VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 28, 2016· Updated May 6, 2026

CVE-2016-1379

CVE-2016-1379

Description

Cisco Adaptive Security Appliance (ASA) Software 9.0 through 9.5.1 mishandles IPsec error processing, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted (1) LAN-to-LAN or (2) Remote Access VPN tunnel packets, aka Bug ID CSCuv70576.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco ASA Software 9.0-9.5.1 mishandles IPsec ICMP error processing, allowing authenticated remote attackers to trigger memory exhaustion and DoS via crafted VPN tunnel packets.

Vulnerability

Cisco Adaptive Security Appliance (ASA) Software versions 9.0 through 9.5.1 incorrectly process ICMP error messages for IPsec packets. The flaw resides in the IPsec code path triggered when the set validate-icmp-errors command is configured in a crypto map for IKEv1 or IKEv2 LAN-to-LAN or Remote Access VPN tunnels (including L2TP-IPsec). This command is not enabled by default. Affected products include Cisco ASA Software configured for IKEv1/IKEv2 VPN with the validate-icmp-errors feature [1].

Exploitation

An authenticated remote attacker with VPN tunnel access can send crafted packets through an established LAN-to-LAN or Remote Access VPN tunnel. The attacker must have the ability to inject IP packets that will be processed as ICMP errors by the ASA. The attacker does not need additional privileges beyond authentication to the VPN tunnel [1].

Impact

Successful exploitation causes the depletion of a memory block in the ASA, leading to system instability and eventually a denial of service (DoS) condition where the device stops forwarding traffic. The attack does not allow data disclosure or code execution; it only impairs availability [1].

Mitigation

Cisco released software updates to address this vulnerability. Administrators should upgrade to a fixed version (see Cisco Security Advisory cisco-sa-20160517-asa-vpn). There are no workarounds; however, the vulnerable feature set validate-icmp-errors is not enabled by default. Removing this command from crypto maps can prevent exploitation. No KEV listing is known [1].

References
  1. Cisco Security Advisory: Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

69
  • Cisco Systems, Inc./Cisco Adaptive Security Appliance68 versions
    cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.1:*:*:*:*:*:*:*+ 67 more
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.2.10:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.3.8:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.17:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.20:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.24:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.26:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.29:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.33:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.35:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.37:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.0.4.7:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5.10:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5.12:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5.15:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.5.21:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.6:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.1.6.8:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2\(0.0\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2\(0.104\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2\(3.1\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3\(1.105\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3\(1.50\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3\(2.100\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3\(2.243\):*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.3.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.0.115:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:cisco:adaptive_security_appliance_software:9.5.1:*:*:*:*:*:*:*
  • Cisco Systems, Inc./Adaptive Security Appliance (ASA) Softwarellm-fuzzy
    Range: 9.0 - 9.5.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.