ALERT: Update Cisco ASA software to address vulnerability
This message is intended for U-M IT staff who are responsible for Cisco ASA devices, which are used to provide firewall and VPN services. It was sent via email to the IT Security Community, Frontline Notify, and UMnet Admin groups on February 11, 2016.
A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco Adaptive Security Appliance (ASA) software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. Exploit details have been shared publicly. Cisco has released software updates that address this vulnerability, and those updates should be applied as soon as possible. Cisco ASA software is used to provide firewall and Virtual Private Network (VPN) services.
Affected Cisco ASA Software running on the following products may be affected by this vulnerability:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 or IKEv2 VPN connections. This includes the following:
LAN-to-LAN IPsec VPN
Remote access VPN using the IPsec VPN client
Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
- Clientless SSL
- AnyConnect SSL
Install the software updates available from Cisco to those who have purchased a license for the software. According to Cisco, "In most cases this will be a maintenance upgrade to software that was previously purchased."
For VPN services that only provide point-to-point VPN connections, an alternative mitigation strategy could be to block all access to the VPN service other than the specific endpoints that need to connect, along with management systems that need to connect. Using Access Control Lists (ACLs) outside of the ASA systems themselves (e.g., a router ACL on a network device “in front of” the ASA system) is recommended in order to fully protect the ASA device from malicious traffic.
Exploit details have been shared publicly, significantly increasing the likelihood of attacks. An attacker could exploit this vulnerability by sending crafted User Datagram Protocol (UDP) packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
To determine whether the Cisco ASA is configured to terminate IKEv1 or IKEv2 VPN connections, a crypto map must be configured for at least one interface. Administrators should use the command below and verify that it returns output:
show running-config crypto map | include interface
Questions, Concerns, Reports
Please contact email@example.com.
- Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (Cisco, 2/10/16)
- Execute My Packet (Exodus Intel)