Cisco ASA Critical Vulnerability: What is the Problem, and How to Protect

Researchers at Exodus Intelligence David Barksdale, Jordan Gruskovnyak and Alex Wheeler discovered a critical vulnerability in Cisco ASA firewalls. A security bug allows a remote unauthorized user to execute arbitrary code or reboot the device.

What is the problem

The CVSS CVE-2016-1287 was given the highest 10 rating, which only extremely dangerous security errors receive. To successfully exploit the vulnerability, you need to send specially formed UDP packets to the target system.
')
The vulnerability is contained in IKE (Internet Key Exchange) v1 and v2 firewall software modules. The error leads to the fact that the sequence of a specially-formed UDP packet causes a buffer overflow, which leads to the possibility of remote code execution (RCE). Thus, the vulnerability can be exploited on systems configured to accept VPN connections over IKEv1 or IKEv2. Devices configured to work with Clientless SSL and AnyConnect SSL VPN connections are not affected by this error.

A security bulletin is published on the Cisco website that lists the vulnerable devices:

• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco ISA 3000 Industrial Security Appliance

As stated in the message of Cisco, at the moment there is no information that the attackers managed to carry out an attack using the detected vulnerability.

Nevertheless, the technical director of SANS ISC Johannes Ulrich in a statement published on the organization’s website noted the greatly increased traffic to UDP ports 500 and 400 - the specialist assumes that the exploit will be distributed in this way.

How to protect

Administrators of Cisco ASA devices, versions of which are listed as vulnerable, and on which the manufacturer recommended security updates have not yet been installed, can check whether their equipment is vulnerable using the following command:

ciscoasa# show running-config crypto map | include interface 

If the team returns the crypto map, then the device is vulnerable.

Exodus researchers also described ways to detect attempts to exploit a vulnerability in their material. According to them, device administrators need to analyze the values ​​of the Fragment Payload (type 132) IKEv2 or IKEv1 length field. If the field value is less than 8 bytes, then experts recommend considering such a case as an attempt at exploitation.

The Cisco Security Bulletin also contains information about patches for vulnerable devices. The company recommends that Cisco hardware administrators install updates as soon as possible.

In addition, there are Cisco ASA versions (7.2, 8.2, 8.3, and 8.6) that are also vulnerable, but are no longer supported by the manufacturer. For these devices, a patch covering the vulnerability will not be released. Owners of such equipment need only replace it with newer devices or use specialized protection tools to detect packages generated by hackers — this can be done using DPI. The vulnerability of network equipment can also be detected using the MaxPatrol 8 security and compliance system.



The Cisco ASA vulnerability is not the first security bug that has recently been detected in products from well-known network security solution providers. So at the end of December 2015, information about a backdoor in Juniper firewalls got into the press. In addition, Fortinet, a manufacturer of security tools, was in the center of the scandal - security products for remote access were found in its products.