Cisco ASA IKEv1 and IKEv2 Vulnerability
Posted by Garrett Downs
On February 10, 2016, Cisco released a security advisory for CVE-2016-1287 (CWE-119). The advisory concerns a flaw in IKEv1 and IKEv2 (also known as ISAKMP), the key-exchange protocols used when configuring IPsec VPN tunnels on the ASA firewall.
This is a substantial security threat and MUST be remediated immediately. All 5500-series ASAs and all code lines are affected. You are truly ONLY susceptible, however, if you are using IKEv1/2 on your firewall.
To determine if you are vulnerable, logon to your firewall and issue the following command:
show run crypto map | i interface
If anything is returned, you are at risk. Your next action item is to determine what version of code you are on: issue show version.
The first line returned should be "Cisco Adaptive Security Appliance Software Version X.X.X".
If you are on 8.3 or higher, you simply need to upgrade your code. If you are on 8.2, you must first convert your configuration to the new format that accounts for the new NAT and ACL rules, which can be cumbersome.
For this vulnerability, if you do not have a SmartNet service contract, you can contact Cisco TAC and they will provide the fixed code version for free.
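As an added example (not part of the original post), here is a small Python triage helper that applies the checks above to captured CLI output. The sample output strings are constructed; the exposure criterion (a crypto map bound to an interface) and the 8.2-versus-8.3 branch follow the post, and the "8.2 or earlier needs conversion" generalization reflects the NAT/ACL format change introduced in 8.3.

```python
import re
from typing import Optional, Tuple

# Constructed sample output of "show run crypto map | i interface":
# a crypto map bound to an interface means IKE is in use.
SAMPLE_CRYPTO_MAP = "crypto map outside_map interface outside\n"

# Constructed first lines of "show version" output.
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 8.2(5)\n"
    "Device Manager Version 6.4(5)\n"
)

VERSION_RE = re.compile(
    r"Cisco Adaptive Security Appliance Software Version (\d+)\.(\d+)"
)


def crypto_map_bound(crypto_map_output: str) -> bool:
    """True if any line binds a crypto map to an interface."""
    return any(
        line.strip().startswith("crypto map") and " interface " in line
        for line in crypto_map_output.splitlines()
    )


def asa_version(show_version_output: str) -> Optional[Tuple[int, int]]:
    """Parse (major, minor) from the first line of 'show version'."""
    m = VERSION_RE.search(show_version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(crypto_map_output: str, show_version_output: str) -> str:
    """Map the two CLI outputs to the remediation path described in the post."""
    if not crypto_map_bound(crypto_map_output):
        return "not exposed: no crypto map bound to an interface"
    ver = asa_version(show_version_output)
    if ver is None:
        return "exposed: version unknown, check 'show version' manually"
    label = f"{ver[0]}.{ver[1]}"
    if ver >= (8, 3):
        return f"exposed on {label}: upgrade to a fixed release"
    # 8.2 and earlier use the pre-8.3 NAT/ACL format; convert first.
    return f"exposed on {label}: convert config (NAT/ACL), then upgrade"


if __name__ == "__main__":
    print(triage(SAMPLE_CRYPTO_MAP, SAMPLE_SHOW_VERSION))
```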
Note: a 5505 must have 512 MB of RAM, a 5510 must have 1 GB, and a 5520 must have 2 GB to upgrade beyond 8.2. We recommend that you look at upgrading your physical firewall. You've heard of FirePower, right?
Further, we can assist with the transition and upgrades. Simply let us know by calling us at 844.4.LIVEIT or emailing firstname.lastname@example.org.