  • Reload the impacted system
  • Remotely execute arbitrary code
  • Take control of the system

Using crafted UDP (User Datagram Protocol) packets, the attacker triggers the flaw by overflowing a buffer in the vulnerable code. Only traffic that is directed to the affected system itself can exploit the issue.

Is My System Affected by the ASA Vulnerability?

Systems known to be affected are those configured in routed firewall mode only, in either single or multiple context mode. Both IPv4 and IPv6 traffic may be used to exploit the vulnerability.

Affected Cisco products include:

  • Cisco ASA 5500 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ASA Services Module – paired with Catalyst 6500 Switches
  • Cisco ASA Services Module – paired with 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco ASA 5500-X Firewalls
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco ISA 3000 Industrial Security Appliances

A device’s ASA vulnerability status can be checked with the following CLI command:

ciscoasa# show running-config crypto map | include interface

If the command returns a crypto map (that is, a crypto map is bound to an interface), the device may be vulnerable and should be patched immediately.
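The same check can be applied offline to saved running-configs collected from a fleet of ASAs, which is useful when many devices must be triaged before patching. The script below is an added example, not part of the original post or a Cisco tool; the sample configs are constructed, and the IKEv1/IKEv2 "enable" lines are reported as an assumed extra signal beyond the page's crypto-map criterion.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: excerpt of an ASA running-config with a crypto map
# bound to the "outside" interface (the condition the page's CLI check flags).
SAMPLE_CONFIG_VULNERABLE = """\
hostname ciscoasa
interface GigabitEthernet0/0
 nameif outside
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
"""

# Constructed sample: a crypto map is defined but never bound to an interface.
SAMPLE_CONFIG_CLEAN = """\
hostname ciscoasa
crypto map outside_map 10 match address outside_cryptomap
"""

# "crypto map <name> interface <nameif>" is the line that
# `show running-config crypto map | include interface` surfaces.
CRYPTO_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
# Assumed extra signal (not from the page): IKE explicitly enabled per interface.
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)\s*$", re.M)


def crypto_map_interfaces(config: str) -> List[Tuple[str, str]]:
    """Return (map_name, interface) for every crypto map bound to an interface."""
    return [(m.group(1), m.group(2)) for m in CRYPTO_MAP_IFACE.finditer(config)]


def ike_enabled_interfaces(config: str) -> Dict[str, List[str]]:
    """Return the interfaces on which IKEv1 / IKEv2 are explicitly enabled."""
    enabled: Dict[str, List[str]] = {"ikev1": [], "ikev2": []}
    for m in IKE_ENABLE.finditer(config):
        enabled[m.group(1)].append(m.group(2))
    return enabled


def assess(config: str) -> dict:
    """Apply the page's criterion: a bound crypto map means 'may be vulnerable'."""
    maps = crypto_map_interfaces(config)
    return {
        "crypto_map_bound": maps,
        "ike_enabled": ike_enabled_interfaces(config),
        "may_be_vulnerable": bool(maps),
    }
```

Feed each device's saved `show running-config` output to `assess()` and patch every device it flags first.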

Cisco has already issued free software updates to resolve the issue. Customers may only install, and obtain support for, software versions for which they hold a valid license. Customers without Cisco service contracts, such as those who purchase through third-party vendors, should contact the Cisco Technical Assistance Center directly.

There are no workarounds for this issue. Current Cisco customers should download and apply the relevant software patches through their affected device's update interface right away.

Network Computing Architects, Inc. is a premier provider of high quality sustainable and secure networking, information security solutions and unified communications. We partner with our clients to provide answers to business initiatives where leading technologies converge.

NCA achieved ISO 27001:2005 certification in December 2007 and is currently ISO 27001:2013 certified. The scope of NCA's ISMS is client confidential information within NCA Professional Services Practice.