Urgent security patches ended up issued by Cisco to fix a vulnerability in some of its firewall equipment that use versions of its Adaptive Security Appliance (ASA) software.
ASA is the core operating system for the Cisco devices that provide enterprise-class firewall capabilities for corporate networks and data centers.
ASA devices are high-end firewalls that protect sensitive information in corporate environments and at ISP levels.
ASA equipment can also work as a network antivirus, intrusion prevention system, and virtual private network (VPN) server.
Some of the ASA devices are vulnerable to an issue in the Internet Key Exchange (IKE) protocol, versions 1 and 2.
IKE is a key protocol used together with the IPsec, which is the secure version of IP (Internet Protocol), a core protocol for Internet communications.
IKE and IPsec are basic protocols that underpin VPN technology. Cisco said the flaw is in the VPN key exchange process.
Cisco said attackers can craft a malicious UDP packet, send it to an ASA device, and trigger a buffer overflow. Attackers could then exploit this buffer overflow (memory corruption) issue to restart the device or (more importantly) execute rogue code and take control of the equipment.
The vulnerability, tracked as CVE-2016-1287 and possessing a severity score of 10 out of 10, can end up exploited via IPv4 and IPv6. The only condition is the ASA device should end up configured to work as a VPN and the malicious traffic comes from a location outside the company’s network.
Since all VPNs must connect to the Internet to be useful, this means all ASA devices configured as VPN servers in production environments are vulnerable.
John Matherly, Shodan’s founder, ran a quick scan for equipment with Internet-accessible IKE ports (500 and 4500) and found over 5.87 million exposed devices, of which 3.48 million are running on port 500. That is not to say all of the devices are ASA-enabled.
The following ASA families are vulnerable: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 9300 ASA Security Module, and Cisco ISA 3000 Industrial Security Appliance.
The company has issued patches for all affected devices.
David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence discovered the vulnerability and also issued a technical report.