Cisco ASA firewall has a wormable problem


It has been a rough couple of weeks for security vendors. Juniper with their remote access issue and and then Fortinet with their hardcoded password. Now, Cisco has found itself in the media. Namely Cisco's ASA firewall product line. These are firewalls that can be purchased as an appliance, blades or even virtual. The part of this that is most pressing is that Cisco claims that there are over a million of these deployed.

Today comes word that Cisco has published an advisory for a vulnerability that was discovered by David Barksdale, Jordan Gruskovnjak, and Alex Wheeler of Exodus Intelligence. The part that leapt of the screen was the fact that this has a CVSS (Common Vulnerability Scoring System) score of 10.

As was remarked by a couple of acquaintances, the first quipped “I haven't seen a CVSSv2 score of 10 in a long time” and the other added “We're starting our patching now”. So what is at the root of this issue?

From the Cisco Advisory:

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

If I was a betting man, I’d say that this sounds like a problem that could get worse in short order. Think “Dune".

The researchers who discovered this problem also released a blog today to coincide with the advisory being posted.

From Exodus Intel:

The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data. A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices.

So, how did this make it past QA? A question that I'm certain someone will be wanting an answer for.

So, what products are feeling the pressure of this problem? Well, here is a list gleaned from the Cisco Advisory. The Cisco ASA Software running on the following products may be affected by this vulnerability:

Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco ASA 1000V Cloud Firewall
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco Firepower 9300 ASA Security Module
Cisco ISA 3000 Industrial Security Appliance

If you are working for an organization that fins you responsible for the oversight of ASA firewalls and you've made it this far into the post, stop. You need to start patching as soon as possible as I can well imagine that this will get worse before it gets better. In no time at all we could very well be seeing Shai-Hulud wormsign the likes of which we have not seen before.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)