Cisco ASA 5500 Series and Cisco IOS XE – IPSec related DoS vulnerability
Foreword
Today Cisco published its regular semiannual bundled security advisory publication, and one vulnerability (CVE-2018-0472) catches the eye: an IPsec-related DoS vulnerability in Cisco ASA and Cisco IOS / IOS XE that has been rated HIGH.
Overview
The vulnerability stems from improper handling of IPsec AH (Authentication Header) or ESP (Encapsulating Security Payload) packets. An attacker can send specially crafted IPsec packets that cause the IPsec device to reload, resulting in a denial of service. No workarounds are available to mitigate this threat; customers are urged to upgrade their running OS (either ASA OS or IOS XE).
Which products are affected
Cisco IOS XE Software products affected by this vulnerability:
Cisco ASR 1000 Series Aggregation Services Routers:
- ASR 1001-X
- ASR 1001-HX
- ASR 1002-X
- ASR 1002-HX
- Cisco ASR 1000 Series 100-Gbps Embedded Service Processor (ASR1000-ESP100)
- Cisco ASR 1000 Series 200-Gbps Embedded Service Processor (ASR1000-ESP200)
Cisco 4000 Series Integrated Services Routers:
- ISR 4431
- ISR 4451-X
These routers are affected only when running one of the IPsec-related technologies listed below.
List of vulnerable technologies on IOS XE
- LAN-to-LAN VPN
- Remote-access VPN, excluding SSL VPN
- Dynamic Multipoint VPN (DMVPN)
- FlexVPN
- Group Encrypted Transport VPN (GET VPN)
- IPsec virtual tunnel interfaces (VTIs)
- Open Shortest Path First Version 3 (OSPFv3) Authentication Support with IPsec
Cisco ASA products affected by this vulnerability:
Cisco ASA 5500-X Series Adaptive Security Appliances:
- ASA 5506-X Series
- ASA 5508-X Series
- ASA 5516-X Series
No other models are affected!
List of vulnerable technologies on ASA and FTD
- LAN-to-LAN IPsec VPN
- Remote-access VPN using the IPsec VPN client
- Layer 2 Tunnelling Protocol (L2TP)-over-IPsec VPN connections (not supported on FTD)
How to fix this:
As mentioned above, there is no workaround for this vulnerability; an update is required.
Cisco has today released the necessary upgrades for all vulnerable software.
Cisco ASA: vulnerable releases and the first release that fixes the vulnerability

| Cisco ASA Major Release | First Fixed Release for This Vulnerability |
|---|---|
| 9.3 | Affected; migrate to Release 9.4 |
| 9.4 | 9.4.4.18 |
| 9.5 | Affected; migrate to Release 9.6 |
| 9.6 | 9.6.4.8 |
| 9.7 | Affected; migrate to Release 9.8 |
| 9.8 | 9.8.2.26 |
| 9.9 | 9.9.2.2 |
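A quick triage check against the ASA table above, written here as an added example (not Cisco's tooling): it extracts the version from a `show version` line or from the dotted form used in the table and reports whether that build is at or above the first fixed release of its train. The `show version` line format and the table transcription are assumptions, and the check covers only the trains listed in this table.

```python
import re

# First fixed ASA release per major train, transcribed from the table above.
# None marks a train that has no fixed build and must be migrated.
ASA_FIRST_FIXED = {
    (9, 3): None, (9, 4): (9, 4, 4, 18),
    (9, 5): None, (9, 6): (9, 6, 4, 8),
    (9, 7): None, (9, 8): (9, 8, 2, 26),
    (9, 9): (9, 9, 2, 2),
}

# Accepts both the dotted form used in the table (9.8.2.26) and the
# "9.8(2)26" form that ASA prints in 'show version' (assumed format).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:[.(](\d+)\)?)?(?:\.?(\d+))?")


def parse_asa_version(text: str) -> tuple:
    """Return the ASA version found in text as a 4-tuple of ints, e.g. (9, 8, 2, 26)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def asa_status(version_text: str) -> str:
    """Classify a running ASA build against the first-fixed table.

    'fixed'      - build is at or above the first fixed release of its train
    'vulnerable' - train has a fix but this build predates it
    'migrate'    - train has no fixed build; move to the next major train
    'not listed' - train is not covered by the table (check the advisory)
    """
    version = parse_asa_version(version_text)
    train = version[:2]
    if train not in ASA_FIRST_FIXED:
        return "not listed"
    fixed = ASA_FIRST_FIXED[train]
    if fixed is None:
        return "migrate"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed 'show version' lines, not captured from a real device.
    for line in (
        "Cisco Adaptive Security Appliance Software Version 9.8(2)20",
        "Cisco Adaptive Security Appliance Software Version 9.8(2)26",
        "Cisco Adaptive Security Appliance Software Version 9.3(3)11",
    ):
        print(f"{line.split('Version ')[1]:>12} -> {asa_status(line)}")
```

A "fixed" result covers this CVE only; a device is in scope for it in the first place only if it is one of the listed 5500-X models running one of the listed IPsec technologies.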
Cisco FTD: vulnerable releases and the first release that fixes the vulnerability

| Cisco FTD Software Release | First Fixed Release for This Vulnerability |
|---|---|
| 6.0 | Migrate to 6.1.0 HotFix or later |
| 6.0.1 | Migrate to 6.1.0 HotFix or later |
| 6.1.0 | Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300); Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms) |
| 6.2.0 | Not vulnerable |
| 6.2.1 | Migrate to 6.2.2.3 |
| 6.2.2 | 6.2.2.3 |
| 6.2.3 | 6.2.3.1 / 6.2.3-851 / 6.2.3-85.02 |
For Cisco IOS XE, Cisco recommends checking the running release manually with its online Cisco IOS Software Checker at: