CVE-2016-1287
Published: 2016-02-11
Priority P1 · 84 · critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS: 77.46% (99.5th percentile)
Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.
Affected
200 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | adaptive_security_appliance_software | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Byte pattern: |84 00 00|
- Monitor for a large increase in UDP port 500 scanning activity, which may indicate reconnaissance for vulnerable IKEv1/IKEv2 VPN endpoints.
- Scan your perimeter for devices listening on UDP port 500 to identify potentially vulnerable Cisco ASA IKEv1/IKEv2 endpoints.
- The exploit uses crafted Cisco-proprietary IKEv2 fragmentation packets (payload ID 0x84 / payload type 132) with invalid fragment sizes; detect malformed fragment headers on UDP/500.
- The exploit targets IKEv2 fragmentation reassembly functions; look for anomalous IKEv2 fragment reassembly traffic (ikev2_add_rcv_frag / ikev2_get_assembled_pkt) on UDP/500.
- The vulnerability can be triggered by both IPv4 and IPv6 traffic directed to the device; ensure monitoring covers both protocol families on UDP/500.
- Track Cisco Bug IDs CSCux29978 and CSCux42019 for patch status across affected ASA software versions.
- Only Cisco ASA devices configured in routed firewall mode (single or multiple context) are vulnerable; transparent mode is not affected.
- Only traffic directed to the affected system (i.e., the IKE service itself) can be used to exploit this vulnerability; transit traffic is not an attack vector.
- Beyond ASA devices, additional Cisco IOS/IOS XE routers with IKEv2 (and possibly IKEv1) fragmentation enabled may also be vulnerable (tracked as CSCux38417), even though the original Cisco advisory did not mention non-security devices.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- Vendor (Cisco): 10.0 CRITICAL
Cisco: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (vendor_cisco · 2016-02-11 · CVSS 10.0 · CRITICAL · CWE-119)
A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in sing
GHSA: GHSA-8657-w7wc-ccqj (ghsa_unreviewed · 2022-05-17 · CRITICAL · CWE-119), same description as the CVE entry above
Suricata: ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode (suricata · 2016-05-18 · CVSS 9.8 · CRITICAL)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata: ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode (suricata · 2016-05-18 · CVSS 9.8 · CRITICAL)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, cve CVE_2016_1287, confidence High, signature_severity Major, updated_at 2019_07_26;)
Suricata: ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound (suricata · 2016-02-12 · CVSS 9.8 · CRITICAL)
Rule: sid 2022506, already quoted in full in the Detection & IOCs section above.
Suricata: ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3 (suricata · 2016-02-12 · CVSS 9.8 · CRITICAL)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata: ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2 (suricata · 2016-02-12 · CVSS 9.8 · CRITICAL)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Tenable: [R1] Cisco Multiple Routers Fragmented IKEv2 Packet Handling Remote Integer Overflow (blogs_tenable · 2016-04-05)
Qualys: Critical Cisco VPN Flaw (blogs_qualys · 2016-02-12 · CVSS 9.8 · CRITICAL)
Cisco published this week an advisory for the critical vulnerability CVE-2016-1287 in its ASA line of firewalls that have IKEv1/2 VPNs configured. An exploit for the vulnerability would allow an unauthenticated, remote attacker to execute code on the device. A technical breakdown of the vulnerability can be found in the blog post at Exodus Intelligence, which reported the vulnerability to Cisco. Exodus Intelligence is a 0-day research company, so this showcases some of their capabilities, while at the same time raising the question as to why they would publish the vulnerability rather than add it to their portfolio.
The SANS Internet Storm Center has reported a large increase in the number of scans for port 500 as of February 10 when the advisory was published. This is most likely mapping act
References
- http://packetstormsecurity.com/files/137100/Cisco-ASA-Software-IKEv1-IKEv2-Buffer-Overflow.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
- http://www.securitytracker.com/id/1034997
- https://blog.exodusintel.com/2016/02/10/firewall-hacking/
- https://www.exploit-db.com/exploits/39823/
- https://www.kb.cert.org/vuls/id/327976