[c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Feb 16 14:30:50 EST 2016

That's correct, and covered by the bug I provided below.

Please note, we just posted 9.1(6.11), which contains the fix to the 
vulnerability, but does not have the APR bug in it (or the SNMP one).



On 2/16/16 2:21 PM, Jan Gregor wrote:
> Hi David,
> yeah, that fixed it, but it seems that there is some issue there after
> all. The thing is I had "sysopt noproxyarp DMZ" in my configuration,
> which should have prevented this behaviour. Apparently it did not.
> I am already working on this with your colleague from TAC.
> Best regards,
> Jan
> On 02/16/2016 03:57 PM, David White, Jr. (dwhitejr) wrote:
>> Hi Jan,
>> The 'solution' to the below issue is to add the keyword no-proxy-arp to
>> the nat rule.
>> Due to the fix for bug CSCuc11186
>> <https://tools.cisco.com/bugsearch/bug/CSCuc11186>, if the ASA receives
>> an ARP packet from an IP which is in your nat rule, then it will not
>> reply to it.  This happens with overly broad NAT rules.  Adding the
>> "no-proxy-arp" keyword to the nat rule will fix this issue.
>> Hope it helps,
>> David.
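The change David describes, shown as a constructed ASA configuration fragment. This is an added example, not configuration from the original thread or from Cisco; the interface names (inside, DMZ), object names and RFC 5737 addresses are assumptions chosen for illustration, and only the `no-proxy-arp` keyword itself comes from the message above. The first rule is the kind of overly broad identity NAT (matching `any`) that causes the ASA to treat every ARP request it sees as coming from an address "in the nat rule"; the second is the same rule with the keyword added.

```text
! --- Before: overly broad identity NAT (covers every source address) ---
object network INSIDE_NET
 subnet 10.0.0.0 255.0.0.0
object network DMZ_NET
 subnet 192.0.2.0 255.255.255.0

nat (inside,DMZ) source static any any destination static any any

! --- After: same rule, proxy ARP disabled for this NAT entry ---
nat (inside,DMZ) source static any any destination static any any no-proxy-arp route-lookup

! Same keyword on a per-object static NAT, if that is the broad rule instead
object network SRV-WEB
 host 192.0.2.10
 nat (DMZ,outside) static 203.0.113.10 no-proxy-arp

! Verification (constructed, not from the thread):
!   show running-config nat     - confirm the keyword is present on the rule
!   show nat detail             - confirm the rule and its translate counts
!   show arp                    - DMZ hosts should now resolve after the change
```

Note that `no-proxy-arp` is scoped to the individual NAT entry, which is why David suggests it on the rule itself rather than relying only on an interface-wide setting; after applying it, clear the ARP cache on the affected hosts before re-testing so a stale entry does not mask the result.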
