Cisco has scrambled to fix a serious vulnerability in its Adaptive Security Appliances and Next-Generation Firewalls products which can be used to remotely take over and reboot the devices.
Unauthenticated remote attackers can exploit a bug in the internet key exchange (IKE) version 1 and 2 protocol code running on Cisco ASA software, and trigger a buffer overflow.
IKE is used to authenticate connections and to set up secure virtual private networks, landing on the firewalls.
Security researchers David Barksdale, Jordan Gruskovnjak and Alex Wheeler said the algorithm for reassembling fragmented IKE payloads "contain a bounds-checking flaw that allows a heap buffer to be overflowed with attacker-controlled data".
The vulnerability can be triggered through malformed user datagram protocol (UDP) packets, sent via IP versions 4 and 6 traffic.
"An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system," Cisco warned.
"An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system."
An attacker would have to send the traffic directly to the vulnerable devices, which affects systems that are configured in routed firewall mode only, and in single or multiple context mode.
ASA software in the following Cisco products are affected by the vulnerability:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
Cisco has rated the flaw as the most severe and advised users to update any devices as soon as possible.
Users on Cisco ASA major release 7.2, 8.2, 8.3, 8.6 are affected, with the vendor suggesting they migrate to patched releases 9.1(7) or later.