Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks

Published: 2015-07-09
Last Updated: 2015-07-09 14:00:50 UTC
by Mark Baggett (Version: 1)
5 comment(s)

Patch your firewalls!

2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue. 

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:

Follow me on twitter @MarkBaggett

Join me for Python SEC573 in Las Vegas this September 14th! Click here for more information.

Thanks Mark. But I'm still confused or unclear about the three points below.

1. Cisco comment - "Owner/provider sent traffic with no malicious intent" - Then what actually happened?
2. What is the attack vector - So that we can check for corresponding events (logs) from firewalls.
3. Is that a worldwide attack - According to my information, devices located in Asia, America and Europe also got infected.

All good questions. I suspect that Cisco saying "Owner/provider sent traffic with no malicious intent" means... "Someone accidentally crashed the ASA stumbling onto this DoS. It wasn't malicious... and don't even THINK it is related to the Stock Exchange or United going down. Don't even think it... did you think it? Don't do it!" Ok Ok.. I am putting a lot of words and sentiment in their comment that they certainly didn't make BUT I imagine they want people to know they didn't learn about this DoS as a result of yesterday's outages.

I don't have much more information at the moment that will help me answer your other questions, but we are keeping an eye on the situation.
Thanks for contacting the ISC!
Mark Baggett

My first thought is that "non-malicious intent" would suggest either research, or testing of software under development. I personally would not like to accept their determination of non-malicious if they are not releasing the major facts, however.

Most likely research, if traffic is coming from a single IP through multiple organizations' ASAs. But depending on the technical details of the DoS bug, impactful traffic might just occasionally show up in normal traffic, so the DoS might be triggered by coincidence.

Research could take the form of running scanning tools that send some probe packets to random IP addresses, but could accidentally trigger bugs. Probes do not necessarily look like normal traffic, and might trigger different bugs. The research traffic might also be unwanted by various networks, so it's kind of like e-mail spam.

That kind of research might be foreseeably "risky" for the receiving network, and that is always a risk with any unauthorized scan/probe, but might be unavoidable without canceling their intended research that is not specifically designed to cause any DoS.

Thanks Mark for the nice explanation. Whatever their intention was, what about the downtime for these many organizations worldwide? It really did malicious stuff :)

[CVE-2014-3383] - A remote user can send specially crafted UDP packets to the target device via IPv4 or IPv6 to trigger a flaw in the IKE implementation and cause the target device to reload.

From the above sentence, what I understand is that they need to send specially crafted UDP packets to the target device by exploiting a flaw in IKE (VPN) -> I don't think this will happen by accident; if it's a normal or crafted UDP packet, yes it's possible. But a UDP packet tweaked to exploit IKE needs further specification. And that it targeted ASA devices worldwide seems a bit unreliable.

Some additional information regarding the incidents.

According to Cisco sources, it seems message ID 713903, "Can't find a valid tunnel group, aborting" and "Header invalid, missing SA payload!" would be the related events.

But it's still confusing whether these two packets, or particular sessions with 20-30 events in a time interval of 1-2 hours, will do the attack, or whether it's crafted in such a way that a single session is enough to do the job, because I didn't see a flood of packets in devices for this exploit.
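The comment above names message ID 713903 with the texts "Can't find a valid tunnel group, aborting" and "Header invalid, missing SA payload!" as the events to look for, and the first commenter asked how to check firewall logs for them. As an added example (not part of the diary or the comments, and not Cisco's tooling), the Python below parses constructed ASA syslog lines for those messages, tallies them per source IP, and flags any source whose messages cluster inside a short window. The `%ASA-3-713903: IP = <addr>, <text>` field layout is an assumption about the ASA syslog format; the sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample lines, not from the page or any real device. The message ID
# 713903 and the two message texts are the ones named in the comment above; the
# "%ASA-3-713903: IP = <addr>, <text>" layout is an assumption about the ASA
# syslog format, and the addresses come from documentation ranges.
SAMPLE_LOGS = """\
Jul 08 2015 13:01:12 fw1 %ASA-3-713903: IP = 198.51.100.23, Can't find a valid tunnel group, aborting!
Jul 08 2015 13:01:12 fw1 %ASA-3-713903: IP = 198.51.100.23, Header invalid, missing SA payload!
Jul 08 2015 13:01:13 fw1 %ASA-3-713903: IP = 198.51.100.23, Header invalid, missing SA payload!
Jul 08 2015 13:02:40 fw1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/40000
Jul 08 2015 14:15:00 fw1 %ASA-3-713903: IP = 203.0.113.77, Can't find a valid tunnel group, aborting!
Jul 08 2015 14:16:02 fw1 %ASA-3-713903: IP = 198.51.100.23, Header invalid, missing SA payload!
"""

# Only 713903 lines are of interest; every other message ID fails this regex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-713903: IP = (?P<ip>[0-9A-Fa-f.:]+), (?P<msg>.+)$"
)

# Message texts named in the comment, matched as prefixes so a trailing "!"
# does not matter.
IKE_INDICATORS = (
    "Can't find a valid tunnel group, aborting",
    "Header invalid, missing SA payload",
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    msg: str


def parse_713903(text: str) -> List[Event]:
    """Return the 713903 events whose text matches one of the indicator messages."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if not msg.startswith(IKE_INDICATORS):
            continue  # a 713903 line with some other IKE error text
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append(Event(ts, m.group("ip"), msg))
    return events


def summarize_by_source(events: List[Event]) -> Dict[str, Counter]:
    """Per source IP, count how often each indicator message was logged."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        summary[ev.ip][ev.msg] += 1
    return dict(summary)


def flag_bursts(events: List[Event], window_seconds: int = 60, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` indicator events inside any window_seconds span.

    The commenter saw only 20-30 events over an hour or two rather than a flood,
    so the per-source totals are the primary view; this sliding-window check only
    adds a cheap way to spot sources whose messages cluster.
    """
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev.ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_713903(SAMPLE_LOGS)
    for ip, counts in sorted(summarize_by_source(evs).items()):
        print(ip, dict(counts))
    print("burst sources:", flag_bursts(evs))
```

Pointed at a real syslog export, the per-source table answers the commenter's question directly: a single peer producing a handful of these messages right before a reload looks very different from the same messages spread across many peers over a day, and the window check separates the two without needing a packet flood to trigger.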
