[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Andrew (Andy) Ashley andrew.a at aware.co.th
Thu Feb 11 14:35:51 UTC 2016


Is a control-plane ACL to limit isakmp traffic (UDP/500) to an affected ASA from desired sources enough to mitigate this attack, until upgrades can be performed?

Regards,

Andrew Ashley
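For reference, a to-the-box (control-plane) ACL of the kind asked about above, as an added illustration rather than anything from the thread or from Cisco's advisory. The interface name, peer and local addresses are placeholders; it also filters UDP/4500, since IKE peers behind NAT use NAT-T on that port, and ends with a permit so other to-the-box management traffic is unaffected.

```cisco
! Added example, not from the original thread. Placeholders:
!   outside            = internet-facing interface name
!   203.0.113.10       = a known, trusted IKE peer (add one line pair per peer)
!   198.51.100.1       = this ASA's own outside address
! Allow IKE only from trusted peers to this box
access-list CP-IKE extended permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list CP-IKE extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
! Drop IKE/NAT-T from everyone else, logging hits for review
access-list CP-IKE extended deny udp any host 198.51.100.1 eq 500 log
access-list CP-IKE extended deny udp any host 198.51.100.1 eq 4500 log
! Leave all other to-the-box traffic (e.g. SSH, HTTPS) as it was
access-list CP-IKE extended permit ip any any
! Apply to traffic destined to the ASA itself, not to transit traffic
access-group CP-IKE in interface outside control-plane
```

This only reduces exposure to the peers still allowed through and only on the interfaces it is applied to; the advisory's own fix is the software update, which the ACL does not replace.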




-----Original Message-----
From: NANOG <nanog-bounces+andrew.a=aware.co.th at nanog.org> on behalf of Adrian M <adrian.minta at gmail.com>
Date: Thursday, 11 February 2016 at 15:53
To: "nanog at nanog.org" <nanog at nanog.org>
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

>Be careful, it appears that something is broken with ARP on this release.
>We have no ARP on the LAN interface, and somebody else has a similar problem:
>https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
>
>
>On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <lists at sadiqs.com> wrote:
>
>> Update your ASAs folks, this is a critical one.
>>
>>
>> -------- Forwarded Message --------
>> Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
>> IKEv2 Buffer Overflow Vulnerability
>> Date: Wed, 10 Feb 2016 08:06:51 -0800
>> From: Cisco Systems Product Security Incident Response Team
>> <psirt at cisco.com>
>> Reply-To: psirt at cisco.com
>> To: cisco-nsp at puck.nether.net
>> CC: psirt at cisco.com
>>
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
>>
>> Revision 1.0
>>
>> For Public Release 2016 February 10 16:00  GMT (UTC)
>>
>> +---------------------------------------------------------------------
>>
>>
>> Summary
>> =======
>>
>> A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and
>> IKE version 2 (v2) code of Cisco ASA Software could allow an
>> unauthenticated, remote attacker to cause a reload of the affected
>> system or to remotely execute code.
>>
>> The vulnerability is due to a buffer overflow in the affected code area.
>> An attacker could exploit this vulnerability by sending crafted UDP
>> packets to the affected system. An exploit could allow the attacker to
>> execute arbitrary code and obtain full control of the system or to cause
>> a reload of the affected system.
>>
>> Note: Only traffic directed to the affected system can be used to
>> exploit this vulnerability. This vulnerability affects systems
>> configured in routed firewall mode only and in single or multiple
>> context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
>>
>> Cisco has released software updates that address this vulnerability.
>> This advisory is available at the following link:
>>
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>