Cisco ASA 5500 Series and Cisco IOS XE – IPSec related DoS vulnerability

Today Cisco published its regular semiannual security advisory publication and there is one vulnerability (CVE-2018-0472) that catches the eye. A Cisco ASA and Cisco IOS / XE IPSec related DoS vulnerability that has been marked as HIGH.

The vulnerability stems from improper handling of IPSec AH (Authentication Header) or ESP (Encapsulating Security Payload) packets. A potential bad player can send specifically crafted IPSec packets that would cause the IPSec device to reload hence causing the Denial of Service attack. No workarounds are available to mitigate this threat. Customers are urge to upgrade their running OS (either ASA OS or IOS XE).

Cisco IOS XE Software products affected by this vulnerability:

Cisco ASR 1000 Series Aggregation Services Routers:

• ASR 1001-X
• ASR 1001-HX
• ASR 1002-X
• ASR 1002-HX
• Cisco ASR 1000 Series 100-Gbps Embedded Service Processor (ASR1000-ESP100)
• Cisco ASR 1000 Series 200-Gbps Embedded Service Processor (ASR1000-ESP200)

Cisco 4000 Series Integrated Services Routers:

• ISR 4431
• ISR 4451-X

The routers must be running an IPSec related technology.

List of vulnerable technologies on IOS XE

• LAN-to-LAN VPN
• Remote-access VPN, excluding SSL VPN
• Dynamic Multipoint VPN (DMVPN)
• FlexVPN
• Group Encrypted Transport VPN (GET VPN)
• IPsec virtual tunnel interfaces (VTIs)
• Open Shortest Path First Version 3 (OSPFv3) Authentication Support with IPsec

Cisco ASA products affected by this vulnerability:

Cisco ASA 5500-X Series Adaptive Security Appliances:

• ASA 5506-X Series
• ASA 5508-X Series
• ASA 5516-X Series

No other models are affected!

List of vulnerable technologies on ASA XE and FTD

• LAN-to-LAN IPsec VPN
• Remote-access VPN using the IPsec VPN client
• Layer 2 Tunnelling Protocol (L2TP)-over-IPsec VPN connections (not supported on FTD)