Cisco released an advisory revealing a critical vulnerability in Cisco's ASA software (CVE-2016-1287). Devices are vulnerable if they are configured to terminate IKEv1 or IKEv2 VPN sessions.

[Update] Also see this writeup with LOTS of details: https://blog.exodusintel.com/2016/02/10/firewall-hacking/

The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit it. No details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500. We are seeing a LARGE INCREASE in port 500/UDP traffic (see https://isc.sans.edu/port.html?port=500 and select TCP Ratio for the left Y axis; earlier spikes affecting this port were mostly TCP).

To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface

A product is vulnerable if a crypto map is returned. There is no workaround, but Cisco has released patched firmware for affected devices.

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Johannes, 4076 Posts, ISC Handler, Feb 12th 2016
Technical details are made available by exodus intelligence at https://blog.exodusintel.com/2016/01/26/firewall-hacking/
mbx, 1 Posts, Feb 10th 2016
It appears that exodus security has published near full shellcode. https://blog.exodusintel.com/2016/01/26/firewall-hacking/
johnf, 6 Posts, Feb 10th 2016
This command returns the name of the crypto map that is bound to any interface for a vulnerable version and for versions that have been patched.
larry, 1 Posts, Feb 11th 2016
Your comment "To test if your device is vulnerable, check the running crypto maps: ciscoasa# show running-config crypto map | include interface A product is vulnerable if a crypto map is returned." is slightly misleading. The Advisory indicates that an IKE1 or 2 termination point is potentially vulnerable. However, issuing that command simply identifies if you have an IKE1 or 2 crypto map. After patching to 9.1(7) the test above will still return a crypto map because it is still an IKE1 or 2 termination point. The advisory is indicating this vulnerability affects only ASAs using this method.
joncec, 1 Posts, Feb 11th 2016
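The diary's crypto-map check and the caveat larry and joncec raise above (a patched box still returns a crypto map) combine naturally into one script. As an added example, not code from the diary, from Cisco or from any commenter, the Python below parses the two ASA command outputs and only calls a device patched when its version is at or past the fixed release for its train. The only fixed release taken from this page is 9.1(7); the unsupported trains come from the CERT note quoted in the thread; every other train is deliberately absent and must be filled in from the advisory. The sample command outputs are constructed.

```python
import re

# Fixed release per train. Only 9.1 -> 9.1(7) is stated in the thread; the
# 7.2/8.2/8.3/8.6 entries record the thread's note that those trains are
# affected but no longer supported (None = no fixed release). Every other
# train is deliberately absent and must be filled in from the Cisco advisory.
FIXED_RELEASES = {(9, 1): (9, 1, 7),
                  (7, 2): None, (8, 2): None, (8, 3): None, (8, 6): None}

# 'show running-config crypto map | include interface' prints one line such as
# 'crypto map outside_map interface outside' per bound crypto map.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
# 'show version' prints e.g. 'Software Version 9.1(7)'; an interim suffix
# such as 9.1(7)4 is ignored for the comparison.
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")

def bound_crypto_maps(crypto_map_output):
    """Return [(map_name, interface), ...] from the crypto map output."""
    return CRYPTO_MAP_RE.findall(crypto_map_output)

def parse_version(show_version_output):
    """Return (major, minor, maintenance) from 'show version' text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no ASA software version string found")
    return tuple(int(x) for x in m.groups())

def assess(crypto_map_output, show_version_output, fixed=FIXED_RELEASES):
    """Classify the device from the two command outputs."""
    if not bound_crypto_maps(crypto_map_output):
        return "not-exposed"             # no IKEv1/IKEv2 termination point
    ver = parse_version(show_version_output)
    if ver[:2] not in fixed:
        return "unknown-train"           # look this train up in the advisory
    fix = fixed[ver[:2]]
    if fix is None:
        return "vulnerable-unsupported"  # affected, no fixed release exists
    return "patched" if ver >= fix else "vulnerable"

# Constructed sample output, not captured from a real device.
SAMPLE_MAP = "crypto map outside_map interface outside\n"
SAMPLE_VER_OLD = "Cisco Adaptive Security Appliance Software Version 9.1(6)\n"
SAMPLE_VER_NEW = "Cisco Adaptive Security Appliance Software Version 9.1(7)\n"

if __name__ == "__main__":
    print(assess(SAMPLE_MAP, SAMPLE_VER_OLD))  # vulnerable
    print(assess(SAMPLE_MAP, SAMPLE_VER_NEW))  # patched
    print(assess("", SAMPLE_VER_OLD))          # not-exposed
```

Feed it the saved output of the two commands from each firewall; an "unknown-train" result means the table, not the device, needs attention first.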
I'm thinking this is at least a Threat Level YELLOW. There are a lot of people running old ASA code out there and a CVSS 10 UDP packet remote code execution on a firewall is about as bad as it gets.
Impact: By sending specially crafted UDP packets directly to affected devices, a remote, unauthenticated attacker may be able to execute arbitrary code and gain full control of affected systems. Note that Cisco ASA versions 7.2, 8.2, 8.3, and 8.6 are affected but no longer supported by the vendor. Users of these versions should strongly consider migrating to a supported solution.
Anonymous, Feb 11th 2016
Affected: Cisco ASA Software running on the following products may be affected by this vulnerability:
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco ISA 3000 Industrial Security Appliance
I wonder if all of those PIXes are also vulnerable.
Anonymous, Feb 11th 2016
I keep hearing there is no workaround. However, it sounds like the vulnerability is in the IKE service, part of the firewalls' VPN functionality. If the VPN functionality is disabled/not enabled, is the firewall still vulnerable?
Wouldn't disabling VPN be a workaround?
packetdude, 22 Posts, Feb 11th 2016
Yes.
JDoe, 5 Posts, Feb 11th 2016
Yes, FWs shouldn't be vulnerable unless they do terminate IKEv1 or IKEv2 VPN connections.
Krypt0ni8, 21 Posts, Feb 11th 2016
"No, sir. We're not vulnerable because we don't have any VPNs."
"Then how do we have remote access for employees? I thought that AnyConnect thing was a VPN."
Anonymous, Feb 11th 2016
Per: https://www.kb.cert.org/vuls/id/327976
11 Feb 2016 - "... Note that Cisco ASA versions 7.2, 8.2, 8.3, and 8.6 are affected but no-longer-supported by the vendor. Users of these versions should strongly consider migrating to a supported solution..."
PC.Tech, 34 Posts, Feb 11th 2016
According to the Cisco site they may provide a free migration to a patched 9.1(7):
>>> Customers Without Service Contracts: Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
TobySimmons, 7 Posts, Feb 11th 2016
The use of control plane ACLs? http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation
TobySimmons, 1 Posts, Feb 11th 2016
I've written up a detailed approach to how to mitigate this issue using control plane ACLs until you are able to apply patches. There are a few limitations but it's a very helpful technique: http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation
johnf, 6 Posts, Feb 12th 2016
The free upgrade to 9.1(7) may not be as easy as it seems. Our ASA 5510's had to have a memory upgrade before we could move to the 8.3 code.
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html "All Cisco ASA 5505, ASA 5510, ASA 5520, and ASA 5540 appliances will ship with additional default memory to meet the memory requirements for Cisco ASA Software Version 8.3 in February 2010." People running old code are quite probably also running old hardware.
Anonymous, Feb 12th 2016
Quoting johnf: "I've written up a detailed approach to how to mitigate this issue using control plane ACLs until you are able to apply patches. There are a few limitations but it's a very helpful technique: http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation"
Great job, that's exactly the kind of detailed write-up I'd like to see come hand-in-hand with a new vulnerability. Not that other one we got with this vulnerability, basically spelling out how to (ab)use the vulnerability... Once again an ISC post has become the reference point for defenders - and the comment section is filled with good advice. Thanks, ISC!! And a big Thank You to everyone that is contributing!
dotBATman, 64 Posts, Feb 12th 2016
Cisco's support site is crashing and burning this AM. Been up and down all morning.
Versions 9.2.4 and later seemed to not have the fixed code for the 5515, 25, etc... (prior to support site issues; note I cannot verify now). 9.1.7 is the fixed release for 5510s, assuming you have the memory; rolled it yesterday without any noted issues. I noted a new release (9.5) for the ASAv (ESX and AWS version) yesterday which may contain the fix for AWS ASAv, previously on 9.4.x. Just a side note: even if you are using SSL/TLS for AnyConnect (and not IKE), don't forget your site-to-site tunnels (using IKE). Looking forward to checking out the ACL mitigation posted above.
Bugbear, 7 Posts, Feb 12th 2016
I would start off by disabling unused/Legacy IKE VPN connections, then patch production ASAP.
Krypt0ni8, 21 Posts, Feb 12th 2016
This blogpost at Snort is interesting, no?
http://blog.snort.org/2016/02/coverage-for-cve-2016-1287-in-snort.html "We wanted to let our customers know that we've had coverage out for this vulnerability since December 1, 2015 in the form of a Shared Object rule, enabled by default in the balanced policy (on by default for Open Source in the Snort Subscriber Rule Set). Yesterday that rule was converted from a Shared Object rule to a plaintext rule and released in the ruleset."
Ghald, 1 Posts, Feb 12th 2016
BUG WARNING
Updated to 9.1.7 (on an ASA 5520 HA pair) and a few hours later all AnyConnect (SSL VPN) access stopped along with ASDM access (management GUI). After working with TAC I determined it was a bug: https://tools.cisco.com/bugsearch/bug/CSCux45179/ I was able to work around this by rebooting. I was fortunate that the affected ASA was an HA pair, so I was able to fail over to the secondary (where everything worked), reboot the primary (which got it working there) and fail back to the primary. I expect to have to repeat this workaround when I lose access again until Cisco has a fix.
DaveC, 1 Posts, Feb 12th 2016