16 new Cisco advisories

Started by icecream-guy, September 29, 2016, 07:30:04 AM


icecream-guy

Bunch of new Cisco advisories this morning; since yesterday, 18 total, 16 new. So get cracking...
9 of the new ones rated high
:professorcat:

My Moral Fibers have been cut.

deanwebb

Asking only half-jokingly... is the best remediation to switch vendors?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.

Still, it's not a great look. I thank the stars I'm not in an operational role anymore.... after a while though it's just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet-facing unless they are actively impacted by a bug / need a new feature.

Let's face it, even with a 6-month patch cycle you're still behind the curve, heck, 3 months. Unfortunately network gear is all pets, not cattle; you can't just bounce them all the time and only the big iron has SSO/NSF.


Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*

deanwebb

Wow, Wintermute, that cough sounded like words...

But, yes, shops can install code like DevOps over and over and over again... UNTIL... there's a big outage. Then, test that patch in dev and integration environments for a month before even *thinking* of getting a change request submitted...

And, meanwhile, the security press screams about how devices go unpatched.

icecream-guy

Work keeps threatening to put the results of the Nessus scan onto a dashboard for "higher ups" to see. I keep tracking vulnerabilities and shipping them off to the security folks. Users don't like it when their stuff breaks due to a device reload, so stuff keeps getting pushed and pushed and my list gets longer and longer.

deanwebb

"I just reduced our Internet vulnerability by 25%."

"Awesome, what did you do?"

"Unplugged the Internet connection for 6 hours a day."

icecream-guy

It was just the bi-annual Cisco announcement, NBD. I thought that came out last week. I thought it was the 3rd Wednesday of September.

burnyd

Quote from: wintermute000 on September 29, 2016, 07:33:57 AM
The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.

Still, it's not a great look. I thank the stars I'm not in an operational role anymore.... after a while though it's just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet-facing unless they are actively impacted by a bug / need a new feature.

Let's face it, even with a 6-month patch cycle you're still behind the curve, heck, 3 months. Unfortunately network gear is all pets, not cattle; you can't just bounce them all the time and only the big iron has SSO/NSF.


Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*

:banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana:

Otanx

The high categorization is also kind of misleading. Most, if not all, of the new announcements were for "crafted packet causes DoS", but the details about that crafted packet are not available, and they have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs' site to attack you. Much easier that way, and I can then go golfing.

-Otanx

Dieselboy

Quote from: Otanx on September 29, 2016, 03:18:14 PM
The high categorization is also kind of misleading. Most, if not all, of the new announcements were for "crafted packet causes DoS", but the details about that crafted packet are not available, and they have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs' site to attack you. Much easier that way, and I can then go golfing.

-Otanx

There was that ASA SNMP vulnerability a little while ago. My colleague was kicking up a fuss to me about it whilst making comments like "omg!" and "oh crap!" as he was reading. But the vulnerability would ONLY come into play if the ASA was configured to allow SNMP from the source host IP or subnet. So if you only allow SNMP for specific host(s) then you're not affected (unless that host is compromised and an attack comes from that host).

Although maybe the high criticality on that one was to cover anyone using SNMP across the internet? Cough SNMPv3 cough...

Think I caught something from wintermute.

wintermute000

You're forgetting crafted/spoofed attack vector

Dieselboy

Yeah, good point. Would SNMPv3 encrypt the data so you couldn't tell it was SNMP traffic? You would have to change the SNMP listen port as well so it was just "some kind of UDP" traffic in case it's sniffed.

Otanx

SNMPv3 encrypts the data, but the problem with the SNMP vulnerability is that because it is UDP I can just spoof an IP that is on the ACL. There are still other mitigations like uRPF, but it isn't foolproof. If that is the SNMP vulnerability I think you are talking about, then the other bad thing was that exploit code was released, so it is now much easier to do.

-Otanx
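As an added illustration of the mitigations discussed above (this is not configuration from anyone in this thread), here is a Cisco IOS fragment showing the ACL-only SNMPv2c setup Dieselboy describes beside an SNMPv3 authPriv setup that keeps the same ACL and adds strict uRPF on the ingress interface. The management-station address 192.0.2.10, the interface name, the group/user/view names and the credential placeholders are all assumptions; substitute your own.

```cisco
! --- Weak: community string, source restricted only by an ACL ---
! A single spoofed UDP datagram with source 192.0.2.10 passes this ACL,
! which is exactly the gap Otanx points out.
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
!
snmp-server community COMMUNITY-PLACEHOLDER RO SNMP-MGMT

! --- Hardened: SNMPv3 authPriv, same ACL, plus strict uRPF ---
! Remove the community so v1/v2c is no longer accepted at all.
no snmp-server community COMMUNITY-PLACEHOLDER RO SNMP-MGMT
!
! Read-only view; keep it as narrow as your NMS actually needs.
snmp-server view MGMT-VIEW iso included
!
! "priv" requires both authentication and encryption on every request,
! and the group is still bound to the management ACL.
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access SNMP-MGMT
snmp-server user nms-user MGMT-GROUP v3 auth sha AUTHPASS-PLACEHOLDER priv aes 128 PRIVPASS-PLACEHOLDER
!
! Strict uRPF on the interface where SNMP arrives: a datagram whose
! source address is not routed back out this same interface is dropped,
! so a spoofed 192.0.2.10 arriving from the wrong side never reaches SNMP.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
```

Two caveats keep this honest with Otanx's "not foolproof" remark. Strict uRPF only drops a spoofed source that is unreachable via the receiving interface; a host on the same segment as the real management station can still forge its address. And SNMPv3 credentials cause the agent to discard requests from anyone who lacks them, but whether that check happens before the code path a particular advisory describes depends on that advisory, so the patch itself remains the fix and these are layers in front of it.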

icecream-guy

Like 17 more new ones just announced yesterday :barf:

deanwebb

The whole world needs to take an outage on 1 December and just upgrade EVERYTHING. EVERYTHING. All the patches, no excuses. Just do it.