CVE-2014-3383
Description
Cisco ASA Software IKE implementation in VPN components before 9.1(5.1) allows remote attackers to cause a device reload via crafted UDP packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the IKE implementation of the VPN component in Cisco ASA Software version 9.1 prior to 9.1(5.1) (Bug ID CSCul36176). The bug is triggered when the device is configured to terminate IKEv1 or IKEv2 VPN connections, including LAN-to-LAN, Remote Access VPN via IPSec VPN client, IKEv2 AnyConnect VPN, and L2TP over IPSec VPN connections [1]. The vulnerable code path is reachable by sending crafted UDP packets to the affected interface [1].
Exploitation
An attacker does not need authentication; the attack is performed remotely over the network. The attacker sends crafted UDP packets to a Cisco ASA device that is configured to terminate IKEv1 or IKEv2 VPN connections. No user interaction or special privilege is required. The IKE service processes the malformed packets, leading to a denial of service condition [1].
Impact
A successful exploit causes the Cisco ASA device to reload, resulting in a denial of service (DoS). The impact is limited to availability; the attacker does not gain information disclosure, code execution, or privilege escalation. The reload may temporarily disrupt VPN and other network services [1].
Mitigation
Cisco fixed this vulnerability in ASA Software version 9.1(5.1) and later [1]. Organizations should upgrade to a fixed version. As a workaround, administrators can restrict IKE traffic to trusted sources using access-lists or other network-level controls. No KEV listing was observed for this CVE. The advisory also notes that the vulnerability is separate from other DoS issues in the same advisory [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cisco:asa:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:asa:9.1.5:*:*:*:*:*:*:*
- Range: >= 9.1, < 9.1(5.1)
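To triage an inventory against the range listed above, the following added example (not code from this page or from Cisco) parses ASA version strings and flags those that are >= 9.1 and < 9.1(5.1). It assumes the `9.1(5)1` interim notation is equivalent to `9.1(5.1)`; the hostnames and inventory are constructed.

```python
import re

# Range as listed on this page: >= 9.1, < 9.1(5.1)
RANGE_START = (9, 1, 0, 0)
FIRST_FIXED = (9, 1, 5, 1)

# Matches 9.1, 9.1(5), 9.1(5.1) and, by assumption, the 9.1(5)1 interim form.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\)(\d+)?)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim), or None if unparseable."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, maint, dotted, trailing = m.groups()
    if dotted and trailing:
        return None  # both interim notations at once is ambiguous
    return (int(major), int(minor), int(maint or 0), int(dotted or trailing or 0))


def in_listed_range(text):
    """True/False for parseable versions, None when the string needs manual review."""
    version = parse_asa_version(text)
    if version is None:
        return None
    return RANGE_START <= version < FIRST_FIXED


def triage(inventory):
    """Map each hostname to 'upgrade', 'outside listed range', or 'review'."""
    labels = {True: "upgrade", False: "outside listed range", None: "review"}
    return {host: labels[in_listed_range(ver)] for host, ver in inventory.items()}


# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "asa-edge-1": "9.1(4)",
    "asa-edge-2": "9.1(5)",
    "asa-edge-3": "9.1(5.1)",
    "asa-lab-1": "9.1(5)1",
    "asa-lab-2": "9.0(4)",
    "asa-lab-3": "9.1(x)",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A version match is only half of the check: per the description above, the issue applies to devices configured to terminate IKEv1 or IKEv2 VPN connections. "Outside listed range" refers only to the range on this page.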
Patches
No patches discovered yet.
References