A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
This is registered as CVE-2016-1287. See the Cisco Security Advisory for additional information
There are two pieces of content in Live, which identify events within SA that potentially warrant further investigation.
- LUA Parser (packets): ISAKMP
- Application Rule (logs): Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow
ISAKMP LUA Parser
For packet-based customers, this LUA parser identifies ISAKMP. For IKE type 132 (fragment) payloads, an alert is registered if the length field is less than 8, which indicates an attempt to exploit Cisco ASA Buffer Overflow CVE-2016-1287. ISAKMP sessions on ports other than UDP 500 or 4500 will not be parsed.
* alert.id - mapped to risk meta
* service - '500'
* isakmp buffer overflow
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Application Rule
Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.
SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.
Rule Name: nw125025
Condition: device.type='snort','ciscoidsxml' && policy.name='"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"', '"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"', 'Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow'
Alert On: alert.id
risk.warning - Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow
Since a result of the vulnerability is a large increase in ISAKMP sessions utilizing UDP port 500 or 4500, a Correlation Rule or ESA rule could be created to detect traffic over a threshold typical within the customer environment.
The rule should be tailored to the customer environment:
- Condition ‘device.type='ciscoasa' && ip.dstport=500’ is added to detect logs with Cisco ASA enabled. Remove if not needed or update to allow for ip.dstport 4500 if applies to environment
- Default threshold is a single ip.src generating traffic to greater than 200 unique ip.dst. Customize the threshold for the customer environment
Sample Basic Correlation Rule
Rule Name: Cisco ASA Buffer Overflow Vulnerability
Condition: medium=32 && device.type='ciscoasa' && ip.dstport=500
Instance Key: ip.src
Time Window: 5 minutes
Sample ESA Rule
Create an Advanced ESA rule and copy and paste the following. Be sure to customize for the environment as described above.
The @Hint to reclaim groups should match in seconds the total time set for the window.
SELECT * FROM
medium=32 AND device_type='ciscoasa' AND ip_dstport=500
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 200).std:unique(ip_dst)
GROUP BY ip_src
HAVING COUNT(*) = 200;