Cisco security kit wide-open to IKE bug
Patch your ASA appliances now unless you like the world reading your secrets
Patch it now and don't wait: Cisco has announced that a bunch of its Adaptive Security Appliance (ASA) products are vulnerable to a remote code execution bug.
The problem is in how the ASA products reassemble fragmented Internet Key Exchange (IKE) payloads. Cisco's implementation of the fragmentation protocol has a bounds-checking flaw.
As this post at Exodus Intel (with a hat-tip to @SwiftOnSecurity) explains, the bug "allows a heap buffer to be overflowed with attacker-controlled data," and that's what opens the remote code execution vulnerability.
Cisco lists the ASA 5500, ASA 5500-X, ASA Services Module for Catalyst 6500 switches and 7600 Series routers, the ASA 1000V Cloud Firewall, the Adaptive Security Virtual Appliance, the Firepower 9300 ASA module, and the ISA (industrial security appliance) 3000.
Either IPv4 or IPv6 traffic can be used to trigger the vulnerability.
As Exodus Intelligence explains, the problem in the code is that while the fragment length is 16 bits, Cisco limits its queues to 8 bits.
"The most basic way to attack this code is to create a reassembly queue where one of the fragments has a length less than the default fragment header size of 8 bytes, which underflows the copy length during reassembly," the post states.
That only gets you as far as forcing a reload of the target system, but Exodus Intel outlines how this can be exploited to get attacker code into a "known location in writable memory," giving the attacker control of the device.
Cisco has released a patch for affected software versions. ®