CVE-2016-1287
critical-risk
Published 2016-02-11
Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.
Do I need to act?
!
89.8% chance of exploitation in next 30 days
EPSS score — higher than 10% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (12)
Third Party Advisory
http://www.securitytracker.com/id/1034997
Third Party Advisory
https://www.kb.cert.org/vuls/id/327976
Third Party Advisory
http://www.securitytracker.com/id/1034997
Third Party Advisory
https://www.kb.cert.org/vuls/id/327976
92
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
27/34 · High
Exposure
33/34 · Critical