A buffer overflow vulnerability has been discovered in Cisco ASA Adaptive Security Appliance software. Successful exploitation could allow an unauthenticated, remote attacker to take control of the affected system and perform unauthorized actions. The following products are affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
The IKEv1 and IKEv2 implementations in Cisco ASA Software are prone to a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to cause a reload of the affected system or to execute arbitrary code. The algorithm that reassembles Internet Key Exchange (IKE) payloads fragmented with the Cisco fragmentation protocol contains a bounds-checking flaw: the reassembly code trusts the attacker-supplied fragment lengths, so a specially crafted series of fragmented IKE packets sent over UDP can overflow a heap buffer. Because IKE is the service that accepts VPN connections, the attack surface is exactly the interface the appliance exposes to the Internet.
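The following is an added example and not Cisco's code or the real ASA fragment format. It models the bug class described above with a simplified, hypothetical fragment structure (sequence number, last flag, declared length, payload) and an assumed 64-byte reassembly buffer: the unchecked reassembler copies each fragment at a running offset without comparing it to the buffer capacity, while the hardened version rejects a series that would exceed it. The overflow is demonstrated inside one larger allocation so the spill into the "neighbouring heap object" is observable without undefined behaviour. All sample fragments are constructed inline.

```c
/* Added example (not Cisco's code). Hypothetical fragment layout and a 64-byte
 * reassembly buffer stand in for the real ASA IKE fragmentation reassembly. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REASM_CAP 64u   /* assumed size of the fixed heap reassembly buffer */

struct frag {
    uint8_t  seq;          /* fragment sequence number, starting at 1 (assumed field) */
    uint8_t  last;         /* 1 if this is the final fragment of the series */
    uint16_t len;          /* declared payload length: attacker-controlled */
    const uint8_t *payload;
};

/* Vulnerable reassembly: trusts every declared length and never compares the
 * running offset against the capacity of `out`. Returns bytes written. */
size_t reassemble_unchecked(const struct frag *frags, size_t n, uint8_t *out)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(out + off, frags[i].payload, frags[i].len);   /* no bounds check */
        off += frags[i].len;
        if (frags[i].last) break;
    }
    return off;
}

/* Hardened reassembly: rejects out-of-order fragments and any fragment that
 * would not fit in the remaining capacity. Returns total length on success,
 * -1 if the series is rejected or never terminated. */
long reassemble_checked(const struct frag *frags, size_t n, uint8_t *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (frags[i].seq != i + 1) return -1;        /* duplicate or out of order */
        if (frags[i].len > cap - off) return -1;     /* safe: off <= cap always holds here */
        memcpy(out + off, frags[i].payload, frags[i].len);
        off += frags[i].len;
        if (frags[i].last) return (long)off;
    }
    return -1;                                       /* final fragment never arrived */
}

/* Constructed sample: two fragments whose declared lengths sum to `a + b`. */
static void build_series(struct frag f[2], const uint8_t *p, uint16_t a, uint16_t b)
{
    f[0] = (struct frag){1, 0, a, p};
    f[1] = (struct frag){2, 1, b, p + a};
}

/* Runs the unchecked reassembler on a 50 + 50 byte series. The "buffer" is the
 * first 64 bytes of a 128-byte allocation; the rest is pre-filled with 0xEE and
 * plays the neighbouring heap object. Returns how many neighbour bytes changed. */
size_t demo_unchecked_clobbers_neighbour(void)
{
    uint8_t payload[100];
    memset(payload, 'A', sizeof payload);
    struct frag f[2];
    build_series(f, payload, 50, 50);

    uint8_t *region = malloc(2 * REASM_CAP);
    if (!region) return 0;
    memset(region, 0xEE, 2 * REASM_CAP);
    reassemble_unchecked(f, 2, region);              /* 100 bytes into a 64-byte buffer */

    size_t clobbered = 0;
    for (size_t i = REASM_CAP; i < 2 * REASM_CAP; i++)
        if (region[i] != 0xEE) clobbered++;
    free(region);
    return clobbered;                                /* 36 bytes of the neighbour overwritten */
}

/* Runs the hardened reassembler on an a + b byte series. */
long demo_checked(uint16_t a, uint16_t b)
{
    uint8_t payload[200];
    memset(payload, 'A', sizeof payload);
    struct frag f[2];
    build_series(f, payload, a, b);
    uint8_t out[REASM_CAP];
    return reassemble_checked(f, 2, out, sizeof out);
}

int main(void)
{
    printf("unchecked: neighbour bytes clobbered = %zu\n", demo_unchecked_clobbers_neighbour());
    printf("checked 50+50: %ld (rejected)\n", demo_checked(50, 50));
    printf("checked 32+32: %ld (exactly fits)\n", demo_checked(32, 32));
    printf("checked 32+33: %ld (one byte too many)\n", demo_checked(32, 33));
    return 0;
}
```

The check `frags[i].len > cap - off` is written as a subtraction rather than `off + len > cap` so that an attacker cannot wrap the addition with a large declared length; on 16-bit lengths the wrap is not reachable here, but the pattern is the one to keep when lengths are 32-bit.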
- Install the updates provided by Cisco immediately after appropriate testing.
- Verify that no unauthorized modifications have been made to the system before applying the patch; a device that has already been compromised is not made safe by patching alone.
- Monitor intrusion detection systems for any signs of anomalous activity, in particular malformed or unusually fragmented IKE traffic.
- Unless required, limit which external hosts can reach the IKE service (UDP port 500 and UDP port 4500) on affected products.