Cisco security kit wide-open to IKE bug

Patch it now and don't wait: Cisco has announced that a bunch of its Adaptive Security Appliance (ASA) products are vulnerable to a remote code execution bug. The problem is in how the ASA products reassemble fragmented Internet Key Exchange (IKE) payloads. Cisco's implementation of the fragmentation protocol has a bounds- …

  1. hmmm

    This should have greater prominence

    CVSS score of 10, unauthenticated, remote exploit for a feature typically used by Enterprise customers with slow change management cycles - this is one of the worst corporate security bugs I've seen in years, particularly as the finders have published a very detailed description of their findings complete with shellcode.

    1. Anonymous Coward

      Re: This should have greater prominence

      Just to re-iterate how scary this is:

      someone can establish a command shell to your ASA and potentially make configuration changes IF you have IKEv1/v2 enabled AND an ACL that allows udp/500 or udp/4500, i.e. if you are using the ASA for site-to-site VPN tunnels or Cisco VPN client remote access or AnyConnect remote access using IKE.

      Details:

      https://blog.exodusintel.com/2016/01/26/firewall-hacking/
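As an added triage helper (not from the thread or from Cisco), the Python below reads an ASA running-config and reports which interfaces have IKE enabled and whether the inbound ACL bound there permits UDP 500/4500, the two exposure conditions the comment above lists. The config fragment, the `ike_exposure` function name and the ACL name are constructed for this example.

```python
import re

# Constructed ASA config fragment (not from the article): IKEv1/v2 enabled on
# "outside" only, with an inbound ACL on that interface permitting UDP 500/4500.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# ASA names port 500 "isakmp" in ACLs; NAT-T uses 4500.
IKE_PORTS = {"500", "isakmp", "4500"}

# "crypto isakmp enable <iface>" is the pre-8.4 spelling of IKEv1 enablement,
# relevant to the 8.2.x installs mentioned further down the thread.
IKE_ENABLE_RE = re.compile(r"crypto (isakmp|ikev[12]) enable (\S+)")
ACL_PERMIT_RE = re.compile(r"access-list (\S+) extended permit udp .* eq (\S+)$")
ACL_BIND_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def ike_exposure(config: str) -> dict:
    """Map each interface with IKE enabled to the IKE versions enabled there and
    whether its inbound ACL permits UDP 500/4500 from anywhere."""
    ike_ifaces: dict = {}    # interface -> list of IKE keywords enabled
    acl_permits: dict = {}   # ACL name -> True if it permits udp to an IKE port
    acl_binding: dict = {}   # interface -> ACL name applied inbound
    for raw in config.splitlines():
        line = raw.strip()
        if m := IKE_ENABLE_RE.match(line):
            ike_ifaces.setdefault(m.group(2), []).append(m.group(1))
        elif (m := ACL_PERMIT_RE.match(line)) and m.group(2) in IKE_PORTS:
            acl_permits[m.group(1)] = True
        elif m := ACL_BIND_RE.match(line):
            acl_binding[m.group(2)] = m.group(1)
    return {
        iface: {
            "ike": sorted(versions),
            "acl_permits_ike": acl_permits.get(acl_binding.get(iface), False),
        }
        for iface, versions in ike_ifaces.items()
    }
```

Treat any interface that appears in the result as exposed: interface ACLs on ASA do not filter traffic addressed to the appliance itself, so the ACL column is context for the comment's framing rather than a gate on the bug.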

    2. Tarxien

      Re: This should have greater prominence

      Agreed. There's an awful lot of people out there stuck on 8.2.5 who will either:

      1. Need hardware upgrades to get to a fixed version

      2. Will be scared of going post 8.3 for fear of breaking stuff

      3. Both

  2. Giles C

    There is a fix out there that has been published by one company. Do not apply it. I spent 8 hours yesterday rebuilding a firewall that had the fix applied. It is so bad it broke Cisco TAC, i.e. 4 hour wait for a P1 incident due to the number of firewalls that it had bricked.

  3. Anonymous Coward

    it's IKE all over

    Just got updated by two vendors (coincidentally in the same product space) that have been nailed this week. Why isn't this being pushed more in the industry rags? Scanning on port 500 is up, our vendors seem to be slack in patching and are getting hacked... why is everything so quiet on this? Ideas on a postcard please.

    Anon, coz the boss reads this.
