nanog mailing list archives
Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
From: Adrian M <adrian.minta () gmail com>
Date: Mon, 15 Feb 2016 14:16:13 +0200
In previous release 9.1(6) this line was ok:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32

In 9.1(7) it wasn't working anymore, so the solution was to add *no-proxy-arp* at the end:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 *no-proxy-arp*

On Mon, Feb 15, 2016 at 1:48 PM, Roberto <roberto () ipnetworks it> wrote:
Hello, excuse me for this direct email: but about the
https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/

"upgraded from 9.0(5) to 9.1(7)"

Solved! "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).

Are you indicating for example that previously on 9.0(5) it was:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 route-lookup

and now on 9.1(7) it is:

nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 *no-proxy-arp* route-lookup

Best Regards,
_________________________________
Roberto Taccon
e-mail: roberto () ipnetworks it
mobile: +39 340 4751352
fax: +39 045 4850850
skype: roberto.taccon

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On behalf of Adrian M
Sent: Monday, 15 February 2016 10:06
To: nanog () nanog org
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Solved! "Disable Proxy ARP" must be checked on NAT bypass rules (former nat 0).
On Thu, Feb 11, 2016 at 3:53 PM, Adrian M <adrian.minta () gmail com> wrote:

Be careful, it appears that something is broken with ARP on this release.
We have no ARP on the LAN interface, and somebody else has a similar problem:
https://www.reddit.com/r/networking/comments/433kqx/cisco_asa_not_recording_an_arp_entry/

On Wed, Feb 10, 2016 at 10:36 PM, Sadiq Saif <lists () sadiqs com> wrote:

Update your ASAs folks, this is a critical one.

-------- Forwarded Message --------
Subject: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Date: Wed, 10 Feb 2016 08:06:51 -0800
From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Reply-To: psirt () cisco com
To: cisco-nsp () puck nether net
CC: psirt () cisco com

Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20160210-asa-ike
Revision 1.0
For Public Release 2016 February 10 16:00 GMT (UTC)

+--------------------------------------------------------------------+

Summary
=======

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

_______________________________________________
cisco-nsp mailing list cisco-nsp () puck nether net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
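An added audit helper, not part of the thread and not Cisco's tooling, that scans the twice-NAT lines of an ASA running configuration and flags identity (bypass, former nat 0) rules that lack the no-proxy-arp keyword the thread found necessary after the 9.1(7) upgrade; the sample configuration is constructed for illustration.

```python
import re

# Constructed sample of "show running-config nat" output (not taken from the thread).
SAMPLE_NAT_CONFIG = """\
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32
nat (inside,outside) source static obj-1.0.0.36_32 obj-1.0.0.36_32 destination static obj-1.0.0.36_32 obj-1.0.0.36_32 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.0.0.5 obj-203.0.113.5
nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-remote obj-remote no-proxy-arp
"""

# Twice-NAT "source static" form only; object NAT defined inside "object network" blocks is not parsed.
NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\) source static (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?(?P<opts>.*)$"
)


def find_identity_nat_without_no_proxy_arp(config_text):
    """Return identity twice-NAT rules (real == mapped on every side) missing no-proxy-arp."""
    findings = []
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        # A bypass rule translates each object to itself; a real translation is not flagged.
        identity = m.group("real") == m.group("mapped")
        if m.group("dreal") is not None:
            identity = identity and m.group("dreal") == m.group("dmapped")
        if identity and "no-proxy-arp" not in m.group("opts").split():
            findings.append(line.strip())
    return findings


if __name__ == "__main__":
    for rule in find_identity_nat_without_no_proxy_arp(SAMPLE_NAT_CONFIG):
        print("identity NAT without no-proxy-arp:", rule)
```

Run it against the saved output of "show running-config nat" before and after an upgrade to see which bypass rules would start answering proxy ARP for their own addresses.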