Cisco ASA IKEv1 and IKEv2 Vulnerability

Posted by Garrett Downs

On February 10, 2016, Cisco released CVE 2016-1287/ CWE-119.  This security advisory relates to an issue contained within IKEv1 and IKEv2, which is also known as ISAKMP when configuring IPSec VPN tunnels on the ASA firewall.

This is a substantial security threat and MUST be remediated immediately.  All versions of 5500 ASA's and all code lines are affected.  You are truly ONLY susceptible if you are using IKEv1/2 on your firewall.

To determine if you are vulnerable, logon to your firewall and issue the following command:

show run crypto map | i interface

If anything is returned, you are at risk.  Your next action item is to determine what version of code you are on.

show version

The first line returned should be "Cisco Adaptive Security Appliance Software Version  X.X.X"

If you are on 8.3 or higher, you simply need to perform an upgrade of your code.  If you are on 8.2, you need to convert your configuration to the new format that accounts for the new NAT and ACL rules.  This can be cumbersome.  

For this vulnderability, if you do not have SmartNet Service, you can contact Cisco TAC and they will provide the code version for free.

Note, if you are on an 5505, you must be running with 512 MB of RAM and with the 5510, you must have 1 GB of RAM and the 5520, you must have 2 GB of RAM to upgrade beyond 8.2.  We reccomend that you look at upgrading your physical firewalll.  You've heard of FirePower right?  

Further, we can assist with the transition and upgrades.  Simply let us know by calling us at 844.4.LIVEIT or email at

Additional information:

Affected Products
Affected Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance

Be the first to leave a comment...