Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected - SANS Internet Storm Center


Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected

Cisco released an advisory [1] revealing a critical vulnerability in Cisco's ASA software. Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions (CVE-2016-1287).

[Update] Also see this writeup with LOTS of details https://blog.exodusintel.com/2016/02/10/firewall-hacking/

The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit the vulnerability. No details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500.

We are seeing a LARGE INCREASE in port 500/UDP traffic (see https://isc.sans.edu/port.html?port=500 and select TCP Ratio for the left Y axis; earlier spikes affecting this port were mostly TCP).
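As an added illustration (not part of the diary), the following Python script looks in a firewall's own logs for the pattern behind such a spike: sources spraying UDP/500 or UDP/4500 at many distinct destinations, and the UDP share of port 500 traffic that the ISC port graph's TCP Ratio expresses the other way round. The log lines are constructed in the shape of an ASA 106023 ACL-deny message with documentation-range addresses; the threshold and helper names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed ASA syslog lines in the shape of message 106023 (ACL deny).
# Addresses are RFC 5737 documentation ranges; nothing here is a real observation.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:198.51.100.7/41022 dst outside:203.0.113.5/500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/41023 dst outside:203.0.113.6/500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/41024 dst outside:203.0.113.7/4500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/41025 dst outside:203.0.113.8/500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.44/500 dst outside:203.0.113.5/500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/51000 dst outside:203.0.113.5/500 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst outside:203.0.113.5/53 by access-group "outside_in" [0x0, 0x0]
"""

# Ports IKE uses: 500 (ISAKMP) and 4500 (NAT-T), the ones the diary expects an exploit to arrive on.
IKE_PORTS = {500, 4500}

# Pulls protocol, source, destination and ports out of a 106023-style deny line.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(lines):
    """Yield (proto, src, sport, dst, dport) for every line that matches; skip the rest."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield (m.group("proto").lower(), m.group("src"), int(m.group("sport")),
                   m.group("dst"), int(m.group("dport")))


def ike_targets_by_source(lines):
    """Map each source IP to the set of destinations it sent UDP to on 500 or 4500."""
    targets = defaultdict(set)
    for proto, src, _sport, dst, dport in parse_denies(lines):
        if proto == "udp" and dport in IKE_PORTS:
            targets[src].add(dst)
    return targets


def ike_scanners(lines, min_targets=3):
    """Sources that hit at least min_targets distinct destinations on IKE ports,
    most prolific first. A legitimate peer talks to one gateway, so it stays below
    the threshold; a sweep across an address range does not."""
    hits = ike_targets_by_source(lines)
    flagged = [(src, len(dsts)) for src, dsts in hits.items() if len(dsts) >= min_targets]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def udp_share_on_port(lines, port=500):
    """Fraction of denied packets to `port` that were UDP. The diary notes earlier
    port 500 spikes were mostly TCP, so a high UDP share is the IKE-relevant signal."""
    udp = total = 0
    for proto, _src, _sport, _dst, dport in parse_denies(lines):
        if dport == port:
            total += 1
            udp += proto == "udp"
    return udp / total if total else 0.0


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, count in ike_scanners(lines):
        print(f"{src} probed {count} hosts on IKE ports")
    print(f"UDP share of port 500 denies: {udp_share_on_port(lines):.2f}")
```

Feed it real ACL-deny lines from the outside interface and raise `min_targets` to whatever is normal noise on your edge; the UDP share is worth tracking over time rather than as a single number.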

To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface

A product is vulnerable if a crypto map is returned.

There is no workaround, but Cisco has released patched firmware for affected devices.
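Added example, not from the diary or from Cisco: a small Python checker that applies the crypto-map test above and also parses the output of show version, because a crypto map bound to an interface only tells you the device terminates IKE, not whether it runs fixed code. The fixed-release table holds only 9.1(7), the release named later in this thread; every other train reports "unknown" until you fill the table in from the advisory. The sample command output is constructed, and the function names are this example's own.

```python
import re

# Constructed sample output (not captured from a real device) of the two ASA
# commands the checker consumes:
#   show running-config crypto map | include interface
#   show version
SAMPLE_CRYPTO_MAP_OUTPUT = "crypto map outside_map interface outside\n"
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.1(7)\n"
    "Device Manager Version 7.5(2)\n"
)

# Minimum fixed release per train, keyed by (major, minor). 9.1(7) is the only
# fixed release named on this page; other trains are deliberately left out so the
# checker answers "unknown" instead of guessing. Populate from the Cisco advisory
# (cisco-sa-20160210-asa-ike) before relying on this table.
FIXED_RELEASES = {
    (9, 1): (9, 1, 7, 0),
}

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.MULTILINE)


def parse_version(show_version_text):
    """Return the ASA release as (major, minor, maintenance, interim), or None."""
    m = VERSION_RE.search(show_version_text)
    if m is None:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def bound_crypto_maps(crypto_map_text):
    """Return (map_name, interface) pairs, i.e. the lines that make the diary's
    one-liner report a hit. A bound map means the box terminates IKE."""
    return CRYPTO_MAP_RE.findall(crypto_map_text)


def patch_status(version):
    """'yes', 'no', or 'unknown' (unparsable version or train not in the table)."""
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "yes" if version >= fixed else "no"


def assess(crypto_map_text, show_version_text):
    """Combine exposure (bound crypto map) and patch level into one verdict."""
    maps = bound_crypto_maps(crypto_map_text)
    version = parse_version(show_version_text)
    status = patch_status(version)
    if not maps:
        action = "not exposed: no crypto map is bound to an interface"
    elif status == "yes":
        action = "terminates IKE but runs a fixed release"
    elif status == "no":
        action = "VULNERABLE: terminates IKE on an unfixed release, upgrade now"
    else:
        action = "terminates IKE; compare the version against the advisory"
    return {
        "terminates_ike": bool(maps),
        "crypto_maps": maps,
        "version": version,
        "patched": status,
        "action": action,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CRYPTO_MAP_OUTPUT, SAMPLE_SHOW_VERSION).items():
        print(f"{key}: {value}")
```

Paste the two command outputs in place of the constructed samples; the verdict deliberately stays at "unknown" for any train you have not added to the table rather than reporting a box as patched.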

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Johannes

3036 Posts
ISC Handler
Technical details are made available by exodus intelligence at https://blog.exodusintel.com/2016/01/26/firewall-hacking/
mbx

1 Posts
It appears that exodus security has published near full shellcode. https://blog.exodusintel.com/2016/01/26/firewall-hacking/
johnf

6 Posts
This command returns the name of the crypto map that is bound to any interface for a vulnerable version and for versions that have been patched.
larry

1 Posts
Your comment

"To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface

A product is vulnerable if a crypto map is returned."

is slightly misleading. The Advisory indicates that an IKE1 or 2 termination point is potentially vulnerable. However, issuing that command simply identifies whether you have an IKE1 or 2 crypto map.

After patching to 9.1(7) the test above will still return a crypto map because it is still an IKE1 or 2 termination point.

The advisory is indicating this vulnerability affects only ASAs using this method.
joncec

1 Posts
I'm thinking this is at least a Threat Level YELLOW. There are a lot of people running old ASA code out there and a CVSS 10 UDP packet remote code execution on a firewall is about as bad as it gets.

Impact
By sending specially crafted UDP packets directly to affected devices, a remote, unauthenticated attacker may be able to execute arbitrary code and gain full control of affected systems.

Note that Cisco ASA versions 7.2, 8.2, 8.3, and 8.6 are affected but no longer supported by the vendor. Users of these versions should strongly consider migrating to a supported solution.
Anonymous

Affected Cisco ASA Software running on the following products may be affected by this vulnerability:

• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco ISA 3000 Industrial Security Appliance

I wonder if all of those PIXes are also vulnerable.
Anonymous

I keep hearing there is no workaround. However, it sounds like the vulnerability is in the IKE service, part of the firewalls' VPN functionality. If the VPN functionality is disabled/not enabled, is the firewall still vulnerable?

Wouldn't disabling VPN be a work-around?
packetdude

22 Posts
Yes.
JDoe

4 Posts
Yes, FWs shouldn't be vulnerable unless they do terminate IKEv1 or IKEv2 VPN connections.
Krypt0ni8

21 Posts
"No, sir. We're not vulnerable because we don't have any VPNs."

"Then how do we have remote access for employees? I thought that AnyConnect thing was a VPN."
Anonymous

Per: https://www.kb.cert.org/vuls/id/327976
11 Feb 2016 - "... Note that Cisco ASA versions 7.2, 8.2, 8.3, and 8.6 are affected but no-longer-supported by the vendor. Users of these versions should strongly consider migrating to a supported solution..."

// :-(
PC.Tech

34 Posts
According to the Cisco site they may provide a free migration to a patched 9.1(7):

>>>
Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
TobySimmons

7 Posts
The use of control plane ACLs? http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation
Anonymous

I've written up a detailed approach to how to mitigate this issue using control plane ACLs until you are able to apply patches. There are a few limitations but it's a very helpful technique: http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation
johnf

6 Posts
The free upgrade to 9.1(7) may not be as easy as it seems. Our ASA 5510's had to have a memory upgrade before we could move to the 8.3 code.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html

"All Cisco ASA 5505, ASA 5510, ASA 5520, and ASA 5540 appliances will ship with additional default memory to meet the memory requirements for Cisco ASA Software Version 8.3 in February 2010."

People running old code are quite probably also running old hardware.
Anonymous

Quoting johnf: I've written up a detailed approach to how to mitigate this issue using control plane ACLs until you are able to apply patches. There are a few limitations but it's a very helpful technique: http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation


Great job, that's exactly the kind of detailed write-up I'd like to see come hand-in-hand with a new vulnerability. Not that other one we got with this vulnerability, basically spelling out how to (ab)use the vulnerability...

Once again an ISC post has become the reference point for defenders - and the comment section is filled with good advice.

Thanks, ISC!! And a big Thank You to everyone that is contributing!
dotBATman

59 Posts
Cisco's support site is crashing and burning this AM. Been up and down all morning.

Versions 9.2.4 and later seemed to not have the fixed code for the 5515, 25, etc... (prior to support site issues; note I cannot verify now). 9.1.7 is the fixed release for 5510s, assuming you have the memory; rolled it yesterday without any noted issues.

I noted a new release (9.5) for the ASAv (ESX and AWS versions) yesterday, which may contain the fix for the AWS ASAv, previously on 9.4.x.

Just a side note: even if you are using SSL/TLS for AnyConnect (and not IKE), don't forget your site-to-site tunnels (using IKE).

Looking forward to checking out the ACL mitigation posted above.
Bugbear

6 Posts
I would start off by disabling unused/Legacy IKE VPN connections, then patch production ASAP.
Krypt0ni8

21 Posts
This blogpost at Snort is interesting, no?
http://blog.snort.org/2016/02/coverage-for-cve-2016-1287-in-snort.html

"We wanted to let our customers know that we've had coverage out for this vulnerability since December 1, 2015 in the form of a Shared Object rule, enabled by default in the balanced policy (on by default for Open Source in the Snort Subscriber Rule Set). Yesterday that rule was converted from a Shared Object rule to a plaintext rule and released in the ruleset."
Ghald

1 Posts
BUG WARNING

Updated to 9.1.7 (on an ASA 5520 HA pair) and a few hours later all AnyConnect (SSL VPN) access stopped, along with ASDM access (management GUI).

After working with TAC, determined it was a bug:

https://tools.cisco.com/bugsearch/bug/CSCux45179/

I was able to work around this by rebooting. I was fortunate that the affected ASA was an HA pair, so I was able to fail over to the secondary (where everything worked), reboot the primary (which got it working there) and fail back to the primary.

I expect to have to repeat this workaround when I lose access again, until Cisco has a fix.
DaveC

1 Posts
