cbcvebase.
CVE-2016-1287
published 2016-02-11

Priority: P1 · 84 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 77.46% (99.5th percentile)
Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.
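The fixed releases in that description are per-train cutoffs, so a version check has to compare within the running train rather than across trains. The following Python is an added example, not code from this page, NVD or Cisco: it encodes the fixed-in table from the description and classifies a running ASA version. The format of the `show version` banner line and the equivalence of the "9.4(2.4)" (advisory/NVD) and "9.4(2)4" (device) spellings are assumptions; trains the description does not list are reported as unknown rather than guessed.

```python
import re

# Fixed releases per ASA train, exactly as listed in the CVE description.
# Trains absent here (e.g. 8.2, 8.3, 8.5, 8.6) are not covered by this table;
# the Cisco advisory, not this page, is authoritative for them.
FIXED_IN = {
    (8, 4): "8.4(7.30)",
    (8, 7): "8.7(1.18)",
    (9, 0): "9.0(4.38)",
    (9, 1): "9.1(7)",
    (9, 2): "9.2(4.5)",
    (9, 3): "9.3(3.7)",
    (9, 4): "9.4(2.4)",
    (9, 5): "9.5(2.2)",
}

# Accepts both spellings (assumed equivalent): "9.4(2.4)" as written in the
# advisory/NVD text and "9.4(2)4" as printed by `show version` on the device.
_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?\s*$")


def parse_asa_version(s: str) -> tuple:
    """'9.1(6)11' -> (9, 1, 6, 11); '9.4(2.4)' -> (9, 4, 2, 4); '9.1(7)' -> (9, 1, 7, 0)."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {s!r}")
    major, minor, maint, sub_in_parens, sub_after = m.groups()
    if sub_in_parens and sub_after:
        raise ValueError(f"ambiguous interim number in {s!r}")
    interim = int(sub_in_parens or sub_after or 0)
    return (int(major), int(minor), int(maint), interim)


def assess(running: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown-train' for CVE-2016-1287.

    Comparison is tuple-wise inside the running train only: 9.1(7)16 is not
    compared against the 9.2 cutoff, and a train missing from FIXED_IN is
    reported rather than assumed safe.
    """
    v = parse_asa_version(running)
    train = v[:2]
    if train not in FIXED_IN:
        return "unknown-train"
    return "fixed" if v >= parse_asa_version(FIXED_IN[train]) else "vulnerable"


def assess_show_version(output: str) -> str:
    """Pull the release out of `show version` text and assess it (banner format assumed)."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return assess(m.group(1))


if __name__ == "__main__":
    # Constructed sample of a `show version` banner line, not a real capture.
    sample = "Cisco Adaptive Security Appliance Software Version 9.1(6)11\n"
    print(assess_show_version(sample))
```

A "fixed" verdict only says the release is outside the stated ranges; actual exposure additionally requires IKEv1 or IKEv2 to be enabled on an interface in routed firewall mode, as noted under Detection & IOCs.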

Affected

200 ranges (25 shown; every listed range is for the same product)
Vendor: cisco
Product: adaptive_security_appliance_software
Version range / Fixed in: not extracted on this page; the fixed release for each affected train is given in the description above.

Detection & IOCs (extracted from sources)

port: UDP/500
snort: alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
bytes: |84 00 00|
  • Monitor for a large increase in UDP/500 scanning activity, which may indicate reconnaissance for vulnerable IKEv1/IKEv2 VPN endpoints.
  • Scan your perimeter for devices listening on UDP/500 to identify potentially vulnerable Cisco ASA IKEv1/IKEv2 endpoints.
  • The exploit uses crafted Cisco-proprietary IKEv2 fragmentation payloads (payload type 132, 0x84) with invalid fragment sizes; detect malformed fragment headers on UDP/500. The Snort rule above keys on exactly this: a payload header whose next-payload byte is 0x84 followed by a payload length below 9, which leaves no room for fragment data behind the 8-byte fragment header.
  • The bug is in the ASA's IKEv2 fragment reassembly code (the ikev2_add_rcv_frag / ikev2_get_assembled_pkt functions named in the referenced Exodus write-up); on the wire this shows up as fragmentation payloads with inconsistent or impossibly small lengths, not as a distinct protocol exchange.
  • IKE also runs over UDP/4500 (NAT-T), where the IKE header is preceded by a 4-byte non-ESP marker; the rule above is bound to port 500 only, so extend port-based monitoring and scanning to UDP/4500 as well.
  • The vulnerability can be triggered by both IPv4 and IPv6 traffic directed to the device; make sure monitoring covers both protocol families.
  • Track Cisco Bug IDs CSCux29978 and CSCux42019 for patch status across affected ASA software versions.
  • Only Cisco ASA devices configured in routed firewall mode (single or multiple context) are vulnerable; transparent mode is not affected.
  • Only traffic directed to the affected system (i.e., the IKE service itself) can be used to exploit this vulnerability; transit traffic is not an attack vector.
  • Beyond ASA, Cisco IOS/IOS XE routers with IKEv2 (and possibly IKEv1) fragmentation enabled may also be vulnerable (tracked as CSCux38417), even though the original Cisco advisory did not mention devices other than security appliances.
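The Snort rule above is a byte-pattern match. The following Python is an added example (not code from this page, Proofpoint/ET or Cisco) that performs the same check structurally, by walking the IKE payload chain and flagging Cisco fragmentation payloads (type 132) whose declared length leaves no room for the 8-byte fragment header, next to a literal port of the rule's first content/byte_test pair for comparison. Assumptions: the fragment payload layout (fragment id, fragment number, flags after the generic payload header) follows the Exodus write-up the rule references; the two sample datagrams are constructed, not captured; NAT-T handling only strips the RFC 3948 non-ESP marker.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IKE_HEADER_LEN = 28           # RFC 7296 fixed header: SPIs, next payload, version, ..., length
GENERIC_HDR_LEN = 4           # next payload(1), critical/reserved(1), payload length(2)
CISCO_FRAG_PAYLOAD = 0x84     # 132: Cisco proprietary IKEv2 fragmentation payload
CISCO_FRAG_HDR_LEN = 8        # generic header + fragment id(2) + fragment number(1) + flags(1);
                              # layout assumed from the Exodus write-up the ET rule references
ET_LEN_THRESHOLD = 9          # ET 2022506 alerts when the length byte after |84 00 00| is < 9
NON_ESP_MARKER = b"\x00" * 4  # prefix on IKE messages carried over UDP/4500 (NAT-T, RFC 3948)


@dataclass
class Finding:
    offset: int          # byte offset of the offending field within the IKE message
    payload_type: int
    declared_len: int
    reason: str


def parse_ike_payloads(pkt: bytes, natt: bool = False) -> List[Finding]:
    """Walk the IKE payload chain and report fragment payloads with impossible lengths."""
    if natt and pkt.startswith(NON_ESP_MARKER):
        pkt = pkt[len(NON_ESP_MARKER):]
    if len(pkt) < IKE_HEADER_LEN:
        return [Finding(0, 0, len(pkt), "truncated IKE header")]
    findings: List[Finding] = []
    next_payload = pkt[16]
    msg_len = struct.unpack_from(">I", pkt, 24)[0]
    if msg_len != len(pkt):
        findings.append(Finding(24, 0, msg_len, "IKE header length != datagram length"))
    off = IKE_HEADER_LEN
    while next_payload != 0 and off < len(pkt):
        if off + GENERIC_HDR_LEN > len(pkt):
            findings.append(Finding(off, next_payload, 0, "truncated payload header"))
            break
        ptype, nxt = next_payload, pkt[off]          # type comes from the previous header
        plen = struct.unpack_from(">H", pkt, off + 2)[0]
        if ptype == CISCO_FRAG_PAYLOAD and plen < ET_LEN_THRESHOLD:
            findings.append(Finding(off, ptype, plen,
                "fragment payload length <= its 8-byte header (CVE-2016-1287 pattern)"))
        if plen < GENERIC_HDR_LEN:
            findings.append(Finding(off, ptype, plen, "payload length below generic header"))
            break
        if off + plen > len(pkt):
            findings.append(Finding(off, ptype, plen, "payload length runs past end of packet"))
            break
        off += plen
        next_payload = nxt
    return findings


def et_2022506_like(pkt: bytes) -> bool:
    """Byte-pattern equivalent of the rule's first content/byte_test pair: a payload header
    whose next-payload byte is 0x84 and whose length is < 9, anywhere in the datagram."""
    i = pkt.find(b"\x84\x00\x00")
    while i != -1:
        if i + 3 < len(pkt) and pkt[i + 3] < ET_LEN_THRESHOLD:
            return True
        i = pkt.find(b"\x84\x00\x00", i + 1)
    return False


# --- constructed samples (not captures) --------------------------------------

def ike_header(next_payload: int, body_len: int) -> bytes:
    # SPIs and message id are made up; version 2.0, exchange 34 (IKE_SA_INIT), Initiator flag
    return (b"\x11" * 8 + b"\x00" * 8
            + bytes([next_payload, 0x20, 34, 0x08])
            + struct.pack(">II", 0, IKE_HEADER_LEN + body_len))


def frag_payload(next_payload: int, frag_id: int, frag_num: int, flags: int,
                 data: bytes, declared_len: Optional[int] = None) -> bytes:
    plen = CISCO_FRAG_HDR_LEN + len(data) if declared_len is None else declared_len
    return struct.pack(">BBHHBB", next_payload, 0, plen, frag_id, frag_num, flags) + data


# Two chained fragment payloads with honest lengths ...
GOOD = (ike_header(CISCO_FRAG_PAYLOAD, 2 * (CISCO_FRAG_HDR_LEN + 16))
        + frag_payload(CISCO_FRAG_PAYLOAD, 1, 1, 0, b"A" * 16)
        + frag_payload(0, 1, 2, 1, b"B" * 16))
# ... and the same datagram with the first fragment's length field lied about (1 byte).
BAD = (ike_header(CISCO_FRAG_PAYLOAD, 2 * (CISCO_FRAG_HDR_LEN + 16))
       + frag_payload(CISCO_FRAG_PAYLOAD, 1, 1, 0, b"A" * 16, declared_len=1)
       + frag_payload(0, 1, 2, 1, b"B" * 16))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, et_2022506_like(pkt), [f.reason for f in parse_ike_payloads(pkt)])
```

Run as is, both checks agree on the two samples. The structural parser additionally reports a header length that disagrees with the datagram size and payload lengths that overrun the datagram, which the byte pattern cannot express; conversely it only sees fragment payloads reachable through the chain, so a truncated earlier payload stops the walk, and the NAT-T variant has to be fed with natt=True because the non-ESP marker shifts every offset by four bytes.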

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor (cisco) · 10.0 CRITICAL