Cisco has patched a ‘critical’ buffer overflow vulnerability affecting the Internet Key Exchange (IKE) implementation in Cisco ASA. The company published a security advisory for CVE-2016-1287 on Wednesday, 10 February. The flaw, originally discovered by researchers at Exodus Intelligence, means that ASA devices connected to the Internet could be completely compromised.
Cisco’s advisory states that a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
Since the vulnerability went public, SANS Internet Storm Center (ISC) has recorded a spike in active scanning for UDP port 500, a channel through which an exploit would likely arrive.
A system administrator can check whether a device is vulnerable by inspecting its crypto maps with the following command in the management console:
ciscoasa# show running-config crypto map | include interface
If a crypto map is returned, the device is vulnerable.
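The same check can be run offline over saved running-config exports to triage several devices at once. The following is an added example, not code from Cisco's advisory or the original article; the device names, configuration excerpts and function names are constructed for illustration.

```python
import re

# Line that binds a crypto map to an interface, e.g.
#   crypto map outside_map interface outside
# Anchored so that entries which merely contain the word "interface"
# (such as an ACL named interface_acl) are not counted as bindings.
BINDING = re.compile(r"^\s*crypto map (\S+) interface (\S+)\s*$")


def crypto_map_bindings(running_config):
    """Return (map_name, interface) pairs found in one running-config."""
    pairs = []
    for line in running_config.splitlines():
        match = BINDING.match(line)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def triage(configs):
    """Return {device: bindings} for devices the check above flags."""
    flagged = {}
    for device, text in configs.items():
        pairs = crypto_map_bindings(text)
        if pairs:
            flagged[device] = pairs
    return flagged


# Constructed sample exports (hypothetical devices, documentation addresses).
SAMPLE_CONFIGS = {
    "fw-edge-01": """\
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map interface outside
""",
    "fw-lab-02": """\
crypto map lab_map 10 match address interface_acl
crypto map lab_map 10 set peer 198.51.100.7
""",
    "fw-int-03": """\
interface GigabitEthernet0/1
 nameif inside
""",
}

if __name__ == "__main__":
    for device, pairs in sorted(triage(SAMPLE_CONFIGS).items()):
        for name, iface in pairs:
            print(f"{device}: crypto map {name} bound to interface {iface}")
```

The plain "include interface" filter on the device matches any line containing that word, so an entry that references an ACL such as interface_acl would also be printed; the anchored pattern here counts only actual interface bindings.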
Cisco has released software updates that address the vulnerability. It is recommended that system administrators roll these out as soon as possible.