Vulnerability Note VU#327976
Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2 contains a buffer overflow vulnerability
Cisco Adaptive Security Appliance (ASA) Internet Key Exchange versions 1 and 2 (IKEv1 and IKEv2) contains a buffer overflow vulnerability that may be leveraged to gain remote code execution.
CWE-119: Improper Restriction of Operations within the Bound of a Memory Buffer - CVE-2016-1287
According to the advisory by Exodus Intelligence:
Systems that are configured to terminate IKEv1 and IKEv2 VPN connections are vulnerable to exploitation. The Cisco security advisory describes how to determine if a system is configured in a vulnerable manner by checking the running crypto maps.
By sending specially crafted UDP packets directly to affected devices, a remote, unauthenticated attacker may be able to execute arbitrary code and gain full control of affected systems.
Apply an update
Detect and filter malicious packets
Network administrators may consider implementing rules to detect or block attacks.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco||Affected||-||11 Feb 2016|
CVSS Metrics (Learn More)
Cisco credits David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2016-1287
- Date Public: 11 Feb 2016
- Date First Published: 11 Feb 2016
- Date Last Updated: 16 Feb 2016
- Document Revision: 13
If you have feedback, comments, or additional information about this vulnerability, please send us email.