Critical Vuln.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
Time to get the upgrade... and upgrade!
This is why I hate finding gear on old code with no reboot for many years... hundreds of things on it that can get ripped up that are known patched vulnerabilities.
what security advisories are you guys running? I did not get an alert on this at all.
This came up in my Cisco RSS feed yesterday. Here's the URL... http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml
It works in my news reader, but never worked well with the forums here as a feed piping into a thread.
Quote from: deanwebb on January 30, 2018, 10:42:54 AM
Time to get the upgrade... and upgrade!
Or migrate to a new vendor ;)
Quote from: SofaKing on January 30, 2018, 03:33:47 PM
Quote from: deanwebb on January 30, 2018, 10:42:54 AM
Time to get the upgrade... and upgrade!
Or migrate to a new vendor ;)
True, there's that... but most shops can't swap out the gear instantaneously. ;)
What a shit show it has been with the ASAs in the last years. I really wonder why anyone would still even consider buying these, unless they are really ignorant about all the exploits.
This affects Firepower/Sourcefire as well....
Quote from: SimonV on January 31, 2018, 03:07:24 AM
What a shit show it has been with the ASAs in the last years. I really wonder why anyone would still even consider buying these, unless they are really ignorant about all the exploits.
Along the lines of the "accounting is architecture" line in my sig, sometimes accounting is also a big part of the vendor selection process. I always hated to hear "We'll accept the risk" as a manager signed off on a less-expensive product that had security concerns. Sometimes, it's price that drives a decision. If a company only wants to tick all the boxes on the compliance checklist, they're not going to be overly concerned with bigger issues, like actual security.
Quote from: deanwebb on January 30, 2018, 02:54:33 PM
This came up in my Cisco RSS feed yesterday. Here's the URL... http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml
It works in my news reader, but never worked well with the forums here as a feed piping into a thread.
Trying something new with it, hope it will populate properly in Vendor Advisories... we'll see...
Quote from: deanwebb on January 31, 2018, 11:17:38 AM
I always hated to hear "We'll accept the risk" as a manager signed off...
This guy has a great sense of humor and his videos are generally on-point:
https://www.youtube.com/watch?v=9IG3zqvUqJY&t=3s
ASA: if you want a crap firewall that has lots of vulnerabilities, next-to-no NGFW functions unless you bolt on a (separate) sourcefire VM, is earmarked for the graveyard (FTD is the future obviously) and couldn't even do routed VPNs (GRE over IPSEC) or even peer BGP until a few years ago. And oh no zones. And oh awful central management. And no GUI (do you count ASDM? LOL). And next to no automation / terrible API.
I suppose they are usually very stable, that's all the good things I have to say about ASAs.
The only reason they ever sold was because of the badge
soo..... I just found out about this:
https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html
includes all EoL, Security, Bugs, etc, etc. NICE!
Quote from: LynK on February 01, 2018, 09:39:16 AM
soo..... I just found out about this:
https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html
includes all EoL, Security, Bugs, etc, etc. NICE!
I used to use that for email notifications. Yes, was nice, a real PITA to go through all the selections to fine tune what is of value. I gave up on it because I started getting TCP vulnerabilities from like 17 years ago, more than a few times.
I contacted Cisco about this, and after many humble apologies, the issue was never fixed, so I let my email notifications expire.
Quote from: SofaKing on January 31, 2018, 02:51:40 PM
This guy has a great sense of humor and his videos are generally on-point:
https://www.youtube.com/watch?v=9IG3zqvUqJY&t=3s
I lol'd :smug:
Quote from: wintermute000 on February 01, 2018, 05:10:37 AM
ASA: if you want a crap firewall that has lots of vulnerabilities, next-to-no NGFW functions unless you bolt on a (separate) sourcefire VM, is earmarked for the graveyard (FTD is the future obviously) and couldn't even do routed VPNs (GRE over IPSEC) or even peer BGP until a few years ago. And oh no zones. And oh awful central management. And no GUI (do you count ASDM? LOL). And next to no automation / terrible API.
I suppose they are usually very stable, that's all the good things I have to say about ASAs.
The only reason they ever sold was because of the badge
Certifications have a hand in that, as well. It's easier to find someone that learned firewall stuff on an ASA than, say, a CheckPoint. Some firms make purchasing decisions influenced by their estimate of how easy/difficult it will be to find people that can support that technology.
Quote from: ristau5741 on February 01, 2018, 10:28:07 AM
Quote from: LynK on February 01, 2018, 09:39:16 AM
soo..... I just found out about this:
https://www.cisco.com/c/en/us/support/web/tools/cns/notifications.html
includes all EoL, Security, Bugs, etc, etc. NICE!
I used to use that for email notifications. Yes, was nice, a real PITA to go through all the selections to fine tune what is of value. I gave up on it because I started getting TCP vulnerabilities from like 17 years ago, more than a few times.
I contacted Cisco about this, and after many humble apologies, the issue was never fixed, so I let my email notifications expire.
Agreed, had to let mine expire, as well. I don't mind getting a firehose turned on, so long as I can filter the flow.
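Since the complaint in this thread is that the Cisco notification sources are either a firehose (the PSIRT RSS feed linked earlier) or badly tunable (the email notification tool that kept sending decades-old TCP advisories), here is an added example of the kind of local filter that makes the feed usable. This is not code from the thread or from Cisco; it assumes a generic RSS 2.0 layout (item/title/link/pubDate/description) and a "Severity: X" phrase in the description, and the feed content below is constructed for the demo rather than taken from the live feed.

```python
"""Filter a PSIRT-style RSS advisory feed by severity, age and product.

Added example, not part of the forum thread and not Cisco's code.
Assumptions: RSS 2.0 items with <title>, <link>, <pubDate> and
<description>, and a "Severity: <word>" phrase somewhere in the
description. The feed text below is constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted feeds prefer defusedxml
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Sequence

# Constructed sample feed: titles, links and dates are made up.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Constructed advisory feed</title>
    <item>
      <title>Cisco ASA Remote Code Execution Vulnerability</title>
      <link>https://example.invalid/advisory/asa-example</link>
      <pubDate>Mon, 29 Jan 2018 16:00:00 GMT</pubDate>
      <description>Severity: Critical. Affects Cisco ASA and Firepower.</description>
    </item>
    <item>
      <title>TCP Sequence Number Weakness</title>
      <link>https://example.invalid/advisory/old-tcp</link>
      <pubDate>Tue, 24 Apr 2001 12:00:00 GMT</pubDate>
      <description>Severity: Medium. Historical TCP advisory.</description>
    </item>
    <item>
      <title>Cisco IOS XE Denial of Service</title>
      <link>https://example.invalid/advisory/ios-xe-example</link>
      <pubDate>Wed, 31 Jan 2018 10:00:00 GMT</pubDate>
      <description>Severity: High. Affects Cisco IOS XE.</description>
    </item>
  </channel>
</rss>
"""

# Reference "now" for the demo so results are reproducible offline.
DEMO_NOW = datetime(2018, 2, 1, tzinfo=timezone.utc)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Advisory:
    title: str
    link: str
    published: datetime
    severity: str  # lower-case word, or "unknown" if none was found


def _severity_of(description: str) -> str:
    """Pull the severity word out of a 'Severity: X' phrase."""
    m = re.search(r"Severity:\s*(\w+)", description, re.IGNORECASE)
    return m.group(1).lower() if m else "unknown"


def parse_feed(xml_text: str) -> List[Advisory]:
    """Turn RSS item elements into Advisory records; skip undated items."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        raw_date = (item.findtext("pubDate") or "").strip()
        if not raw_date:
            continue  # cannot age-filter an undated entry
        published = parsedate_to_datetime(raw_date)
        if published.tzinfo is None:  # "-0000" dates parse as naive
            published = published.replace(tzinfo=timezone.utc)
        advisories.append(Advisory(
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            published=published,
            severity=_severity_of(item.findtext("description") or ""),
        ))
    return advisories


def filter_advisories(advisories: Sequence[Advisory],
                      min_severity: str = "high",
                      max_age_days: int = 90,
                      product_keywords: Sequence[str] = (),
                      now: datetime = DEMO_NOW) -> List[Advisory]:
    """Keep advisories at or above min_severity, newer than the cutoff,
    and (if keywords are given) mentioning a product of interest in the
    title. Newest first, so the current critical lands at the top."""
    cutoff = now - timedelta(days=max_age_days)
    min_rank = SEVERITY_RANK[min_severity.lower()]
    kept = []
    for adv in advisories:
        if SEVERITY_RANK.get(adv.severity, 0) < min_rank:
            continue
        if adv.published < cutoff:
            continue  # drops the 17-year-old TCP advisories
        if product_keywords and not any(
                k.lower() in adv.title.lower() for k in product_keywords):
            continue
        kept.append(adv)
    kept.sort(key=lambda a: a.published, reverse=True)
    return kept


if __name__ == "__main__":
    for adv in filter_advisories(parse_feed(SAMPLE_FEED),
                                 product_keywords=("ASA", "Firepower")):
        print(f"{adv.published:%Y-%m-%d} {adv.severity:<8} {adv.title}")
```

Pointing this at the live feed means fetching the XML over HTTPS and passing the text to `parse_feed`; if the feed is not under your control, parse it with `defusedxml` rather than the stdlib parser, since an XML entity-expansion payload in a feed is a cheap way to hang a monitoring script.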
Quote from: wintermute000 on February 01, 2018, 05:10:37 AM
I suppose they are usually very stable, that's all the good things I have to say about ASAs.
Based on that, still better than Fortinet? ;)
I don't have any issues with Fortinet, except
- performance figures are basically made up - you have to test with your exact feature-set in real life to be sure, I take 50% off the stated figure as a rule of thumb
- it can pretty much sort of do anything. Key being sort of - have to carefully qualify the exact feature you're concerned about
As a vendor they're pissing me off with the "we do SDWAN" push. Using scripts to configure autoVPN (basically standards based DMVPN) is not SDWAN. Unfortunately my mob has a very long established channel relationship with Forti so we're obliged to give them the time of day
Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
So all that patching you did last week you get to do again. woohoo!
-Otanx
Quote from: Otanx on February 05, 2018, 10:55:16 AM
Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
So all that patching you did last week you get to do again. woohoo!
-Otanx
Whaaaaat? We gotta fix the fix?
:zomgwtfbbq:
Thanks, I have a maintenance window for tonight to upgrade a test box to the 9.1.7.21...
Anyconnect also vulnerable, exploit code is now on pastebin.
Thanks Cisco 8)
Do you have a link on the Anyconnect being vulnerable? The link I posted above says it is not.
-Otanx
it's in that link
Rather, the attack is launched using packets that look like they came from AnyConnect: https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf
I did find a pastebin page, but folks around here may need to keep secret/top secret clearances, so I'm not posting the link to pastebin or allowing it. If you have to find it and don't need to worry about any clearances, use your Google-fu to find it.
From the link I posted
Quote
Products Confirmed Not Vulnerable
Cisco has confirmed that the AnyConnect Secure Mobility Client is not vulnerable.
No other Cisco products are currently known to be affected by this vulnerability.
[/quote]
AnyConnect isn't vulnerable. An ASA that supports AnyConnect is.
-Otanx
The client itself, maybe? I was listening to this podcast when I posted.
www.youtube.com/watch?v=EsSEQOfTFj0
The presentation is specifically talking about Anyconnect, and webvpn is only briefly mentioned. And from the researchers' own press release:
Quote
This vulnerability can only be triggered if remote AnyConnect or WebVPN access is enabled, which is a common configuration for these firewalls. Large enterprises or those with more sophisticated routers are potentially at more risk due to the increased capability for remote access.
That OR looks quite deliberate to me.
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/press-releases/2018/january/critical-security-vulnerability-found-in-business-firewalls/
Cisco also lists these features as vulnerable:
AnyConnect IKEv2 Remote Access (with client services)
AnyConnect IKEv2 Remote Access (without client services)
AnyConnect SSL VPN
Plus all sorts of other features that use HTTPS. At this point, I really doubt this is limited to webvpn alone.
@Wintermute000 - Appreciate reading your thoughts on Fortinet.
re: this exploit
I have been running 9.1.7.21 for the last week, now will be testing 9.1.7.23 in the lab today.
cheers - though obligatory "I am not a firewall specialist" disclaimer, I'm going off second-hand / my perception when overseeing a forti component of a larger engagement or as the RS consultant alongside the Sec consultant
OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.
-Otanx
Quote from: Otanx on February 07, 2018, 09:30:57 AM
OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.
-Otanx
Correct, it's in the hardware end, not the client end. And it's all the hardware, bigger stuff is more vulnerable than the smaller stuff.
This got added today:
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory. Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.
You best be patching those ASAs, people! GOGOGOGO DOO EET NAO!!!
:explosion2:
Quote from: deanwebb on February 07, 2018, 10:24:50 AM
Quote from: Otanx on February 07, 2018, 09:30:57 AM
OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.
-Otanx
Correct, it's in the hardware end, not the client end. And it's all the hardware, bigger stuff is more vulnerable than the smaller stuff.
if you are working for the gov like me, since it's a critical vulnerability, everything must be patched, doesn't matter if it's vulnerable or not, it gets patched, to fill the security overlords' patching checkboxes.
Quote from: deanwebb on February 07, 2018, 01:48:17 PM
This got added today:
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory. Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.
You best be patching those ASAs, people! GOGOGOGO DOO EET NAO!!!
unfortunately, we need to test, with code that's less than 5 days out in public, and knowing how Cisco code has treated us in the past, it's a tough call to have 100% in Cisco, ( look what happened with the .21 release)
We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.
-Otanx
Quote from: Otanx on February 07, 2018, 02:17:03 PM
We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.
-Otanx
our team of 5 manage about 200 ASA firewalls of various models and trains, (I know :barf:)
between us we do a good amount of upgrades every month.
I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.
Ouch, that sucks. We are about the same size device count and staff, but 95% of ours are the same model.
-Otanx
Quote from: ristau5741 on February 07, 2018, 06:57:34 PM
Quote from: Otanx on February 07, 2018, 02:17:03 PM
We like to keep all our stuff on common releases anyway. So the requirement to patch if vulnerable or not isn't an issue for us. It actually benefits us because I can wave the cyber requirement flag to get my windows approved.
-Otanx
our team of 5 manage about 200 ASA firewalls of various models and trains, (I know :barf:)
between us we do a good amount of upgrades every month.
I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.
That last bit is a serious, serious issue. Dang.
Quote from: deanwebb on February 08, 2018, 06:05:24 PM
Quote from: ristau5741 on February 07, 2018, 06:57:34 PM
I don't think we ever get to finish a round, due to some vulnerability coming out every so frequently.
That last bit is a serious, serious issue. Dang.
not so bad, we're loading 9.1.7.16 now to stop that 215 day bug, next week as we continue, we'll start loading 9.1.7.23, then jump back around to do the ones running 9.1.7.16.