"The algorithm for re-assembling IKE payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data," Exodus researchers David Barksdale, Jordan Gruskovnjak, and Alex Wheeler explain. "A sequence of payloads with carefully chosen parameters causes a buffer of insufficient size to be allocated in the heap which is then overflowed when fragment payloads are copied into the buffer. Attackers can use this vulnerability to execute arbitrary code on affected devices."

Successful exploitation of this vulnerability, which affects Cisco ASA software if the system is configured to terminate IKEv1 or IKEv2 VPN connections, could lead to a full compromise of the affected system.
To determine whether a device is configured to terminate VPN connections, run the following command:

ciscoasa# show running-config crypto map | include interface

If a crypto map is returned, the device is vulnerable. Tripwire will release ASPL-657 on Wednesday, February 17th, which will include Vulnerability ID #224098 to detect this issue within Tripwire IP360. This detection is also available via the Tripwire Customer Center to those interested in scanning early. In the meantime, Cisco has released software updates that address the vulnerability. It is recommended that system administrators implement those fixes sooner rather than later.

News of this patch follows a fix for a vulnerability in the code that handles the reassembly of fragmented IPv4 and IPv6 packets in Cisco IOS XE Software for the ASR 1000 Series Aggregation Services Routers back in August of 2015.
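The same "is a crypto map bound to an interface?" check can be applied offline to saved ASA configurations, for example across a fleet of configuration backups. The following Python is an added example, not code from the article or from Cisco or Tripwire; the device name, crypto map name, interface name and peer address in the sample output are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of "show running-config crypto map" output from an ASA
# that terminates IKE VPN connections (map name, interface and peer are made up).
SAMPLE_CONFIG_VPN = """\
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
"""

# Constructed sample where a crypto map is defined but applied to no interface,
# so the device does not terminate VPN connections through it.
SAMPLE_CONFIG_NO_VPN = """\
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
"""

# Matches the "crypto map <name> interface <ifname>" binding lines, which are the
# lines the article's "| include interface" filter would print on the device.
CRYPTO_MAP_IFACE = re.compile(r"^\s*crypto map (\S+) interface (\S+)\s*$", re.MULTILINE)


def crypto_map_interfaces(config: str) -> List[Tuple[str, str]]:
    """Return (map_name, interface) pairs for every crypto map bound to an interface."""
    return CRYPTO_MAP_IFACE.findall(config)


def terminates_ike_vpn(config: str) -> bool:
    """True when at least one crypto map is applied to an interface, i.e. the
    device is configured to terminate IKEv1/IKEv2 VPN connections and, if
    unpatched, is exposed to the fragmentation reassembly flaw."""
    return bool(crypto_map_interfaces(config))


if __name__ == "__main__":
    for label, cfg in (("vpn", SAMPLE_CONFIG_VPN), ("no-vpn", SAMPLE_CONFIG_NO_VPN)):
        print(label, "needs patch check:", terminates_ike_vpn(cfg), crypto_map_interfaces(cfg))
```

A device flagged by this check still needs the software version compared against Cisco's fixed releases; the crypto map binding only tells you whether the vulnerable IKE code path is reachable.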