16 new Cisco advisories

icecream-guy · September 29, 2016, 07:30:04 AM

bunch of new Cisco advisories this morning, since yesterday 18 total 16 new. so get cracking...
9 of the new ones rated high

deanwebb · September 29, 2016, 07:31:26 AM

Asking only half-jokingly... is the best remediation to switch vendors?

wintermute000 · September 29, 2016, 07:33:57 AM

The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.

Still, its not a great look. I thank the stars I'm not in an operational role anymore.... after awhile though its just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet facing unless they are actively impacted by a bug / need a new feature.

Lets face it, even with a 6 month patch cycle you're still behind the curve, heck 3 month. Unfortunately network gear are all pets not cattle, you can't just bounce them all the time and only the big iron has SSO/NSF.

Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*

deanwebb · September 29, 2016, 07:43:50 AM

Wow, Wintermute, that cough sounded like words...

But, yes, shops can install code like DevOps over and over and over again... UNTIL... there's a big outage. Then, test that patch in dev and integration environments for a month before even *thinking* of getting a change request submitted...

And, meanwhile, the security press screams about how devices go unpatched.

icecream-guy · September 29, 2016, 07:45:04 AM

work keeps threatening to put the results of the nessus scan onto a dashboard for "higher ups" to see. I keep tracking vulnerabilities, and shipping them off to the security folks. Users don't like when their stuff breaks due to a device reload. so stuff keeps getting pushed and pushed and my list gets longer and longer.

deanwebb · September 29, 2016, 07:59:52 AM

"I just reduced our Internet vulnerability by 25%."

"Awesome, what did you do?"

"Unplugged the Internet connection for 6 hours a day."

icecream-guy · September 29, 2016, 10:40:25 AM

it was just the bi-annual Cisco announcement, NBD. I though that came out last week. I thought it was the 3rd Wednesday of September.

burnyd · September 29, 2016, 12:51:16 PM

Quote from: wintermute000 on September 29, 2016, 07:33:57 AM
The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.

Still, its not a great look. I thank the stars I'm not in an operational role anymore.... after awhile though its just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet facing unless they are actively impacted by a bug / need a new feature.

Lets face it, even with a 6 month patch cycle you're still behind the curve, heck 3 month. Unfortunately network gear are all pets not cattle, you can't just bounce them all the time and only the big iron has SSO/NSF.

Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*

Otanx · September 29, 2016, 03:18:14 PM

The high categorization is also kind of misleading. Most if not all the the new announcements were for "crafted packet causes DoS" but the details about that crafted packet are not available, and have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs site to attack you. Much easier that way, and I can then go golfing.

-Otanx

Dieselboy · September 30, 2016, 08:12:34 PM

Quote from: Otanx on September 29, 2016, 03:18:14 PM
The high categorization is also kind of misleading. Most if not all the the new announcements were for "crafted packet causes DoS" but the details about that crafted packet are not available, and have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs site to attack you. Much easier that way, and I can then go golfing.

-Otanx

There was that ASA SNMP vulnerability a little while ago. My colleage was kicking up a fuss to me about it whilst making comments like "omg!" and "oh crap!" as he was reading. But the vulnerability would ONLY come into play if the ASA was configured to allow SNMP from the source host IP or subnet. So if you only allow SNMP for specific host(s) then you're not affected (unless that host is compromised and an attack comes from that host).

Although may be the high criticality on that one was to cover anyone using SNMP across the internet? Cough SNMPv3 cough...

Think I caught something from wintermute.

wintermute000 · September 30, 2016, 08:25:13 PM

You're forgetting crafted/spoofed attack vector

Dieselboy · October 01, 2016, 06:01:07 AM

yea good point. Would snmpv3 encrypt the data so you couldn't tell it was snmp traffic? You would have to change the listen snmp port as well so it was just "some kind of udp" traffic in case it's sniffed.

Otanx · October 01, 2016, 04:44:18 PM

SNMPv3 encrypts the data, but the problem with the SNMP vulnerability is that because it is UDP I can just spoof an IP that is on the ACL. There are still other mitigations like uRPF, but it isn't fool proof. If that is the SNMP vulnerability I think you are talking about then the other bad thing was exploit code was released so it is now much easier to do.

-Otanx

icecream-guy · October 06, 2016, 05:53:47 AM

like 17 more new ones just announced yesterday

deanwebb · October 06, 2016, 08:00:01 AM

The whole world needs to take an outage on 1 December and just upgrade EVERYTHING. EVERYTHING. All the patches, no excuses. Just do it.