Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Cisco patched a critical flaw that allowed an unauthenticated, remote attacker to reload an affected Cisco Adaptive Security Appliance (ASA) or execute code on it remotely, using a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software.
Cisco rated the vulnerability with the maximum score of 10 in the Common Vulnerability Scoring System. The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
Only traffic directed to the affected system itself can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only, in either single or multiple context mode. It can be triggered by both IPv4 and IPv6 traffic.
The following products may be affected by this vulnerability:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
Refer to the “Fixed Software” section of this security advisory for more information about the affected releases.
Cisco ASA Software is affected by this vulnerability if the system is configured to terminate IKEv1 or IKEv2 VPN connections.
This includes the following:
- LAN-to-LAN IPsec VPN
- Remote access VPN using the IPsec VPN client
- Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
- IKEv2 AnyConnect
Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
- Clientless SSL
- AnyConnect SSL
How to find out whether you are vulnerable
A Cisco ASA terminates IKEv1 or IKEv2 VPN connections only if a crypto map is applied to at least one interface, so that is the configuration to check.
Administrators should run the show running-config crypto map | include interface command and check whether it returns any output. The product is vulnerable if a crypto map is returned. There is no workaround, but Cisco has released patched firmware for affected devices.
The following example shows a crypto map called outside_map configured on the outside interface:
ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
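The check above is easy to automate across a fleet of devices when the running configuration has already been collected. The following Python script is an added example, not Cisco's own tooling or anything from the advisory: it parses the same "crypto map NAME interface IFACE" lines the command filters for, and combines that with the advisory's routed-mode condition. The sample configuration text, the crypto map name, the peer address and the interface names are constructed for illustration. The transparent-mode check assumes the collected running-config shows "firewall transparent" when that mode is set (its absence meaning the default routed mode); treat that keyword as an assumption of this example.

```python
import re
from typing import List, Tuple

# Constructed sample output of `show running-config crypto map` on a
# hypothetical ASA that terminates IPsec VPN: the map is bound to "outside".
SAMPLE_TERMINATING = """\
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Constructed sample where a crypto map exists but is not applied to any
# interface, so the device does not terminate IKEv1/IKEv2 VPN connections.
SAMPLE_NOT_TERMINATING = """\
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
"""

# A crypto map is only active when bound to an interface; this is the line
# the advisory's `| include interface` filter is looking for.
CRYPTO_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.MULTILINE)

# Assumed keyword for transparent firewall mode in a running-config dump.
TRANSPARENT_MODE = re.compile(r"^firewall transparent\s*$", re.MULTILINE)


def crypto_map_interfaces(config: str) -> List[Tuple[str, str]]:
    """Return (crypto-map name, interface) pairs for every bound crypto map.

    Works on the full `show running-config crypto map` output as well as on
    the already-filtered `| include interface` output.
    """
    return CRYPTO_MAP_IFACE.findall(config)


def terminates_ike_vpn(config: str) -> bool:
    """The advisory's test: at least one crypto map is applied to an interface."""
    return bool(crypto_map_interfaces(config))


def assess(crypto_map_output: str, running_config: str = "") -> str:
    """Combine the advisory's two conditions into a single verdict string.

    `running_config` is optional; when supplied it is used only to detect
    transparent firewall mode, which the advisory states is not affected.
    """
    bound = crypto_map_interfaces(crypto_map_output)
    if not bound:
        return "not affected: no crypto map is applied to an interface"
    if TRANSPARENT_MODE.search(running_config):
        return "not affected: transparent firewall mode (advisory: routed mode only)"
    where = ", ".join(f"{name} on {iface}" for name, iface in bound)
    return f"affected if unpatched: crypto map applied ({where})"


if __name__ == "__main__":
    for label, sample in (("terminating", SAMPLE_TERMINATING),
                          ("not terminating", SAMPLE_NOT_TERMINATING)):
        print(f"{label}: {assess(sample)}")
```

Feed each device's saved `show running-config crypto map` output to assess(); any device reported as "affected if unpatched" should be scheduled for the fixed software release, since there is no configuration workaround.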