Cisco published this week an advisory for the critical vulnerability CVE-2016-1287 in its ASA line of firewalls that have IKEv1/2 VPNs configured. An exploit for the vulnerability would allow an unauthenticated, remote attacker to execute code on the device. A technical breakdown of the vulnerability can be found in the blog post at Exodus Intelligence, which reported the vulnerability to Cisco. Exodus Intelligence is a 0-day research company, so this showcases some of their capabilities, while at the same time raising the question of why they would publish the vulnerability rather than add it to their portfolio.
The SANS Internet Storm Center has reported a large increase in the number of scans for port 500 since February 10, when the advisory was published. This is most likely mapping activity for configured VPN endpoints from malicious actors and security researchers alike.
You should patch as quickly as possible where you are affected. A quick scan of your perimeter for port 500 will give you a first overview of where to look. An authenticated Qualys scan will report QID 43481 “Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (cisco-sa-20160210-asa-ike)” and can be used to continuously map the state of your firewalls.
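As an added example (not from the Cisco advisory or from the Qualys or SANS reporting), the script below sends a minimal IKEv1 Main Mode SA proposal to UDP/500 and records whether a well-formed ISAKMP reply comes back, which is more reliable for inventorying your own VPN endpoints than a bare UDP port scan that mostly reports open|filtered. The host list and timeout are assumptions you supply; IKEv2 negotiation and NAT-T on UDP/4500 are not probed.

```python
"""Minimal IKEv1 (ISAKMP) probe for inventorying VPN endpoints on UDP/500 (added example)."""
import os
import socket
import struct

# ISAKMP header: i-cookie, r-cookie, next payload, version, exchange, flags, message id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NP_NONE, NP_SA = 0, 1
XCHG_MAIN_MODE = 2  # Identity Protection exchange

def _attr(atype, value):
    """Basic (AF=1) SA attribute with a 2-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)

def build_sa_probe(icookie):
    """Return an ISAKMP Main Mode message carrying one conservative SA proposal."""
    body = (_attr(1, 7) + _attr(2, 2) + _attr(3, 1) + _attr(4, 2) + _attr(14, 128))
    # Transform: next, reserved, length, transform#, transform id (KEY_IKE=1), reserved2
    transform = struct.pack("!BBHBBH", NP_NONE, 0, 8 + len(body), 1, 1, 0) + body
    # Proposal: next, reserved, length, proposal#, protocol (ISAKMP=1), SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", NP_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next, reserved, length, DOI (IPsec=1), situation (SIT_IDENTITY_ONLY=1)
    sa = struct.pack("!BBHII", NP_NONE, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = ISAKMP_HDR.pack(icookie, b"\0" * 8, NP_SA, 0x10, XCHG_MAIN_MODE, 0, 0,
                          ISAKMP_HDR.size + len(sa))
    return hdr + sa

def parse_isakmp_header(data, icookie):
    """Return header fields if data is a plausible ISAKMP reply to our cookie, else None."""
    if len(data) < ISAKMP_HDR.size:
        return None
    ic, rc, np, ver, xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if ic != icookie or length > len(data):
        return None
    return {"version": ver >> 4, "exchange": xchg, "next_payload": np, "responder_cookie": rc}

def probe_host(host, timeout=2.0):
    """Send the SA probe to host:500/udp; return the parsed reply header or None on silence."""
    icookie = os.urandom(8)  # fresh initiator cookie so replies can be matched
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sa_probe(icookie), (host, 500))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_isakmp_header(data, icookie)

if __name__ == "__main__":
    for h in ["192.0.2.1"]:  # placeholder: replace with your own perimeter addresses
        print(h, probe_host(h))
```

Any host that answers, including with a Notify such as NO_PROPOSAL_CHOSEN, is an IKE endpoint worth checking against the advisory and the Qualys QID.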
Snort, from Sourcefire (a Cisco company), has had detection for the attack in rule 36903 since November 2015.