CVE-2016-1287 workaround

Theodore Anastassiou · ‎02-13-2016

Hi everyone,

Just wondering if I could tackle this vuln using an ACL allowing only IKE1/2 traffic for selected VPN peers.

Would that block any UDP crafted packets from getting through the ASA ipsec engine?

Awaiting your comments,

Theo.

mvsheik123 · ‎02-13-2016

Hi,

Check this link...

http://info.stack8.com/blog/cisco-cve-2016-1287-network-vulnerability-and-mitigation

However, not sure if this works. Upgrade ASA to fixed version is the recommended solution.

hth

MS

Ahmed Ahmedzadeh · ‎02-15-2016

7.2¹	Affected; migrate to 9.1(7) or later
8.2¹	Affected; migrate to 9.1(7) or later
8.3¹	Affected; migrate to 9.1(7) or later
8.4	8.4(7.30)
8.5¹	Not affected
8.6¹	Affected; migrate to 9.1(7) or later
8.7	8.7(1.18)
9.0	9.0(4.38)
9.1	9.1(7)
9.2	9.2(4.5)
9.3	9.3(3.7)
9.4	9.4(2.4)
9.5	9.5(2.2)

Am I right thinking that 8.0 version is not affected?

Dinesh Moudgil · ‎02-13-2016

Hi Theodore,

Using Control plane ACL would reduce the likelihood if you use L2L VPN and if you use remote access VPN then control plane acl wont help. You can use Cisco IPS Signature 7169-0 and Snort ID: 36903 which can detect attempts to exploit this vulnerability though you can upgrade to the below mentioned ASA releases to mitigate this vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

James Leinweber · ‎02-19-2016

A control-plane ACL will block a lot of potential future mischief and is an excellent idea in general. Unfortunately for cve-2016-1287, the bug is in the fragment processing, which presumably happens before the ACL kicks in. My best guess is that you can't mitigate this particular bug that way. The only solution is to reload on fixed firmware.

-- Jim Leinweber, WI State Lab of Hygiene