Severe Vulnerability Affects Cisco ASA VPN Server Equipment


Attackers can take over Cisco firewalls and VPN servers. Cisco has released urgent security patches for a vulnerability in some of its firewall equipment that runs several versions of the Cisco Adaptive Security Appliance (ASA) software.

As Cisco describes it, ASA is the core operating system for the Cisco ASA family of devices that provide enterprise-class firewall capabilities for corporate networks and data centers of all sizes. ASA devices are high-end firewalls that protect sensitive information in corporate environments and at ISP levels.

ASA equipment can also work as a network antivirus, intrusion prevention system, and virtual private network (VPN) server.

Cisco ASA devices configured as VPNs are vulnerable to attacks

Cisco says that some of these ASA devices are vulnerable to an issue in the Internet Key Exchange (IKE) protocol, versions 1 and 2. IKE is the key-management protocol used together with IPsec, the secure version of IP (Internet Protocol), a core protocol for Internet communications.

Cisco says that attackers can craft a malicious UDP packet, send it to an ASA device, and trigger a buffer overflow. Attackers could then exploit this buffer overflow (memory corruption) issue to restart the device or (more importantly) execute rogue code and take control of the equipment.

The vulnerability, tracked as CVE-2016-1287 and possessing a severity score of 10 out of 10, can be exploited both via IPv4 and IPv6. The only condition is that the ASA device is configured to work as a VPN and that the malicious traffic is sent from a location outside the company’s network.

Over 5.8 million devices with open IKE ports are available online

Since a VPN server must be reachable from the Internet to be useful, every ASA device configured as a VPN server in a production environment is exposed to this attack and can be exploited.

John Matherly, Shodan’s founder, ran a quick scan for equipment with Internet-accessible IKE ports (UDP 500 and 4500) and found over 5.87 million exposed devices, 3.48 million of which have port 500 open. Not all of these are ASA devices, but Cisco is a market leader in networking equipment, and even a 25% or 50% market share would still leave an enormous number of devices open to attack.

Cisco says that the following ASA families are vulnerable to the exploit: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 9300 ASA Security Module, and Cisco ISA 3000 Industrial Security Appliance. The company has issued patches for all affected device families.

Attackers are currently scanning for vulnerable ASA devices

David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence discovered the vulnerability and also penned a technical write-up so that network admins can understand what’s going on during an attack.

Security researchers from the SANS Institute are reporting a spike in scans for Cisco ASA equipment on port 500. The same researchers provided a way for network admins to test their equipment.

Cisco equipment administrators can run the following command to test their device. If the command returns a crypto map bound to an interface, the device is affected, and admins should download the patches from Cisco’s website.

show running-config crypto map | include interface
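As an added example (not part of the article, and not Cisco's own tooling), the script below applies the same check to a saved copy of a device's running configuration, so an administrator can triage many exported configs at once. The configuration text, interface names and peer address are constructed for illustration; the "crypto ikev1/ikev2 enable" lines are the ASA commands that turn on the IKE listener and are included as a second signal.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" output from a hypothetical ASA.
# Interface names, the crypto map name and the peer address are invented.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# "crypto map <name> interface <ifname>" is what the article's
# "show running-config crypto map | include interface" check looks for.
CRYPTO_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
# "crypto ikev1|ikev2|isakmp enable <ifname>" enables the IKE listener (UDP/500, 4500).
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2|isakmp) enable (\S+)\s*$", re.M)


def crypto_map_interfaces(config: str) -> Dict[str, str]:
    """Return {interface: crypto map name} for every crypto map bound to an interface."""
    return {iface: name for name, iface in CRYPTO_MAP_IFACE.findall(config)}


def ike_enabled_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface: [ike versions]} for interfaces with an IKE listener enabled."""
    out: Dict[str, List[str]] = {}
    for version, iface in IKE_ENABLE.findall(config):
        out.setdefault(iface, []).append(version)
    return out


def assess_ike_exposure(config: str) -> List[str]:
    """One finding per interface carrying a crypto map (the article's test), annotated
    with the IKE versions enabled there; an empty list means the check passed."""
    ike = ike_enabled_interfaces(config)
    findings = []
    for iface, name in crypto_map_interfaces(config).items():
        versions = ",".join(sorted(ike.get(iface, []))) or "none found"
        findings.append(f"{iface}: crypto map {name} bound, IKE enabled: {versions}")
    return findings
```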

Figure: IKE ports open on the Internet