Is a control-plane ACL to limit isakmp traffic (UDP/500) to an affected ASA from desired sources enough to mitigate this attack, until upgrades can be performed?
Regards,
Andrew Ashley

-----Original Message-----
From: NANOG <nanog-bounces+andrew.a=aware.co...@nanog.org> on behalf of Adrian M <adrian.mi...@gmail.com>
Date: Thursday, 11 February 2016 at 15:53
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

>Be careful, it appears that something is broken with ARP on this release.
>We have no ARP on the LAN interface, and somebody else has a similar problem:
>https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
>On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <li...@sadiqs.com> wrote:
>
>> Update your ASAs folks, this is a critical one.
>>
>> -------- Forwarded Message --------
>> Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>> Date: Wed, 10 Feb 2016 08:06:51 -0800
>> From: Cisco Systems Product Security Incident Response Team <ps...@cisco.com>
>> Reply-To: ps...@cisco.com
>> To: cisco-...@puck.nether.net
>> CC: ps...@cisco.com
>>
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
>>
>> Revision 1.0
>>
>> For Public Release 2016 February 10 16:00 GMT (UTC)
>>
>> +---------------------------------------------------------------------
>>
>> Summary
>> =======
>>
>> A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
>>
>> The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
>>
>> Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
>>
>> Cisco has released software updates that address this vulnerability. This advisory is available at the following link:
>>
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-...@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
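An added illustration (not configuration from the thread or from Cisco) of the control-plane ACL Andrew asks about, restricting to-the-box IKE on the outside interface to known peers. The interface name, the ACL and object-group names and the peer addresses are assumptions, and the addresses are documentation-range placeholders.

```cisco
! Constructed example: the site-to-site peers that are allowed to talk IKE to this ASA
object-group network VPN_PEERS
 network-object host 203.0.113.10
 network-object host 198.51.100.20
!
! IKEv1/IKEv2 listen on UDP/500 (isakmp); NAT-T moves IKE and ESP to UDP/4500,
! so both ports must be restricted or the mitigation is incomplete.
! "any" matches IPv4 and IPv6 on ASA 9.x, which matters because the advisory
! says both address families can trigger the bug.
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS any eq isakmp
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS any eq 4500
access-list OUTSIDE_CP extended deny   udp any any eq isakmp
access-list OUTSIDE_CP extended deny   udp any any eq 4500
! A control-plane ACL ends in an implicit deny for all to-the-box traffic,
! so other traffic the ASA itself must accept (management, routing) needs
! explicit permits; this example keeps it simple and permits the rest.
access-list OUTSIDE_CP extended permit ip any any
!
! "control-plane" makes this an ACL for traffic addressed TO the ASA,
! not for traffic passing through it.
access-group OUTSIDE_CP in interface outside control-plane
!
! Checks: the ACL is only meaningful on interfaces where IKE is enabled,
! and the deny hit counts show whether unsolicited IKE is actually arriving.
show running-config crypto | include enable
show access-list OUTSIDE_CP
```

Because IKE runs over UDP, a packet whose source is spoofed to match a permitted peer still reaches the vulnerable code, and remote-access clients with dynamic addresses cannot be listed this way; the ACL narrows exposure until the fixed release is installed but does not remove the vulnerability.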