Internet Storm Center

Handler on Duty: Xavier Mertens

Threat Level: green

Thinking...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	isakmp	VPN Key Exchange
udp	isakmp	VPN Key Exchange

Top IPs Scanning
Today	Yesterday
146.88.241.34 (40)	18.217.208.51 (332)
146.88.241.74 (14)	73.109.25.119 (158)
103.203.57.27 (14)	164.52.24.182 (143)
146.88.241.104 (12)	45.142.154.99 (81)
64.62.197.117 (11)	85.217.149.69 (56)
64.62.197.108 (11)	103.203.57.27 (50)
65.49.1.172 (9)	103.203.57.10 (47)
64.62.197.120 (9)	103.7.81.84 (42)
64.62.197.112 (8)	103.203.57.24 (41)
65.49.1.236 (8)	139.162.99.58 (39)

Port diary mentions
URL
Critical Cisco ASA IKEv1v2 Vulnerability. Active Scanning Detected

User Comments
Submitted By	Date
Comment
PC.Tech	2016-02-13 01:42:50
Per: - https://www.kb.cert.org/vuls/id/327976 11 Feb 2016 - "... Note that Cisco ASA versions 7.2, 8.2, 8.3, and 8.6 are affected but no-longer-supported by the vendor. Users of these versions should strongly consider migrating to a supported solution..." //
	2016-02-11 01:32:24
CVE-2016-1287 - Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability For details see https://blog.exodusintel.com/2016/01/26/firewall-hacking/ or https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Javier Fernandez-Sanguino	2003-05-11 03:20:54
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator) There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)

CVE Links
CVE #	Description
CVE-2016-1287	Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.
CVE-2017-5205	The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in print-isakmp.c:ikev2_e_print().