Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected

Published: 2016-02-10
Last Updated: 2016-02-12 03:40:34 UTC
by Johannes Ullrich (Version: 1)
25 comment(s)

Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions. (CVE-2016-1287)

[Update] Also see this writeup with LOTS of details https://blog.exodusintel.com/2016/02/10/firewall-hacking/

The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit the vulnerability, but no details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500.

We are seeing a LARGE INCREASE in port 500/UDP traffic (see https://isc.sans.edu/port.html?port=500 and select TCP Ratio for the left Y axis. earlier spikes affecting this port were mostly TCP)

To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface
 

A product is vulnerable if a crypto map is returned.

There is no workaround, but Cisco has released patched firmware for affected devices.

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
25 comment(s)
Diary Archives