[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Jared Mauch jared at puck.nether.net
Tue Feb 16 10:38:24 EST 2016


We’ve been having some interesting issues with the ASA that have kept us pegged at a specific release.  Upgrading even a minor release causes all traffic to be dropped without any clear explanation and TAC was not much help.  I’m thinking of just replacing the ASA with something that is easier to troubleshoot.

- Jared

> On Feb 16, 2016, at 10:35 AM, David White, Jr. (dwhitejr) <dwhitejr at cisco.com> wrote:
> 
> Sounds like CSCux15273 - inaccurate reporting of memory usage in 9.5(2)+
> 
> Sincerely,
> 
> David.
> 
> On 2/16/16 10:28 AM, Don Nightingale wrote:
>> I'm seeing this as well on our 5555 pair we upgraded 2/11 to 9.5(2)2.
>> Memory usage is slowly reported as increasing.  It's currently
>> breaking the asdm memory graph, displaying 450% memory utilization to
>> syslog and showing ridiculous numbers from the cli:
>> 
>> ciscoasa# sho mem
>> Free memory:      18446744044457691540 bytes (248730157%)
>> Used memory:       37261147072 bytes (-248730057%)
>> -------------     ------------------
>> Total memory:       7416356372 bytes (100%)
>> 
>> 
>> 
>> It's still operating so it may be either a cosmetic bug or a canary
>> that will keep me busy sometime in the near future.
>> 
>> We have an open tac case as well.
>> 
>> --
>> Don
>> 
>>> On Feb 16, 2016, at 3:08 AM, Andrew (Andy) Ashley <andrew.a at aware.co.th> wrote:
>>> 
>>> Hi,
>>> 
>>> We upgraded a pair of 5515-X’s from 9.2(1) to 9.5(2)2, the interim release, on Saturday.
>>> Since then the free memory on the primary unit has been steadily decreasing (30% -> 95% in 3 days).
>>> These small increases appear to be happening around every 30 minutes or so.
>>> We failed over to the standby, which had much lower memory usage but that too is now creeping up.
>>> The previous primary unit did not reclaim any memory and did not stop climbing either after fail over.
>>> 
>>> Have opened a TAC case but wondering if it’s just us, or if this is affecting others.
>>> 
>>> Regards,
>>> Andrew Ashley
>>> 
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Garry <gkg at gmx.de>
>>> Date: Tuesday, 16 February 2016 at 14:49
>>> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
>>> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
>>> 
>>>> Hi,
>>>>>> On Wed, 2016-02-10 at 08:06 -0800, psirt at cisco.com wrote:
>>>>>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>>>>>> Overflow Vulnerability
>>>>>> 
>>>>>> Advisory ID: cisco-sa-20160210-asa-ike
>>>>> Poor bastards stuck at 8.2 (like us) might be relieved to know that
>>>>> there actually is a 8.2(5)59 version with the fix. Reading the SA page
>>>>> I got the impression that there was no fixed software for 8.2(5).
>>>> Thanks for the find, same situation we were in (well, several of our
>>>> customers rather) - reading the advisory, it clearly states anything 8.x
>>>> except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that
>>>> can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at
>>>> least one system that only has 256M of RAM (and therefore can't go to
>>>> anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30)
>>>> caused some problems due to incorrect (or incomplete) config migration
>>>> for several systems ... of course it could be fixed, but still ...
>>>> And yes, the systems should be kept more current, but seeing what
>>>> happens when you do update more or less confirms the old saying "never
>>>> change a running system" ... sadly ...
>>>> 
>>>> Still, if Cisco publishes an interim that fixes this disastrous flaw and
>>>> is not at least following up on their announcement (8.2.5(59) was
>>>> released 3 days after the initial notification was published), it's sort
>>>> of a pain for users ... even the advisory on the web page hasn't been
>>>> updated to at least list the option of using the interim ... :(
>>>> 
>>>> -garry
>>>> 
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
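As an added example (not code from the thread), a small Python check that parses the `show memory` output quoted in Don Nightingale's message and flags the symptoms of CSCux15273-style misreporting: percentages outside 0..100, counters larger than the total, and a 64-bit value that is really a negative number printed unsigned. The invariants it assumes for a sane report (free + used == total, percentages within 0..100) are my assumptions, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample: the figures quoted in Don Nightingale's message above.
SAMPLE = """\
ciscoasa# sho mem
Free memory:      18446744044457691540 bytes (248730157%)
Used memory:       37261147072 bytes (-248730057%)
-------------     ------------------
Total memory:       7416356372 bytes (100%)
"""

LINE_RE = re.compile(r"^(Free|Used|Total) memory:\s+(\d+) bytes \((-?\d+)%\)")


def to_signed64(value: int) -> int:
    """Reinterpret a value printed as unsigned 64-bit as signed 64-bit (two's complement)."""
    return value - (1 << 64) if value >= (1 << 63) else value


def parse_show_memory(text: str) -> Dict[str, dict]:
    """Return {'Free': {'bytes': int, 'pct': int}, 'Used': ..., 'Total': ...}."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group(1)] = {"bytes": int(m.group(2)), "pct": int(m.group(3))}
    missing = {"Free", "Used", "Total"} - counters.keys()
    if missing:
        raise ValueError(f"show memory output incomplete, missing {sorted(missing)}")
    return counters


def check_show_memory(text: str) -> List[str]:
    """Sanity-check the counters; an empty list means the report is self-consistent.
    Assumed invariants: 0 <= pct <= 100, free/used <= total, free + used == total."""
    c = parse_show_memory(text)
    findings = []
    for name in ("Free", "Used", "Total"):
        b, pct = c[name]["bytes"], c[name]["pct"]
        if not 0 <= pct <= 100:
            findings.append(f"{name}: percentage {pct}% outside 0..100")
        if b >= (1 << 63):  # a negative counter printed as unsigned 64-bit
            findings.append(f"{name}: {b} looks negative when read as signed ({to_signed64(b)})")
        if name != "Total" and b > c["Total"]["bytes"]:
            findings.append(f"{name}: {b} bytes exceeds total {c['Total']['bytes']}")
    if c["Free"]["bytes"] + c["Used"]["bytes"] != c["Total"]["bytes"]:
        findings.append("Free + Used does not equal Total")
    return findings


if __name__ == "__main__":
    for finding in check_show_memory(SAMPLE):
        print("ANOMALY:", finding)
```

Run against a `show memory` capture taken by a poller, a non-empty result is a signal to open or update the TAC case rather than trust the memory graph.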