Network technologies and trends

Feb 11 2016   8:14PM GMT

Cisco ASA Firewalls can be exploited by sending crafted UDP packets

Yasir Irfan

Cisco ASA

Yesterday I received an email from Cisco Security Advisories about a critical vulnerability in the IKE version 1 and IKE version 2 code of ASA Software, which could allow an unauthenticated remote attacker to reload an affected ASA firewall or even execute code on it remotely.

Those who terminate their VPN tunnels using either IKEv1 or IKEv2 for any of the following VPN types:

  • LAN-to-LAN IPsec VPN
  • Remote access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
  • IKEv2 AnyConnect

should immediately check whether their ASAs are affected. If so, they should upgrade the ASA, as there is no other fix from Cisco.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit it by sending crafted UDP packets to the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or to cause the affected system to reload.

The following IOS versions are affected; one should upgrade immediately to the recommended IOS version.

Cisco ASA Major Release   First Fixed Release
7.2                       Affected; migrate to 9.1(7) or later
8.2                       Affected; migrate to 9.1(7) or later
8.3                       Affected; migrate to 9.1(7) or later
8.4                       8.4(7.30)
8.5                       Not affected
8.6                       Affected; migrate to 9.1(7) or later
8.7                       8.7(1.18)
9.0                       9.0(4.38)
9.1                       9.1(7)
9.2                       9.2(4.5)
9.3                       9.3(3.7)
9.4                       9.4(2.4)
9.5                       9.5(2.2)

Further details can be found at the URL below.
