[187578] in North American Network Operators' Group


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and

daemon@ATHENA.MIT.EDU (Andrew (Andy) Ashley)
Thu Feb 11 12:25:38 2016

From: "Andrew (Andy) Ashley" <andrew.a@aware.co.th>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 11 Feb 2016 14:35:51 +0000


Is a control-plane ACL to limit isakmp traffic (UDP/500) to an affected ASA from desired sources enough to mitigate this attack, until upgrades can be performed?

Regards,

Andrew Ashley




-----Original Message-----
From: NANOG <nanog-bounces+andrew.a=aware.co.th@nanog.org> on behalf of Adrian M <adrian.minta@gmail.com>
Date: Thursday, 11 February 2016 at 15:53
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

>Be careful, it appears that something is broken with ARP on this release.
>We have no ARP on the LAN interface, and somebody else has a similar problem:
>https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/
>
>
>
>On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <lists@sadiqs.com> wrote:
>
>> Update your ASAs, folks, this is a critical one.
>>
>>
>> -------- Forwarded Message --------
>> Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
>> IKEv2 Buffer Overflow Vulnerability
>> Date: Wed, 10 Feb 2016 08:06:51 -0800
>> From: Cisco Systems Product Security Incident Response Team
>> <psirt@cisco.com>
>> Reply-To: psirt@cisco.com
>> To: cisco-nsp@puck.nether.net
>> CC: psirt@cisco.com
>>
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
>>
>> Revision 1.0
>>
>> For Public Release 2016 February 10 16:00  GMT (UTC)
>>
>> +---------------------------------------------------------------------
>>
>>
>> Summary
>> =======
>>
>> A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and
>> IKE version 2 (v2) code of Cisco ASA Software could allow an
>> unauthenticated, remote attacker to cause a reload of the affected
>> system or to remotely execute code.
>>
>> The vulnerability is due to a buffer overflow in the affected code area.
>> An attacker could exploit this vulnerability by sending crafted UDP
>> packets to the affected system. An exploit could allow the attacker to
>> execute arbitrary code and obtain full control of the system or to cause
>> a reload of the affected system.
>>
>> Note: Only traffic directed to the affected system can be used to
>> exploit this vulnerability. This vulnerability affects systems
>> configured in routed firewall mode only and in single or multiple
>> context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
>>
>> Cisco has released software updates that address this vulnerability.
>> This advisory is available at the following link:
>>
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
>>