Several Cisco Adaptive Security Appliance (ASA) products – appliances, firewalls, switches, routers, and security modules – have been found sporting a flaw that can ultimately lead to remote code execution by attackers.
The vulnerability (CVE-2016-1287) is critical, as it can be exploited by an unauthenticated, remote attacker by sending crafted UDP packets to the affected system.
Cisco ASA Software is affected if the system is configured to terminate Internet Key Exchange (IKE) v1 or IKE v2 VPN connections, but not if the system is configured only to terminate Clientless SSL and AnyConnect SSL VPN connections.
A full list of affected products can be found in this security advisory, and includes Cisco ASA 5500-X Series Next-Generation Firewalls and Cisco ISA 3000 Industrial Security Appliances.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the company pointed out.
SANS ISC CTO Johannes Ullrich says that the exploit would likely arrive over UDP port 500 or possibly 4500, and that they are seeing a large increase in port 500/UDP traffic.
Luckily, Cisco has released patched firmware for affected devices, and admins are advised to patch them as soon as possible, as there are no workarounds available.
“To determine whether the Cisco ASA is configured to terminate IKEv1 or IKEv2 VPN connections, a crypto map must be configured for at least one interface. Administrators should use the show running-config crypto map | include interface command and verify that it returns output,” the company helpfully explained.
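The check Cisco describes can be applied offline to a saved copy of the running configuration, for example when triaging many appliances at once. The following Python is an added example, not Cisco's or the article's code; the configuration text is constructed, and the `crypto ikev1/ikev2 enable` lines are checked as an extra confirmation beyond the advisory's own `crypto map ... interface` test.

```python
import re
from typing import Dict, List

# Constructed sample of ASA "show running-config" output (not from the article).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.7
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
webvpn
 enable outside
"""

# "crypto map <name> interface <nameif>" is the line the advisory check looks for.
CRYPTO_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
# "crypto ikev1|ikev2 enable <nameif>" confirms IKE is actually listening there.
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")


def ike_terminating_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Return {interface: [IKE versions enabled]} for every interface that has a
    crypto map applied, i.e. the condition under which the ASA terminates
    IKEv1/IKEv2 and is exposed to CVE-2016-1287 until patched."""
    mapped = set()
    ike: Dict[str, List[str]] = {}
    for raw in running_config.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_IF.match(line)
        if m:
            mapped.add(m.group(2))
            continue
        m = IKE_ENABLE.match(line)
        if m:
            ike.setdefault(m.group(2), []).append(m.group(1))
    return {iface: sorted(ike.get(iface, [])) for iface in sorted(mapped)}


def is_affected(running_config: str) -> bool:
    """True when at least one interface carries a crypto map (Cisco's criterion)."""
    return bool(ike_terminating_interfaces(running_config))
```

An SSL-VPN-only configuration (webvpn enabled, no crypto map bound to an interface) returns an empty mapping, matching the advisory's statement that such systems are not affected.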
For more technical details about the flaw and its possible exploitation, check out this blog post by the three Exodus Intelligence researchers who unearthed it.