Summary

• A vulnerability in the IPsec code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause the depletion of a memory block, which may cause the system to stop forwarding traffic and result in a denial of service (DoS) condition.
  
  The vulnerability is due to an error in the implementation of ICMP error handling for IPsec packets. An attacker could exploit this vulnerability by sending crafted packets through an established LAN-to-LAN or Remote Access VPN tunnel. A successful exploit could allow the attacker to deplete available memory and cause system instability or cause the system to stop forwarding traffic.
  
  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
  
  This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-vpn

Affected Products

• Cisco ASA Software is affected by this vulnerability if the system is configured for Internet Key Exchange Version 1 (IKEv1) or Internet Key Exchange Version 2 (IKEv2) LAN-to-LAN VPN or IKEv1 or IKEv2 Remote Access VPN with Layer 2 Tunneling Protocol and IPsec (L2TP-IPsec), and the set validate-icmp-errors command is configured in the crypto map. The set validate-icmp-errors command is not configured by default.
  
  To determine whether the set validate-icmp-errors command is configured, administrators can issue the show run | set validate-icmp-errors command and verify that the command returns output.
  
  Cisco ASA Software that is configured for Clientless VPN or AnyConnect SSL VPN is not affected by this vulnerability.

  Vulnerable Products

  Cisco ASA Software releases 9.0 and later are affected by this vulnerability.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

• There are no workarounds that address this vulnerability.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  Customers should upgrade to an appropriate release as indicated in the following table. In the table, the left column lists major releases of Cisco ASA Software. The right column indicates whether a major release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.
  
  

  Cisco ASA Major Release	First Fixed Release
  Prior to 9.0	Not affected
  9.0	9.0(4.39)
  9.1	9.1(6.9)
  9.2	9.2(4.1)
  9.3	9.3(3.9)
  9.4	9.4(2)
  9.5	9.5(1.4)
  9.6	Not affected

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

• This vulnerability was found during the resolution of support cases.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160517-asa-vpn

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	—	Final	2016-May-17

  Show Less