Million CISCO ASA Firewalls potentially vulnerable to attacks

A flaw in Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

It’s a bad period for IT manufacturers, recently the security community has discovered serious and anomalous  vulnerabilities affecting popular products like Juniper equipment and Fortinet Forti OS firewalls.

Now, it is now the turn of Cisco, the product line Cisco ASA firewall, a family of devices that is offered for sale as an appliance, blades or even virtual systems.

The Cisco ASA Adaptive Security Appliance is an IP router that acts as an application-aware firewall, network antivirus, intrusion prevention system, and virtual private network (VPN) server.

The part of this that is most pressing is that Cisco claims that there are over a million of these deployed.

Security experts David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence have discovered a critical buffer overflow vulnerability (CVE-2016-1287) that received a CVSS (Common Vulnerability Scoring System) score of 10.

“The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data. A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices.” is the summary published by Exodus Intel.

It is quite easy for an attacker to exploit the vulnerability in CISCO ASA by sending crafted UDP packets to the vulnerable system. An exploit could allow the attacker to obtain full control of the system

The impact is serious considering that over a million of CISCO ASA firewall has been already deployed worldwide.

“A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the Advisory published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”

Which are the affected devices?

The Cisco ASA Software running on the following products may be affected by this vulnerability:

Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance

If you have one of them patch it as soon as possible.

Pierluigi Paganini

(Security Affairs – Cisco ASA firewall, hacking)