
DSN: Cisco Internet Key Exchange Buffer Overflow

Overview

Cisco released a Security Advisory today (02/10/2016) warning of a major vulnerability in all of its devices with VPN capabilities. The vulnerability lies in the Internet Key Exchange (IKEv1 & IKEv2) component, which is used to exchange encryption keys for VPN tunnels. Cisco has released updated firmware versions for its devices that will remediate this vulnerability, and all vulnerable devices should be updated as soon as possible.

CVE Number

CVE-2016-1287

Affected Products

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

Affected Versions

| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 7.2 | Affected; migrate to 9.1(7) or later |
| 8.2 | Affected; migrate to 9.1(7) or later |
| 8.3 | Affected; migrate to 9.1(7) or later |
| 8.4 | 8.4(7.30) |
| 8.5 | Not affected but out of support |
| 8.6 | Affected; migrate to 9.1(7) or later |
| 8.7 | 8.7(1.18) |
| 9.0 | 9.0(4.38) |
| 9.1 | 9.1(7) |
| 9.2 | 9.2(4.5) |
| 9.3 | 9.3(3.7) |
| 9.4 | 9.4(2.4) |
| 9.5 | 9.5(2.2) |


Mitigation

  • Check all Cisco devices in your environment to see if they are affected by this vulnerability
  • Upgrade firmware to the Cisco-recommended version on all affected devices
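
One way to carry out the first step, as an added example that is not part of the original page or of Cisco's advisory: a Python check that compares each device's reported ASA version with the first fixed release listed under Affected Versions. The hostnames and versions in INVENTORY are constructed, and treating the `9.1(7)4` spelling of an interim release as equivalent to `9.1(7.4)` is an assumption.

```python
import re

# First fixed releases, copied from the "Affected Versions" table on this page.
# None = affected, no fix in that train (migrate to 9.1(7) or later).
FIRST_FIXED = {
    "7.2": None, "8.2": None, "8.3": None, "8.4": "8.4(7.30)",
    "8.6": None, "8.7": "8.7(1.18)", "9.0": "9.0(4.38)", "9.1": "9.1(7)",
    "9.2": "9.2(4.5)", "9.3": "9.3(3.7)", "9.4": "9.4(2.4)", "9.5": "9.5(2.2)",
}
NOT_AFFECTED = {"8.5"}  # listed as not affected but out of support

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")

def parse(version):
    """Return (major, minor, maintenance, interim) for '9.1(6.10)' or '9.1(6)10'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    major, minor, maint, dotted, trailing = m.groups()
    return int(major), int(minor), int(maint), int(dotted or trailing or 0)

def assess(version):
    """Classify a running version against the table and return a status string."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if train in NOT_AFFECTED:
        return "not affected (out of support)"
    if train not in FIRST_FIXED:
        # Trains the page does not list are not guessed at.
        return "unknown train: check the Cisco advisory"
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "affected: migrate to 9.1(7) or later"
    if v >= parse(fixed):
        return "fixed"
    return f"affected: upgrade to {fixed} or later"

# Constructed inventory: hostnames and versions are sample values.
INVENTORY = {"fw-edge-1": "9.1(6.10)", "fw-edge-2": "9.1(7)4",
             "fw-dc-1": "8.4(7)30", "fw-lab-1": "8.2(5)", "fw-old": "8.5(1)"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:10} {ver:10} {assess(ver)}")
```
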

Additional Information

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

