topic 7.21 in Network Security

CVE-2016-1287 workaround

Theodore Anastassiou — Tue, 12 Mar 2019 07:17:46 GMT

Hi everyone,

Just wondering if I could tackle this vuln using an ACL allowing only IKE1/2 traffic for selected VPN peers.

Would that block any UDP crafted packets from getting through the ASA ipsec engine?

Awaiting your comments,

Theo.

Hi,

mvsheik123 — Sun, 14 Feb 2016 04:22:44 GMT

Hi,

Check this link...

http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation

However, not sure if this works. Upgrade ASA to fixed version is the recommended solution.

hth

Hi Theodore,

Dinesh Moudgil — Sun, 14 Feb 2016 07:10:37 GMT

Hi Theodore,

Using Control plane ACL would reduce the likelihood if you use L2L VPN and if you use remote access VPN then control plane acl wont help. You can use Cisco IPS Signature 7169-0 and Snort ID: 36903 which can detect attempts to exploit this vulnerability though you can upgrade to the below mentioned ASA releases to mitigate this vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

7.21

Ahmed Ahmedzadeh — Tue, 16 Feb 2016 06:22:14 GMT

7.2¹	Affected; migrate to 9.1(7) or later
8.2¹	Affected; migrate to 9.1(7) or later
8.3¹	Affected; migrate to 9.1(7) or later
8.4	8.4(7.30)
8.5¹	Not affected
8.6¹	Affected; migrate to 9.1(7) or later
8.7	8.7(1.18)
9.0	9.0(4.38)
9.1	9.1(7)
9.2	9.2(4.5)
9.3	9.3(3.7)
9.4	9.4(2.4)
9.5	9.5(2.2)

Am I right thinking that 8.0 version is not affected?

A control-plane ACL will

James Leinweber — Fri, 19 Feb 2016 18:08:58 GMT

A control-plane ACL will block a lot of potential future mischief and is an excellent idea in general. Unfortunately for cve-2016-1287, the bug is in the fragment processing, which presumably happens before the ACL kicks in. My best guess is that you can't mitigate this particular bug that way. The only solution is to reload on fixed firmware.

-- Jim Leinweber, WI State Lab of Hygiene