Buffer Overflow Vulnerability in Cisco ASA Software Products Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER: 2016-031
A buffer overflow vulnerability has been discovered in Cisco ASA Adaptive Security Appliances. Successful exploitation could allow an unauthenticated user to take control of the affected system and perform unauthorized actions.
Exploit details have been publicly disclosed. There are currently no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
RISK:
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
TECHNICAL SUMMARY:
The IKEv1 and IKEv2 implementations in Cisco ASA Software are prone to a buffer overflow vulnerability that could allow an unauthenticated user to cause a reload of the affected system or to remotely execute code. The algorithm for reassembling Internet Key Exchange (IKE) payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed by specially crafted UDP packets.
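The summary above describes the flaw only as a bounds-checking error in fragment reassembly. The following is an added example, written for this advisory and not taken from Cisco's ASA or IKE code, of the checks a fragment reassembler must perform before copying fragment data into a fixed-size buffer. The fragment layout, the `REASM_MAX_PAYLOAD` limit, and all function names are assumptions; the fragments fed to the demo functions are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed reassembler; not Cisco's IKE fragmentation code. */
#define REASM_MAX_PAYLOAD 4096   /* assumed maximum reassembled payload size */

struct reasm_ctx {
    uint8_t buf[REASM_MAX_PAYLOAD];
    uint8_t seen[REASM_MAX_PAYLOAD];  /* 1 once a byte offset has been filled */
    size_t  total_len;                /* total length agreed by fragments, 0 = not yet known */
    size_t  filled;                   /* bytes received so far */
};

/* A parsed fragment header (assumed layout; the real wire format is not on the page). */
struct fragment {
    uint32_t total_len;   /* sender's claim of the full payload length */
    uint32_t offset;      /* where this fragment's data goes in the payload */
    uint32_t len;         /* length of this fragment's data */
    const uint8_t *data;
};

enum reasm_status { REASM_OK = 0, REASM_DONE = 1, REASM_REJECT = -1 };

void reasm_init(struct reasm_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

enum reasm_status reasm_add(struct reasm_ctx *ctx, const struct fragment *f) {
    /* 1. The sender-supplied total must fit the buffer we actually allocated.
     *    Trusting this value without comparing it to the allocation is the
     *    classic reassembly mistake. */
    if (f->total_len == 0 || f->total_len > REASM_MAX_PAYLOAD)
        return REASM_REJECT;

    /* 2. Every fragment of a message must agree on the total length. */
    if (ctx->total_len == 0)
        ctx->total_len = f->total_len;
    else if (ctx->total_len != f->total_len)
        return REASM_REJECT;

    /* 3. offset + len must neither wrap nor exceed total_len. Checking only
     *    'offset < total_len' is insufficient: a large 'len' would still copy
     *    past the end of the buffer. Written as a subtraction so it cannot wrap. */
    if (f->len == 0 || f->offset > ctx->total_len ||
        f->len > ctx->total_len - f->offset)
        return REASM_REJECT;

    /* 4. Overlapping fragments are rejected instead of silently overwritten. */
    for (uint32_t i = 0; i < f->len; i++)
        if (ctx->seen[f->offset + i])
            return REASM_REJECT;

    memcpy(ctx->buf + f->offset, f->data, f->len);
    memset(ctx->seen + f->offset, 1, f->len);
    ctx->filled += f->len;
    return ctx->filled == ctx->total_len ? REASM_DONE : REASM_OK;
}

/* Feeds a fragment list through the reassembler and returns the final status. */
enum reasm_status reasm_run(const struct fragment *frags, size_t n, struct reasm_ctx *ctx) {
    reasm_init(ctx);
    enum reasm_status st = REASM_OK;
    for (size_t i = 0; i < n; i++) {
        st = reasm_add(ctx, &frags[i]);
        if (st != REASM_OK)
            return st;
    }
    return st;
}

/* Constructed sample data. */
static const uint8_t sample_a[4] = {1, 2, 3, 4};
static const uint8_t sample_b[4] = {5, 6, 7, 8};

int demo_good(void) {                 /* two fragments that exactly fill 8 bytes */
    struct fragment frags[2] = { {8, 0, 4, sample_a}, {8, 4, 4, sample_b} };
    struct reasm_ctx ctx;
    return reasm_run(frags, 2, &ctx); /* REASM_DONE */
}

int demo_oversized(void) {            /* offset + len runs past the claimed total */
    struct fragment frags[1] = { {8, 6, 4, sample_a} };
    struct reasm_ctx ctx;
    return reasm_run(frags, 1, &ctx); /* REASM_REJECT */
}

int demo_wrap(void) {                 /* offset chosen so offset + len wraps around */
    struct fragment frags[1] = { {8, 0xFFFFFFFFu, 4, sample_a} };
    struct reasm_ctx ctx;
    return reasm_run(frags, 1, &ctx); /* REASM_REJECT */
}

int demo_overlap(void) {              /* second fragment overlaps the first */
    struct fragment frags[2] = { {8, 0, 4, sample_a}, {8, 2, 4, sample_b} };
    struct reasm_ctx ctx;
    return reasm_run(frags, 2, &ctx); /* REASM_REJECT */
}
```

The point of the example is step 3: the bound is computed as `total_len - offset` after `offset` has already been confirmed not to exceed `total_len`, so no addition of attacker-controlled lengths can wrap and the copy can never leave the buffer. Steps 1 and 2 prevent a later fragment from enlarging the claimed total after the buffer has been sized.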
RECOMMENDATIONS:
We recommend the following actions be taken:
- Install updates provided by Cisco immediately after appropriate testing.
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- Monitor intrusion detection systems for any signs of anomalous activity.
- Unless required, limit external network access to affected products.