The Cisco Adaptive Security Appliance (ASA) is affected by a remote code execution vulnerability (CVE-2016-1287). This vulnerability was publicly disclosed on Cisco’s website at 16:00 on the 10th of February and affects numerous devices and versions.
At the time of writing there were no denial of service (DoS) or remote code execution (RCE) exploits available or known to exist publicly; however, it is only a matter of time before a working exploit is developed and code is made available publicly or for sale.
The vulnerability affects the Internet Key Exchange (IKE) protocols within the IPsec protocol suite that are used to establish VPN connections.
Cisco ASA appliances provide a feature for fragmenting large IKE packets. When large IKE packet fragments are received, they are reassembled by the Cisco fragmentation protocol; however, the code implementing this protocol contains a bounds-checking flaw similar to the HeartBleed vulnerability from 2014. This flaw allows an attacker to cause a buffer overflow, specifically a heap overflow, with attacker-provided data.
The vulnerability is triggered by sending a sequence of specially crafted packets that causes the heap buffer expecting the fragmented packets to be sized too small. The undersized memory buffer is then overflowed when the attacker’s payload is copied into it, causing an access violation during reassembly of the fragmented IKE packets.
Attackers can leverage this access violation to perform a Denial of Service (DoS) attack against the ASA appliance. However, several contributing flaws may allow attackers to perform Remote Code Execution (RCE), and working exploits may appear in the wild in the near future due to the high-profile nature of this vulnerability.
To execute any attack against an ASA device, an attacker must leverage a re-initialization flaw, 2 logic flaws and an input validation flaw to control the memory execution flow and run arbitrary code on the appliance.
Is my organization vulnerable?
Currently there are no detection methods available other than manually identifying the services; however, Cisco have provided a list of devices and the vulnerable software versions on their website. The following devices running ASA software may be affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
The following versions of ASA are vulnerable:
- 7.2 (End of life)
- 8.2 (End of life)
- 8.3 (End of life)
- 8.4 (prior to release 7.30)
- 8.6 (End of life)
- 8.7 (prior to release 1.18)
- 9.0 (prior to release 4.38)
- 9.1 (prior to release 7)
- 9.2 (prior to release 4.5)
- 9.3 (prior to release 3.7)
- 9.4 (prior to release 2.4)
- 9.5 (prior to release 2.2)
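The version list above can be applied to a device inventory as a triage check. The following is an added example, not SureCloud or Cisco code: the function names and sample hostnames are hypothetical, and it assumes versions are written either as `9.1(6)10` or as `9.1(6.10)`.

```python
import re

# First fixed release per train, from the list above: "9.1 (prior to release 7)"
# becomes (7,), "8.4 (prior to release 7.30)" becomes (7, 30).
FIRST_FIXED = {
    "8.4": (7, 30), "8.7": (1, 18), "9.0": (4, 38), "9.1": (7,),
    "9.2": (4, 5), "9.3": (3, 7), "9.4": (2, 4), "9.5": (2, 2),
}
# Trains the list marks as end of life: no fixed release is given for them.
END_OF_LIFE = {"7.2", "8.2", "8.3", "8.6"}

# Assumption: interim number either trails the bracket, "9.1(6)10", or sits
# inside it, "9.1(6.10)". Both forms are accepted.
_VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")

def parse_asa_version(text):
    """Return (train, (maintenance, interim)), or None if no version is found."""
    m = _VERSION.search(text)
    if not m:
        return None
    major, minor, maint, dotted, trailing = m.groups()
    return f"{major}.{minor}", (int(maint), int(dotted or trailing or 0))

def classify(text):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparsed' for one version string."""
    parsed = parse_asa_version(text)
    if parsed is None:
        return "unparsed"
    train, release = parsed
    if train in END_OF_LIFE:
        return "vulnerable"
    if train not in FIRST_FIXED:
        return "unlisted"  # train is not in the list; consult the Cisco advisory
    fixed = FIRST_FIXED[train] + (0,) * (2 - len(FIRST_FIXED[train]))
    return "vulnerable" if release < fixed else "fixed"

if __name__ == "__main__":
    # Constructed inventory, not taken from real devices.
    inventory = {
        "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.1(6)10",
        "fw-edge-02": "9.1(7)",
        "fw-dc-01": "8.4(7)29",
        "fw-lab-01": "8.2(5)",
        "fw-new-01": "9.6(1)",
    }
    for host, version in inventory.items():
        print(f"{host:12} {classify(version):10} {version}")
```

Devices reported as `unlisted` or `unparsed` need a manual check against the Cisco advisory rather than being treated as safe.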
SureCloud Platform scanning
A detection method using SureCloud Vulnerability Manager has been established, and a Tool Policy template has been created for customers that use this service. To use this policy template to identify any vulnerable ASAs please use the ‘Vulnerability: Cisco ASA RCE (CVE-2016-1287)’ Tool Policy within your vulnerability scans.
A patch is available from the Cisco Advisory article. Please see the information from Cisco regarding the necessary updates for your devices.
Cisco IKE Fragmentation
Detailed CVE-2016-1287 Exploitation Breakdown
Cisco Advisory – Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability