Cisco ASA 5500 Series and Cisco IOS XE – IPSec related DoS vulnerability

Foreword

Today Cisco published its regular semiannual security advisory publication, and one vulnerability (CVE-2018-0472) catches the eye: an IPsec-related denial-of-service vulnerability in Cisco ASA and Cisco IOS XE Software that has been rated High.

Overview

The vulnerability stems from improper handling of IPsec AH (Authentication Header) or ESP (Encapsulating Security Payload) packets. An attacker can send specifically crafted IPsec packets that cause the IPsec device to reload, resulting in a denial of service. No workarounds are available to mitigate this threat; customers are urged to upgrade their running OS (either ASA OS or IOS XE).

Which products are affected

Cisco IOS XE Software products affected by this vulnerability:

Cisco ASR 1000 Series Aggregation Services Routers:

  • ASR 1001-X
  • ASR 1001-HX
  • ASR 1002-X
  • ASR 1002-HX
  • Cisco ASR 1000 Series 100-Gbps Embedded Service Processor (ASR1000-ESP100)
  • Cisco ASR 1000 Series 200-Gbps Embedded Service Processor (ASR1000-ESP200)

Cisco 4000 Series Integrated Services Routers:

  • ISR 4431
  • ISR 4451-X

The routers are affected only when running one of the IPsec-related technologies listed below.

List of vulnerable technologies on IOS XE

  • LAN-to-LAN VPN
  • Remote-access VPN, excluding SSL VPN
  • Dynamic Multipoint VPN (DMVPN)
  • FlexVPN
  • Group Encrypted Transport VPN (GET VPN)
  • IPsec virtual tunnel interfaces (VTIs)
  • Open Shortest Path First Version 3 (OSPFv3) Authentication Support with IPsec

Cisco ASA products affected by this vulnerability:

Cisco ASA 5500-X Series Adaptive Security Appliances:

  • ASA 5506-X Series
  • ASA 5508-X Series
  • ASA 5516-X Series

No other models are affected!

List of vulnerable technologies on ASA and FTD

  • LAN-to-LAN IPsec VPN
  • Remote-access VPN using the IPsec VPN client
  • Layer 2 Tunnelling Protocol (L2TP)-over-IPsec VPN connections (not supported on FTD)

How to fix this:

As mentioned, there is no workaround for this vulnerability; an update is needed.

Cisco has today released the necessary upgrades for all vulnerable software.

Cisco ASA table with vulnerable OS and the release that fixes it

  Cisco ASA Major Release   First Fixed Release for This Vulnerability
  9.3                       Affected; migrate to Release 9.4
  9.4                       9.4.4.18
  9.5                       Affected; migrate to Release 9.6
  9.6                       9.6.4.8
  9.7                       Affected; migrate to Release 9.8
  9.8                       9.8.2.26
  9.9                       9.9.2.2
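A quick way to turn the ASA table and the affected-model list into a check on your own devices, as an added example that is not from the original post or from Cisco: it normalises the release string the way `show version` prints it (the sample line is constructed), compares it with the first fixed release for its train, and reports the release to move to. The `show version` line format and the model-name handling are assumptions.

```python
import re
from typing import Optional, Tuple

# First fixed release per ASA major train, from the advisory table above.
# None marks a train that is affected in full and must migrate to the next train.
ASA_FIRST_FIXED = {"9.3": None, "9.4": "9.4.4.18", "9.5": None, "9.6": "9.6.4.8",
                   "9.7": None, "9.8": "9.8.2.26", "9.9": "9.9.2.2"}
MIGRATE_TO = {"9.3": "9.4", "9.5": "9.6", "9.7": "9.8"}
# Only these ASA 5500-X models are listed as affected.
AFFECTED_MODELS = {"ASA5506", "ASA5508", "ASA5516"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Normalise '9.8(2)26' or '9.8.2.26' to (9, 8, 2, 26) for numeric comparison."""
    dotted = re.sub(r"[()]", ".", v).strip(".")
    return tuple(int(p) for p in dotted.split("."))


def asa_status(running: str) -> Tuple[str, Optional[str]]:
    """Classify a running ASA release: ("vulnerable", release_to_move_to),
    ("fixed", None) or ("not-in-table", None) for trains the table omits."""
    parts = parse_version(running)
    train = f"{parts[0]}.{parts[1]}"
    if train not in ASA_FIRST_FIXED:
        return ("not-in-table", None)
    fixed = ASA_FIRST_FIXED[train]
    if fixed is None:                      # whole train affected
        return ("vulnerable", MIGRATE_TO[train])
    if parts < parse_version(fixed):       # below the first fixed build
        return ("vulnerable", fixed)
    return ("fixed", None)


def exposed(model: str, running: str, ipsec_in_use: bool) -> bool:
    """Exposed only if affected model, vulnerable release and an IPsec feature all hold."""
    model_key = model.upper().replace("-X", "")   # assumption: 'ASA5516-X' style names
    status, _ = asa_status(running)
    return model_key in AFFECTED_MODELS and status == "vulnerable" and ipsec_in_use


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the release string out of 'show version' text (format is an assumption)."""
    m = re.search(r"Software Version (\S+)", output)
    return m.group(1) if m else None


# Constructed sample of the first line of 'show version' on an ASA.
SAMPLE = "Cisco Adaptive Security Appliance Software Version 9.8(2)20"

if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE)
    print(ver, asa_status(ver), exposed("ASA5516-X", ver, True))
```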

Cisco FTD table with vulnerable OS and the release that fixes it

  Cisco FTD Software Release   First Fixed Release for This Vulnerability
  6.0                          Migrate to 6.1.0 HotFix or later
  6.0.1                        Migrate to 6.1.0 HotFix or later
  6.1.0                        Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300)
                               Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms)
  6.2.0                        Not vulnerable
  6.2.1                        Migrate to 6.2.2.3
  6.2.2                        6.2.2.3
  6.2.3                        6.2.3.1
  6.2.3-851                    6.2.3-85.02

For Cisco IOS XE, Cisco recommends checking the running release manually with its online Cisco IOS Software Checker at:

https://tools.cisco.com/security/center/softwarechecker.x