[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Feb 16 14:30:50 EST 2016


That's correct, and covered by the bug I provided below.

Please note, we just posted 9.1(6.11), which contains the fix to the 
vulnerability, but does not have the ARP bug in it (or the SNMP one).

Sincerely,

David.

On 2/16/16 2:21 PM, Jan Gregor wrote:
> Hi David,
>
> yeah, that fixed it, but it seems that there is some issue there after
> all. The thing is I had "sysopt noproxyarp DMZ" in my configuration,
> which should have prevented this behaviour. Apparently it did not.
>
> I am already working on this with your colleague from TAC.
>
>
> Best regards,
>
> Jan
>
>
> On 02/16/2016 03:57 PM, David White, Jr. (dwhitejr) wrote:
>> Hi Jan,
>>
>> The 'solution' to the below issue is to add the keyword no-proxy-arp to
>> the nat rule.
>>
>> Due to the fix for bug CSCuc11186
>> <https://tools.cisco.com/bugsearch/bug/CSCuc11186>, if the ASA receives
>> an ARP packet from an IP which is in your nat rule, then it will not
>> reply to it.  This happens with overly broad NAT rules.  Adding the
>> "no-proxy-arp" keyword to the nat rule will fix this issue.
>>
>> Hope it helps,
>>
>> David.
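The NAT change David describes, written out as an added configuration example; it is not from the thread or from Cisco's documentation. The interface names (DMZ, outside), object names and address ranges are made up for illustration. The first rule is the "overly broad" case: its real object covers the DMZ segment itself, so an ARP request from any DMZ host arrives from a source IP that sits inside a NAT rule, which is the condition David says stops the ASA from replying. The second rule is the same translation with the no-proxy-arp keyword added.

```cisco
! Added example, not from the mailing-list thread.
! Interface names, object names and addresses are assumptions.

object network DMZ-NET
 subnet 192.168.10.0 255.255.255.0
object network ANY-PRIVATE
 subnet 192.168.0.0 255.255.0.0
object network VPN-REMOTE
 subnet 10.20.0.0 255.255.0.0

! Overly broad: the identity rule covers 192.168.0.0/16, which includes
! the 192.168.10.0/24 hosts that actually live on the DMZ interface.
! Every ARP request from a DMZ host is therefore sourced from an IP that
! falls inside this NAT rule.
nat (DMZ,outside) source static ANY-PRIVATE ANY-PRIVATE destination static VPN-REMOTE VPN-REMOTE

! Corrected: identical translation, but the ASA no longer proxy-ARPs for
! the mapped range, so it answers ARP from the DMZ hosts as usual.
nat (DMZ,outside) source static ANY-PRIVATE ANY-PRIVATE destination static VPN-REMOTE VPN-REMOTE no-proxy-arp

! The same keyword applies to object NAT (one object, one static mapping):
object network DMZ-WEB
 host 192.168.10.10
 nat (DMZ,outside) static 203.0.113.10 no-proxy-arp
```

After applying it, `show running-config nat` shows the keyword on each rule it was added to. Scoping the real object down to the subnet that actually needs translation (here DMZ-NET rather than ANY-PRIVATE) is the other way to stop a rule from being "overly broad", and the two changes can be combined.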


