[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Garry gkg at gmx.de
Tue Feb 16 02:49:48 EST 2016


Hi,
> On Wed, 2016-02-10 at 08:06 -0800, psirt at cisco.com wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that
> there actually is a 8.2(5)59 version with the fix. Reading the SA page
> I got the impression that there was no fixed software for 8.2(5).
Thanks for the find, same situation we were in (well, several of our
customers rather) - reading the advisory, it clearly states anything 8.x
except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that
can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at
least one system that only has 256M of RAM (and therefore can't go to
anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30)
caused some problems due to incorrect (or incomplete) config migration
for several systems ... of course it could be fixed, but still ...
And yes, the systems should be kept more current, but seeing what
happens when you do update more or less confirms the old saying "never
change a running system" ... sadly ...

Still, if Cisco publishes an interim that fixes this disastrous flaw and
is not at least following up on their announcement (8.2.5(59) was
released 3 days after the initial notification was published), it's sort
of a pain for users ... even the advisory on the web page hasn't been
updated to at least list the option of using the interim ... :(

-garry
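The thread boils down to one question an operator has to answer per box: is the release it runs at or above the fixed release for its train? The following is an added example (not from the original post or from Cisco) that normalises the version notations used in the thread ("8.2(5)59", "8.2.5(59)", "8.4.7(30)") and checks `show version` lines against a fixed-release table. The table is built only from what the thread states (8.2(5)59 and 8.4(7)30) and should be confirmed against the advisory; the sample output lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases as named in this thread, keyed by release train.
# Constructed from the thread only; verify against the Cisco advisory.
FIXED_BY_TRAIN: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (8, 2): (8, 2, 5, 59),   # "8.2(5)59" per the quoted poster
    (8, 4): (8, 4, 7, 30),   # "the mentioned 8.4.7(30)"
}

def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise '8.2(5)59', '8.2.5(59)', '8.4.7(30)' or '9.1(7)' into
    (major, minor, maintenance, interim); a missing interim counts as 0."""
    text = text.strip()
    if not re.fullmatch(r"[\d.()]+", text):
        raise ValueError(f"not an ASA version string: {text!r}")
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected number of components: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])

def is_fixed(version_text: str) -> Optional[bool]:
    """True if the running release is at or above the fixed release for its
    train, False if below it, None if the train is not in the table."""
    ver = parse_asa_version(version_text)
    fixed = FIXED_BY_TRAIN.get(ver[:2])
    if fixed is None:
        return None
    return ver >= fixed

def triage(show_version_lines: List[str]) -> Dict[str, str]:
    """Map each 'Software Version X' line to a verdict; other lines are skipped."""
    labels = {True: "fixed", False: "vulnerable", None: "unknown-train"}
    results: Dict[str, str] = {}
    for line in show_version_lines:
        m = re.search(r"Software Version (\S+)", line)
        if m:
            results[m.group(1)] = labels[is_fixed(m.group(1))]
    return results

# Constructed sample 'show version' first lines from four hypothetical boxes.
SAMPLE_LINES = [
    "Cisco Adaptive Security Appliance Software Version 8.2(5)55",
    "Cisco Adaptive Security Appliance Software Version 8.2(5)59",
    "Cisco Adaptive Security Appliance Software Version 8.4(7)30",
    "Cisco Adaptive Security Appliance Software Version 9.1(7)",
]

if __name__ == "__main__":
    for version, verdict in triage(SAMPLE_LINES).items():
        print(f"{version:12s} {verdict}")
```

Trains absent from the table (9.x here) are reported as "unknown-train" rather than guessed, so the table has to be extended from the advisory before the output is trusted for them.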


