Angela Stranahan

Detecting Cisco ASA IKE Buffer Overflow Vulnerability Using Security Analytics

Blog Post created by Angela Stranahan Employee on Feb 29, 2016

Summary

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.


This is registered as CVE-2016-1287. See the Cisco Security Advisory for additional information:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike


Live Content

There are two pieces of content in Live that identify events within SA (Security Analytics) which potentially warrant further investigation.

  1. LUA Parser (packets):  ISAKMP
  2. Application Rule (logs):  Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow


ISAKMP LUA Parser

For packet-based customers, this LUA parser identifies ISAKMP traffic. For IKE payload type 132 (fragment), an alert is registered if the payload length field is less than 8, which indicates an attempt to exploit the Cisco ASA buffer overflow, CVE-2016-1287. ISAKMP sessions on ports other than UDP 500 or 4500 will not be parsed.
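The check described above, written out as a small Python detector (an added example, not the Live parser itself): it walks the ISAKMP payload chain after the 28-byte header, only for UDP 500/4500, and raises the parser's alert when a fragment payload (type 132) carries a length field below 8. The NAT-T non-ESP marker handling on port 4500 and the test packets are assumptions of this example.

```python
import struct

ISAKMP_HDR_LEN = 28       # RFC 2408 header: 2 cookies, next payload, version, exchange, flags, msg id, length
FRAGMENT_PAYLOAD = 132    # IKE fragmentation payload type the parser checks
MIN_FRAGMENT_LEN = 8      # 4-byte generic payload header + fragment id (2) + number (1) + flags (1)
IKE_PORTS = {500, 4500}
NAT_T_MARKER = b"\x00\x00\x00\x00"   # non-ESP marker preceding ISAKMP on UDP 4500 (RFC 3948)


def isakmp_alerts(udp_payload: bytes, dst_port: int):
    """Return the alert ids this packet would raise (empty list if none).

    Same rule as the Live parser: only UDP 500/4500 are parsed, and a fragment
    payload (132) whose length field is below 8 yields 'isakmp buffer overflow'.
    """
    if dst_port not in IKE_PORTS:
        return []                      # parser does not inspect other ports
    data = udp_payload
    if dst_port == 4500 and data.startswith(NAT_T_MARKER):
        data = data[4:]                # strip NAT-T marker so the header lines up
    if len(data) < ISAKMP_HDR_LEN:
        return []
    next_payload = data[16]            # "next payload" byte of the fixed header
    offset = ISAKMP_HDR_LEN
    alerts = []
    while next_payload != 0 and offset + 4 <= len(data):
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if next_payload == FRAGMENT_PAYLOAD and plen < MIN_FRAGMENT_LEN:
            alerts.append("isakmp buffer overflow")
        if plen < 4:                   # generic header alone is 4 bytes; cannot advance safely
            break
        offset += plen
        next_payload = nxt
    return alerts


def build_isakmp(payloads, length_override=None):
    """Constructed test message: payloads is a list of (type, body) tuples.
    length_override, if set, is written into the first payload's length field."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = length_override if (i == 0 and length_override is not None) else 4 + len(pbody)
        body += struct.pack("!BBH", nxt, 0, plen) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body


FRAG_BODY = struct.pack("!HBB", 1, 1, 1) + b"A" * 16     # well-formed fragment payload body (constructed)
GOOD_PKT = build_isakmp([(FRAGMENT_PAYLOAD, FRAG_BODY)])                    # length field 24
BAD_PKT = build_isakmp([(FRAGMENT_PAYLOAD, FRAG_BODY)], length_override=7)  # length field below 8
```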


Parser Details:

DEPENDENCIES

     Parsers

          * FeedParser

          * NETWORK

     Feeds

          * alertids_warning

CONFLICTS

     None

KEYS

     * alert.id - mapped to risk meta

     * service - '500'

RISK VALUES

     warning

          * isakmp buffer overflow


Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Application Rule

Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule, written to detect indicators of CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.


The SourceFire signature IDs used to detect this vulnerability are '1:36903' and '1:37674', while the Cisco IPS signature IDs are 7169-0 and 7169-1.


Rule Logic:

Rule Name: nw125025

Condition:  device.type='snort','ciscoidsxml' && policy.name='"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"', '"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"', 'Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow'

Alert On:  alert.id


Rule Details:

RISK VALUES

          risk.warning - Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow


DEPENDENCIES

    FeedParser

     feed:alertids_warning


Customer Content

Since one result of the vulnerability being exercised is a large increase in ISAKMP sessions over UDP port 500 or 4500, a Correlation Rule or ESA rule can be created to detect traffic exceeding the threshold that is typical within the customer environment.


The rule should be tailored to the customer environment:

  1. The condition device.type='ciscoasa' && ip.dstport=500 is included to match logs from Cisco ASA devices. Remove it if not needed, or extend it to include ip.dstport=4500 if that applies to the environment.
  2. The default threshold is a single ip.src generating traffic to more than 200 unique ip.dst addresses. Customize the threshold for the customer environment.


Sample Basic Correlation Rule


Rule Name:  Cisco ASA Buffer Overflow Vulnerability

Condition:  medium=32 && device.type='ciscoasa' && ip.dstport=500

Threshold:  u_count(ip.dst)>200

Instance Key:  ip.src

Time Window:  5 minutes


Sample ESA Rule

Create an Advanced ESA rule and paste in the following. Be sure to customize it for the environment as described above.


The reclaim_group_aged value in the @Hint is given in seconds and should match the total time set for the window (300 seconds for the 5 minute window below).


@Hint('reclaim_group_aged=300')
@RSAAlert
SELECT * FROM
Event(
    medium=32 AND device_type='ciscoasa' AND ip_dstport=500
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 200).std:unique(ip_dst)
GROUP BY ip_src
HAVING COUNT(*) = 200;

Outcomes