[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Adrian M adrian.minta at gmail.com
Mon Feb 15 12:16:13 UTC 2016


In the previous release, 9.1(6), this line was OK:
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32

In 9.1(7) it wasn't working anymore, so the solution was to add no-proxy-arp at the end:
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 no-proxy-arp

On Mon, Feb 15, 2016 at 1:48 PM, Roberto <roberto at ipnetworks.it> wrote:

> Hello,
>
> excuse me for this direct email: but about the
> https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
> "
> upgraded from 9.0(5) to 9.1(7)
> "
>
> Solved!
>
> "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).
>
> are you indicating, for example, that previously on 9.0(5) it was:
>
> nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 route-lookup
>
> and now on 9.1(7) it is:
>
> nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 no-proxy-arp route-lookup
>
> Best Regards,
>
> _________________________________
> Roberto Taccon
>
> e-mail: roberto at ipnetworks.it
> mobile: +39 340 4751352
> fax: +39 045 4850850
> skype: roberto.taccon
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Adrian M
> Sent: Monday, 15 February 2016 10:06
> To: nanog at nanog.org
> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>
> Solved!
>
> "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).
>
> On Thu, Feb 11, 2016 at 3:53 PM, Adrian M <adrian.minta at gmail.com> wrote:
>
> > Be careful, it appears that something is broken with ARP on this release.
> > We have no ARP on the LAN interface, and somebody else has a similar problem:
> >
> > https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
> >
> > On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <lists at sadiqs.com> wrote:
> >
> >> Update your ASAs folks, this is a critical one.
> >>
> >> -------- Forwarded Message --------
> >> Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
> >> Date: Wed, 10 Feb 2016 08:06:51 -0800
> >> From: Cisco Systems Product Security Incident Response Team <psirt at cisco.com>
> >> Reply-To: psirt at cisco.com
> >> To: cisco-nsp at puck.nether.net
> >> CC: psirt at cisco.com
> >>
> >> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
> >>
> >> Advisory ID: cisco-sa-20160210-asa-ike
> >>
> >> Revision 1.0
> >>
> >> For Public Release 2016 February 10 16:00 GMT (UTC)
> >>
> >> +--------------------------------------------------------------------+-
> >>
> >> Summary
> >> =======
> >>
> >> A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and
> >> IKE version 2 (v2) code of Cisco ASA Software could allow an
> >> unauthenticated, remote attacker to cause a reload of the affected
> >> system or to remotely execute code.
> >>
> >> The vulnerability is due to a buffer overflow in the affected code area.
> >> An attacker could exploit this vulnerability by sending crafted UDP
> >> packets to the affected system. An exploit could allow the attacker
> >> to execute arbitrary code and obtain full control of the system or to
> >> cause a reload of the affected system.
> >>
> >> Note: Only traffic directed to the affected system can be used to
> >> exploit this vulnerability. This vulnerability affects systems
> >> configured in routed firewall mode only and in single or multiple
> >> context mode. This vulnerability can be triggered by IPv4 and IPv6
> >> traffic.
> >>
> >> Cisco has released software updates that address this vulnerability.
> >> This advisory is available at the following link:
> >>
> >> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
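An added example, not part of this thread and not Cisco's code: a small Python lint that walks an ASA running-config, picks out twice-NAT identity rules (source and, where present, destination objects mapped to themselves, the former "nat 0" exemption style that Adrian and Roberto were discussing), flags the ones that still lack the no-proxy-arp keyword, and prints the rule rewritten with it. Run it against the output of "show running-config nat" before upgrading past 9.1(6) so the proxy-ARP change does not surprise you. The sample config is constructed for the demo: the obj-1.0.0.36_32 object and its rule come from the thread, the other objects and rules are made up, and the keyword placement (no-proxy-arp ahead of route-lookup, as in the rule Roberto posted) is an assumption rather than something validated against a live ASA.

```python
import re

# Constructed ASA running-config excerpt for the demo. The obj-1.0.0.36_32
# object and the first nat line come from the thread; the other objects and
# rules are made up to exercise the non-identity and dynamic cases.
SAMPLE_CONFIG = """\
object network obj-1.0.0.36_32
 host 1.0.0.36
object network obj-10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network obj-192.0.2.0_24
 subnet 192.0.2.0 255.255.255.0
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 no-proxy-arp
nat (inside,dmz) source static obj-10.0.0.0_24 obj-10.0.0.0_24 destination static obj-192.0.2.0_24 obj-192.0.2.0_24 route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0_24 interface
nat (dmz,outside) source static obj-192.0.2.0_24 obj-1.0.0.36_32
"""

# Twice-NAT "source static" syntax as it appears in the thread:
#   nat (real_ifc,mapped_ifc) [line] source static REAL MAPPED
#       [destination static MAPPED REAL] [keywords ...]
# Everything after the object pairs (no-proxy-arp, route-lookup, ...) lands in "rest".
NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)"
    r"(?:\s+(?P<line>\d+))?"
    r"\s+source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?:\s+destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?P<rest>.*)$"
)


def is_identity_nat(line):
    """True for a twice-NAT rule whose source (and destination, if any)
    objects map to themselves, i.e. a NAT-exempt / former 'nat 0' rule."""
    m = NAT_RE.match(line.strip())
    if not m:
        return False
    g = m.groupdict()
    same_src = g["src_real"] == g["src_mapped"]
    same_dst = g["dst_mapped"] is None or g["dst_mapped"] == g["dst_real"]
    return same_src and same_dst


def has_no_proxy_arp(line):
    """True if the rule already carries the no-proxy-arp keyword."""
    m = NAT_RE.match(line.strip())
    return bool(m) and "no-proxy-arp" in m.group("rest").split()


def add_no_proxy_arp(line):
    """Return the rule with no-proxy-arp inserted right after the object
    pairs, ahead of any trailing keywords such as route-lookup. This keyword
    order is assumed from the rule posted in the thread; it is not validated
    against an ASA parser."""
    line = line.strip()
    m = NAT_RE.match(line)
    if not m:
        raise ValueError("not a twice-NAT source static rule: %r" % line)
    trailing = m.group("rest").split()
    if "no-proxy-arp" in trailing:
        return line
    head = line[: m.start("rest")]
    return " ".join([head, "no-proxy-arp"] + trailing)


def audit_identity_nat(config):
    """Scan a running-config and return (line number, original, fixed) for
    every identity NAT rule that still lacks no-proxy-arp."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        if is_identity_nat(raw) and not has_no_proxy_arp(raw):
            findings.append((lineno, raw.strip(), add_no_proxy_arp(raw)))
    return findings


if __name__ == "__main__":
    for lineno, original, fixed in audit_identity_nat(SAMPLE_CONFIG):
        print("line %d lacks no-proxy-arp:" % lineno)
        print("  current: " + original)
        print("  suggest: " + fixed)
```

On the sample config only the (inside,dmz) rule is reported; the (inside,outside) identity rule already has the keyword, the dynamic rule is not twice-NAT source static, and the (dmz,outside) rule maps one object to a different one, where proxy ARP for the mapped address is usually what you want. The lint is a pre-upgrade check for the ARP symptom in this thread; it has nothing to do with the IKE advisory itself, for which the only fix is the updated software.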


More information about the NANOG mailing list