
Cisco ASA CVE-2016-1287 (Q43481) - Detection Method and Confirmed/Potential Vulnerability Reports

Question asked by DMFezzaReed Employee on Feb 16, 2016
Latest reply on Mar 8, 2016 by DMFezzaReed

It would appear Qualys is once again relying on only the detected OS version to report a vulnerability as confirmed, when indeed the vendor, in this case Cisco, has clearly provided a method to confirm the existence of an exploitable risk beyond merely the OS version. If the CVSS Base/Temporal score were less than 4.0, I don't know that I would complain, but in this instance the CVSS Base is 10.0 and CVSS Temporal is 8.3.


Reference:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

https://isc.sans.edu/forums/diary/Critical+Cisco+ASA+IKEv2v2+Vulnerability+Active+Scanning+Detected/20719


SUMMARY: A critical vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. (CVE-2016-1287)


The vulnerability can lead to a complete compromise of the system. A single UDP packet may suffice to exploit the vulnerability; no details about the nature of the vulnerability have been made public yet, but it is recommended to patch SOON. The exploit would likely arrive over UDP port 500 or possibly 4500.


DETECTION:
To test if your device is vulnerable, check the running crypto maps:

ciscoasa# show running-config crypto map | include interface

A product is vulnerable if a crypto map is returned.


WORKAROUND:
There is no workaround, but Cisco has released patched firmware for affected devices.


When Q43481 entered the VulnSig file, it was entered as follows:

The vulnerability entry in KB was updated on 02/12/2016, but the scan results continue to report false positives. 

rlewkowski fjimenez77
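The vendor's detection rule quoted above (vulnerable only if a crypto map is bound to an interface, regardless of OS version) can be applied to a saved running configuration offline. The following is an added example written for this thread; it is not code from the original post, from Qualys, or from Cisco. The hostname, interface names, map names and peer address in the sample configurations are constructed for illustration, and the `show_crypto_map_include_interface` function only emulates the `show running-config crypto map | include interface` filter on text you have already collected from a device.

```python
import re
from typing import List, Tuple

# Constructed sample: relevant lines of an ASA running configuration for a
# hypothetical device. The crypto map is bound to the "outside" interface,
# so the vendor's check would flag it as vulnerable.
SAMPLE_RUNNING_CONFIG = """\
: Saved
hostname ciscoasa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev1 enable outside
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Constructed sample: crypto map entries exist but are never applied to an
# interface. The vendor's check returns nothing, so this is not flagged.
SAMPLE_UNBOUND_CONFIG = """\
hostname ciscoasa
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.5
"""

# A crypto map is applied to an interface with a line of exactly this shape.
CRYPTO_MAP_BINDING = re.compile(r"^crypto map (\S+) interface (\S+)\s*$")


def show_crypto_map_include_interface(running_config: str) -> List[str]:
    """Emulate `show running-config crypto map | include interface`:
    keep the 'crypto map' section, then only lines mentioning 'interface'."""
    section = [ln for ln in running_config.splitlines() if ln.startswith("crypto map ")]
    return [ln for ln in section if "interface" in ln]


def crypto_map_bindings(running_config: str) -> List[Tuple[str, str]]:
    """Return (map_name, interface) for every crypto map bound to an interface."""
    bindings = []
    for ln in show_crypto_map_include_interface(running_config):
        m = CRYPTO_MAP_BINDING.match(ln)
        if m:
            bindings.append((m.group(1), m.group(2)))
    return bindings


def is_vulnerable(running_config: str) -> bool:
    """Vendor rule from the advisory: the product is vulnerable if the
    filtered command returns a crypto map. Version is deliberately not consulted."""
    return bool(crypto_map_bindings(running_config))


def report(hostname: str, running_config: str) -> str:
    """One-line finding suitable for a ticket or a scanner exception request."""
    bindings = crypto_map_bindings(running_config)
    if not bindings:
        return f"{hostname}: no crypto map bound to an interface; not vulnerable per vendor check"
    bound = ", ".join(f"{name} on {iface}" for name, iface in bindings)
    return f"{hostname}: VULNERABLE per vendor check (crypto map {bound}); patch required"


if __name__ == "__main__":
    print(report("ciscoasa-bound", SAMPLE_RUNNING_CONFIG))
    print(report("ciscoasa-unbound", SAMPLE_UNBOUND_CONFIG))
```

Running the script on the two constructed configurations prints one VULNERABLE line and one not-vulnerable line, which is the distinction the post argues a scanner should make instead of relying on the OS version alone. Note that, per the advisory text quoted above, the check is a configuration check, so a device with a bound crypto map is reported vulnerable even if IKE traffic on UDP 500/4500 is filtered upstream; that exposure question is separate from the detection rule.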
