A critical vulnerability in the Internet Key Exchange (IKE) code used in Cisco Adaptive Security Appliances (ASA) that could allow an attacker to remotely execute code was discovered earlier this year. There are no workarounds to this vulnerability, but Cisco has released a patch. Here are a few points to consider when applying this important patch.

About the Cisco ASA Vulnerability

The Cisco ASA IKE buffer overflow is a critical vulnerability that requires a proactive response. Since this vulnerability affects network perimeter defense mechanisms and could allow an intruder to execute arbitrary code and obtain full control of an affected system, I urge professionals to take a close look at possible Cisco ASA remediation actions.

In general, most people think of installing the vendor’s patch as a first resort. While this is advisable, it may not always be feasible. Sometimes the patch is not yet available; in some cases, it can take a vendor days or weeks to issue a patch. Even when the patch is available, some systems might not be able to accommodate it due to limited resources (e.g., memory, processing or HDD space) or other constraints. For example, Cisco ASA appliances may require memory upgrades before installing the patch.

In instances where a patch is not available or cannot be installed, there are other approaches to remediation — such as secondary control patching or configuration setting modification — that organizations may consider.

Let’s take a look at the most common mitigation approaches, starting with the vendor patch.

Installing the Vendor Patch

When possible, a vendor’s patch should be installed on the affected systems to mitigate the vulnerability. But this requires some due diligence before applying the patch; carefully review the requirements and prerequisites for successful patching below.

  • Patch Analysis: Have you reviewed the requirements and prerequisites for the patch? (For example, does the device have enough memory to support the patch?)
  • Change Management: Do you have a change record? It is useful to review the recent configuration settings on the firewall before installing patches.
  • Patch Testing: Have you tested the patch before deploying it to production servers? In a testing environment, perform the following activities:
    • Use a vulnerability scanner or Nessus Scanner (Plugin ID: 88713) to identify whether the system is vulnerable.
    • Validate that patches were installed properly by reviewing patch logs.
    • Use a testing kit such as Core Impact to confirm whether the patch effectively mitigated the vulnerability.
  • Disaster Recovery and Business Continuity: What if the device fails during the patch installation? Is there a firewall backup in case a rollback is required? Are the ASAs deployed in a high-availability design to keep the network and business running during the patching?

Deployment Time Frame

If you are patching many ASA firewalls, it might take some time. If you are unable to patch all your firewalls at once, or if a vendor patch is not yet available, consider one of the below options to help protect your network while the process is completed.

Even before a vendor’s patch is available, many intrusion prevention system (IPS) vendors update their IPS signatures to detect and block zero-day exploits and particular vulnerabilities. This mechanism has been used in IBM for more than a decade and is known as virtual patch technology.

Virtual patching can provide an additional layer of protection in front of affected Cisco ASA firewalls and help ensure exploits targeting firewalls are detected and blocked before impact. Many vendors released IPS definitions for the ASA IKE vulnerability:

  • IBM X-Force has published XPU 36.021 for the Cisco ASA Software IKEv1 and IKEv2 buffer overflow vulnerability. The signature is: ISAKMP_CiscoASA_Fragmentation_Overflow.
  • Cisco has an IPS signature 7169-0 and Snort ID: 36903 for this vulnerability.

Configuration Settings Modifications

When a vendor’s patch is not available, configuration changes can be useful and effective — if used properly. For example, disabling the affected service (e.g., IKE),will result in losing the virtual private network (VPN) capability from this firewall. But in return, you have reduced the likelihood of someone exploiting the vulnerability.

Disabling IKEv1 and IKEv2 will limit the exposure until the patch is deployed. Disable them using the following commands:

  • no crypto ikev1 enable; and
  • no crypto ikev2 enable.

If the VPN service is mandatory, you could add an access control list on the Internet-facing interfaces to block UDP 4500/500 from all except selected trusted ASA peers. This will ensure that incoming IKE transactions are only accepted from trusted sources.

Conclusion

Zero-day vulnerabilities will keep coming. Security professionals and firewall managers should have a proactive strategy to minimize exposure. It is an ongoing battle, but the more options you have for your defense strategy, the greater the likelihood of surviving until the next attack.

More from Mainframe

How dangerous is the cyberattack risk to transportation?

4 min read - If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

Low-code is easy, but is it secure?

4 min read - Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today