Critical Cisco ASA software vulnerability

A critical DoS/RCE vulnerability, for which no workaround exists, has been found in Cisco ASA software. Patching is the only fix. Please take the time to check whether you are running a vulnerable version and patch as soon as possible.

Description:

Cisco published information about a critical vulnerability in its ASA software running on the devices listed below. Cisco ASA (Adaptive Security Appliance) is an IP router that provides access control to private infrastructure and offers a range of security features. The vulnerability is linked to the VPN connection termination feature.
CVE number: CVE-2016-1287
CVSS score: 10

Affected products:

Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance

Impact:
A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. (Cisco)

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. (Cisco)

Verification:

To check whether you are affected, you can run the following command (provided by Cisco):
show running-config crypto map | include interface
If the command returns any output, it may indicate that you are using the vulnerable features.
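The check above has to be run on every ASA in the estate; the following script is an added example (not from Cisco or this advisory) that parses saved `show running-config` output from several devices and lists which ones have a crypto map bound to an interface, so they can be prioritised for patching. The hostnames and configuration snippets are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Matches the ASA line that binds a crypto map to an interface, e.g.
# "crypto map outside_map interface outside". This is the line the advisory's
# check ("show running-config crypto map | include interface") filters for.
# Anchoring on "crypto map" avoids false hits on ordinary "interface ..." lines.
CRYPTO_MAP_IFACE = re.compile(r"^\s*crypto map (\S+) interface (\S+)\s*$", re.M)


def crypto_map_interfaces(running_config: str) -> List[Tuple[str, str]]:
    """Return (map_name, interface) pairs for every crypto map bound to an interface."""
    return CRYPTO_MAP_IFACE.findall(running_config)


def uses_vulnerable_feature(running_config: str) -> bool:
    """Mirror the advisory's check: any bound crypto map means the VPN feature is in use."""
    return bool(crypto_map_interfaces(running_config))


def triage(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> interfaces carrying a crypto map, for devices that need patching first."""
    result: Dict[str, List[str]] = {}
    for host, cfg in configs.items():
        ifaces = [iface for _, iface in crypto_map_interfaces(cfg)]
        if ifaces:
            result[host] = ifaces
    return result


# Constructed sample output of "show running-config" from two hypothetical devices.
SAMPLE_CONFIGS = {
    "asa-branch-1": (
        "crypto map outside_map 10 match address vpn-acl\n"
        "crypto map outside_map 10 set peer 203.0.113.10\n"
        "crypto map outside_map interface outside\n"
    ),
    # No crypto map at all; the plain "interface" line must not trigger a hit.
    "asa-lab": "interface GigabitEthernet0/0\n nameif inside\n",
}

if __name__ == "__main__":
    for host, ifaces in triage(SAMPLE_CONFIGS).items():
        print(f"{host}: crypto map bound on {', '.join(ifaces)} -> patch first")
```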

Remediations:

The only way to fix the problem is to update the software with the patch provided by Cisco on its website. You can find the instructions at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci... .

It is recommended to update soon, since scans looking for this vulnerability have already been detected.

More details can be found at:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...
https://isc.sans.edu/forums/diary/Critical+Cisco+ASA+IKEv1v2+Vulnerabili...
https://blog.exodusintel.com/2016/02/10/firewall-hacking/