Blog: How Tos

Cisco ASA Remote Code Execution – Buffer Overflow in IKE code

Ken Munro 16 Feb 2016

Cisco has published an advisory for a buffer overflow in the IKEv1 and IKEv2 handling code of Cisco ASA devices (CVE-2016-1287, in the code that reassembles fragmented IKE packets).

This means that the standard configuration of a great number of border firewalls puts them at risk of compromise: any ASA terminating a VPN listens for IKE on UDP/500 (and UDP/4500 for NAT-T) from anywhere on the Internet, and the advisory describes the attacker as unauthenticated, so nothing more than the ability to send UDP to the outside interface is needed to reach the vulnerable code. The only question now is how long it will take for exploit code to be developed.

The relevant portion of the advisory is:
“An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”

It is also the case that a lot of organisations do not have active support contracts on their ASAs and thus will not be able to obtain the patched firmware.

What can you do?

This looks to be extremely serious – if you can, patch as described here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

If you can’t immediately patch, then we suggest the workaround described here:
http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation

The latter solution is a control-plane ACL on the outside interface that drops all IKE traffic (UDP/500 and UDP/4500) unless it comes from a known VPN peer. It is a mitigation, not a fix: it only works where every legitimate peer has a predictable source address, so it cannot protect an ASA that terminates remote-access VPN sessions from arbitrary client addresses, and a packet with a spoofed or compromised peer address would still reach the vulnerable code.
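As an added illustration of that workaround (this is not configuration from the original post or from the linked article), the following is a control-plane ACL that restricts to-the-box IKE traffic on an ASA to known site-to-site peers. The ACL name, interface name and peer addresses are hypothetical; the peers use RFC 5737 documentation addresses and must be replaced with your own.

```cisco
! Added example: restrict to-the-box IKE on an ASA to known peers.
! IKE-PEERS, "outside" and the peer addresses below are hypothetical.
!
! 1. Permit IKE (UDP/500) and IKE NAT-T (UDP/4500) only from each known peer.
access-list IKE-PEERS extended permit udp host 203.0.113.10 any eq isakmp
access-list IKE-PEERS extended permit udp host 203.0.113.10 any eq 4500
access-list IKE-PEERS extended permit udp host 198.51.100.22 any eq isakmp
access-list IKE-PEERS extended permit udp host 198.51.100.22 any eq 4500
!
! 2. Drop IKE from everyone else; log it so probing sources are visible.
access-list IKE-PEERS extended deny udp any any eq isakmp log
access-list IKE-PEERS extended deny udp any any eq 4500 log
!
! 3. A control-plane ACL ends in an implicit deny for ALL traffic destined
!    to the box, so everything else (management, routing protocols and so on)
!    must be re-permitted explicitly.
access-list IKE-PEERS extended permit ip any any
!
! 4. Apply it to traffic addressed to the outside interface itself. This needs
!    an ASA release that supports the control-plane keyword (to-the-box ACLs);
!    an older release rejects the command, and the ACL then protects nothing.
access-group IKE-PEERS in interface outside control-plane
!
! Verification (exec mode): hit counts on the two deny lines show how much
! unsolicited IKE the outside interface was receiving before the ACL.
show access-list IKE-PEERS
```

Before applying this, confirm that the ASA does not also terminate remote-access VPN (for example IKEv2 clients connecting from arbitrary addresses), because those sessions will stop working. Add a new peer to the ACL before its tunnel is brought up, and keep the ACL in place until the patched release is installed.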

Because ASA devices are so widely deployed, this has the potential to be a huge problem if exploit code becomes widely available.