[187586] in North American Network Operators' Group
Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
daemon@ATHENA.MIT.EDU (Marco Teixeira)
Fri Feb 12 04:34:58 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <20160211180608.GC15156@DOIT-2NW1MRFY-X.doit.wisc.edu>
From: Marco Teixeira <admin@marcoteixeira.com>
Date: Fri, 12 Feb 2016 09:34:15 +0000
To: "Dale W. Carder" <dwcarder@wisc.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Hi,
First, understand how it's done, then maybe you can think of something.
https://blog.exodusintel.com/2016/02/10/firewall-hacking/
If you are stopping IKE with ACL's, you probably need to address NAT-T as
well (udp:4500).
But if you are doing that, you probably don't need IKE active at the ASA,
so just disabling it altogether will probably do the trick.
---
Best regards
Marco Teixeira
---
On Thu, Feb 11, 2016 at 6:06 PM, Dale W. Carder <dwcarder@wisc.edu> wrote:
> Thus spake Andrew (Andy) Ashley (andrew.a@aware.co.th) on Thu, Feb 11,
> 2016 at 02:35:51PM +0000:
> > Is a control-plane ACL to limit isakmp traffic (UDP/500) to an affected
> > ASA from desired sources enough to mitigate this attack, until upgrades can
> > be performed?
>
> It's worth noting that it is not listed as a workaround (they typically use
> branding like "infrastructure acl's" or some such) to mitigate it on the
> affected box. Upstream, yes that would seem to be intuitive.
>
> Perhaps because you are corrupting the heap with fragments you are
> outside of where the ACL is applied?
>
> Dale
>
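As an added illustration, not from the thread or from Cisco: an ASA configuration sketch of the two mitigations Marco describes, a to-the-box ACL that covers NAT-T (udp/4500) as well as isakmp (udp/500), and simply disabling IKE on the interface. The peer address 203.0.113.10, the ASA outside address 198.51.100.1 and the interface name "outside" are assumed placeholders.

```cisco
! Assumed placeholders: 203.0.113.10 = the only VPN peer that should reach
! this ASA, 198.51.100.1 = the ASA's outside address, "outside" = the interface.
!
! Weak: only isakmp (udp/500) is restricted; NAT-T (udp/4500) stays open to
! anyone and also carries IKE.
access-list CP-IKE-WEAK extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list CP-IKE-WEAK extended deny udp any host 198.51.100.1 eq isakmp
access-list CP-IKE-WEAK extended permit ip any any
!
! Corrected: restrict both udp/500 and udp/4500 to the intended peer.
access-list CP-IKE extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list CP-IKE extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list CP-IKE extended deny udp any host 198.51.100.1 eq isakmp
access-list CP-IKE extended deny udp any host 198.51.100.1 eq 4500
access-list CP-IKE extended permit ip any any
! "control-plane" applies the ACL to traffic addressed to the ASA itself,
! not to traffic passing through it.
access-group CP-IKE in interface outside control-plane
!
! If no IPsec peers terminate on this interface at all, turn IKE off there
! instead of filtering it:
no crypto ikev1 enable outside
no crypto ikev2 enable outside
```

As Dale notes above, Cisco's advisory does not list an on-box ACL as a workaround, so treat it as defence in depth alongside upstream filtering and the upgrade rather than as the fix.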