On February 10, Cisco Systems published a vulnerability relating to the VPN function in the Cisco ASA software. This vulnerability is listed as CVE-2016-1287 and relates to the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) function of the ASA.

With this vulnerability, a remote attacker could send a crafted User Datagram Protocol (UDP) packet to an affected device and cause a reload of the system – or even worse – remote code execution to gain full control of the system.

Here’s a list of the affected products:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

If you use any of the above-listed products to terminate LAN-to-LAN or remote access VPN connections, you are probably affected by this vulnerability. To verify, issue the show running-config crypto map | include interface command on the firewall. This will display any interfaces that have IKEv1 or IKEv2 enabled.

Here’s the output of a system that is vulnerable.

ciscoasa# show running-config crypto map | include interface

crypto map outside_map interface outside

The first line is running the command on the firewall and the second line shows us that there is a VPN configured on the outside interface of the ASA, so this system is now vulnerable to anyone on the Internet.

Cisco is making the fixed software available to any affected customer free of charge and the table below can help you see what the migration path might look like to remedy the issue:

Table of Affected Software versions with their fixes

Cisco ASA Major Release: First Fixed Release:
7.21 Affected; migrate to 9.1(7) or later
8.21 Affected; migrate to 9.1(7) or later
8.31 Affected; migrate to 9.1(7) or later
8.4 8.4(7.30)
8.51 Not affected
8.61 Affected; migrate to 9.1(7) or later
8.7 8.7(1.18)
9.0 9.0(4.38)
9.1 9.1(7)
9.2 9.2(4.5)
9.3 9.3(3.7)
9.4 9.4(2.4)
9.5 9.5(2.2)

1Cisco ASA Software releases 7.2, 8.2, 8.3, 8.5, and 8.6 have reached End of Software Maintenance. Customers should migrate to a supported release.

Let’s take a moment to bring this all together. Cisco has rated this vulnerability as critical and it can be exploded remotely, so it is very serious. There is no workaround and almost every version of code on the platforms is vulnerable, so you need to upgrade.

If you haven’t already applied the fixed version(s) of the software to your devices, you should be putting a plan in place to make it happen, because shortly after publishing to vulnerability, the SANS Internet Storm Center reported a large increase in traffic relating to this type attack.

For more from Cisco, click here or check out a deeper analysis of the issue by Exodus Intelligence.

At any point, if you have questions or need assistance, CDW is here to help. We have industry experts that work with these products day-in and day-out who can provide you with best-in-class assistance. Feel free to leave a comment below or contact your account manager for more details.