Users of the Cisco Adaptive Security Appliance (ASA) as a VPN firewall are becoming aware of a vulnerability that would allow attackers to break in by sending the device malformed network packets.
This is bad news for VPN users, since VPNs exist precisely to shield private networks from external attackers. Cisco Systems has rated the vulnerability at the highest possible score (10) on the Common Vulnerability Scoring System (CVSS).
In its public advisory, Cisco Systems said that an attacker could exploit the vulnerability by sending crafted packets to an affected system, allowing them to execute arbitrary code and take full control of the device, or to cause the system to reload.
Cisco's ASA products are often deployed as VPN endpoints. A single device can provide firewall, IP routing, intrusion prevention, VPN and antivirus protection.
The flaw lies in the Cisco ASA code that handles the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) protocols. Specifically, it is a buffer overflow in the processing of IKE payloads.
IKE is the key exchange mechanism used by IPsec-based VPNs. Cisco ASA devices are exposed if they are configured to terminate LAN-to-LAN IPsec VPN, remote-access VPN using the IPsec VPN client, Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN, or IKEv2 AnyConnect connections.
Cisco has published guidance on which products are affected. It states that fixed Cisco ASA software versions are available for the affected release branches and advises users of those products to update as soon as they can.
Affected systems are: Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 1000V Cloud Firewall, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco ISA 3000 Industrial Security Appliance, and Cisco Firepower 9300 ASA Security Module.
The SANS Technology Institute's Internet Storm Center reports a large increase in probes of UDP port 500, the port IKE listens on. This suggests that attackers hoping to exploit this vulnerability are scanning that port for exposed devices.
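A defender watching for the probe surge the ISC describes would want to see it in their own firewall logs. The following is an added example written for this article, not code from Cisco or SANS ISC: it parses constructed syslog lines modelled loosely on the ASA "Built inbound UDP connection" message, counts the distinct sources hitting the IKE ports per minute, and flags minutes that far exceed a baseline of normal peer activity. It goes slightly beyond the article by also counting UDP port 4500 (IKE NAT traversal), which is the other port an IKE endpoint exposes. The log format, addresses, timestamps and thresholds are all assumptions made for the example.

```python
"""Flag bursts of distinct sources hitting the IKE ports in ASA-style syslog.

Added example for this article (not Cisco's or SANS ISC's code). The log
lines below are constructed; the message layout is an assumption modelled
on ASA "Built inbound UDP connection" (302015) messages.
"""
import re
from collections import defaultdict
from datetime import datetime

IKE_PORTS = {500, 4500}  # ISAKMP/IKE and IKE NAT-Traversal

# Assumed line shape: "<Mon DD HH:MM:SS> <host> %ASA-6-302015: Built inbound
# UDP connection <id> for <if>:<src>/<sport> (...) to <if>:<dst>/<dport> (...)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-302015: "
    r"Built inbound UDP connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: two legitimate peers in minutes 09:00 and 09:01, an
# unrelated TCP line and a DNS line, then eight new sources probing UDP/500
# within minute 09:02.
SAMPLE_LOGS = """\
Feb 10 09:00:01 asa1 %ASA-6-302015: Built inbound UDP connection 1001 for outside:198.51.100.7/41002 (198.51.100.7/41002) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:00:15 asa1 %ASA-6-302015: Built inbound UDP connection 1002 for outside:198.51.100.8/41003 (198.51.100.8/41003) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:00:40 asa1 %ASA-6-302015: Built inbound UDP connection 1003 for outside:198.51.100.7/4500 (198.51.100.7/4500) to identity:203.0.113.1/4500 (203.0.113.1/4500)
Feb 10 09:01:03 asa1 %ASA-6-302015: Built inbound UDP connection 1004 for outside:198.51.100.7/41002 (198.51.100.7/41002) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:01:20 asa1 %ASA-6-302015: Built inbound UDP connection 1005 for outside:198.51.100.8/41003 (198.51.100.8/41003) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:01:30 asa1 %ASA-6-302013: Built inbound TCP connection 1006 for outside:198.51.100.9/51000 (198.51.100.9/51000) to dmz:10.0.0.5/443 (203.0.113.5/443)
Feb 10 09:01:45 asa1 %ASA-6-302015: Built inbound UDP connection 1007 for outside:198.51.100.9/53001 (198.51.100.9/53001) to dmz:10.0.0.6/53 (203.0.113.6/53)
Feb 10 09:02:00 asa1 %ASA-6-302015: Built inbound UDP connection 1008 for outside:192.0.2.10/500 (192.0.2.10/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:05 asa1 %ASA-6-302015: Built inbound UDP connection 1009 for outside:192.0.2.11/500 (192.0.2.11/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:11 asa1 %ASA-6-302015: Built inbound UDP connection 1010 for outside:192.0.2.12/500 (192.0.2.12/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:18 asa1 %ASA-6-302015: Built inbound UDP connection 1011 for outside:192.0.2.13/500 (192.0.2.13/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:24 asa1 %ASA-6-302015: Built inbound UDP connection 1012 for outside:192.0.2.14/500 (192.0.2.14/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:31 asa1 %ASA-6-302015: Built inbound UDP connection 1013 for outside:192.0.2.15/500 (192.0.2.15/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:39 asa1 %ASA-6-302015: Built inbound UDP connection 1014 for outside:192.0.2.16/500 (192.0.2.16/500) to identity:203.0.113.1/500 (203.0.113.1/500)
Feb 10 09:02:50 asa1 %ASA-6-302015: Built inbound UDP connection 1015 for outside:192.0.2.17/500 (192.0.2.17/500) to identity:203.0.113.1/500 (203.0.113.1/500)
"""


def parse_line(line):
    """Return (minute, src_ip, dst_port) for a UDP build line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
    return ts.replace(second=0), m.group("src"), int(m.group("dport"))


def ike_sources_per_minute(lines):
    """Map each minute to the set of distinct source IPs that opened a UDP
    connection to an IKE port in that minute. Non-IKE and non-UDP lines are
    ignored."""
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, src, dport = parsed
        if dport in IKE_PORTS:
            buckets[minute].add(src)
    return buckets


def flag_probe_bursts(buckets, baseline_minutes=2, factor=3, min_sources=5):
    """Return the minutes (as 'Mon DD HH:MM' strings) whose distinct-source
    count is at least `factor` times the average of the first
    `baseline_minutes` minutes and at least `min_sources`. The baseline is
    assumed to represent normal VPN peer activity."""
    ordered = sorted(buckets)
    if len(ordered) <= baseline_minutes:
        return []
    avg = sum(len(buckets[m]) for m in ordered[:baseline_minutes]) / baseline_minutes
    threshold = max(min_sources, factor * avg)
    return [m.strftime("%b %d %H:%M") for m in ordered[baseline_minutes:]
            if len(buckets[m]) >= threshold]


def analyse(log_text):
    """Convenience wrapper: raw syslog text in, flagged minutes out."""
    return flag_probe_bursts(ike_sources_per_minute(log_text.splitlines()))


if __name__ == "__main__":
    for minute in analyse(SAMPLE_LOGS):
        print(f"IKE probe burst at {minute}")
```

The baseline is deliberately simple (the average of the first two minutes); in production you would compute it over a much longer window and per interface, but the core signal is the same: many previously unseen sources opening UDP/500 or UDP/4500 in a short span, rather than a handful of known peers renegotiating.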