If you are running Cisco WebVPN

mlan · February 01, 2018, 12:14:58 PM

Quote from: wintermute000 on February 01, 2018, 05:10:37 AM
I suppose they are usually very stable, that's all the good things I have to say about ASAs.

Based on that, still better that Fortinet?

wintermute000 · February 03, 2018, 01:50:44 AM

I don't have any issues with Fortinet, except
- performance figures are basically made up - you have to test with your exact feature-set in real life to be sure, I take 50% off the stated figure as a rule of thumb
- it can pretty much sort of do anything. Key being sort of - have to carefully qualify the exact feature you're concerned about

As a vendor they're pissing me off with the "we do SDWAN" push. Using scripts to configure autoVPN (basically standards based DMVPN) is not SDWAN. Unfortunately my mob has a very long established channel relationshp with Forti so we're obliged to give them the time of day

Otanx · February 05, 2018, 10:55:16 AM

Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

So all that patching you did last week you get to do again. woohoo!

-Otanx

deanwebb · February 05, 2018, 11:01:27 AM

Quote from: Otanx on February 05, 2018, 10:55:16 AM
Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

So all that patching you did last week you get to do again. woohoo!

-Otanx

Whaaaaat? We gotta fix the fix?

icecream-guy · February 05, 2018, 01:38:48 PM

Thanks, I have a maintenance window for tonight to upgrade a test box to the 9.1.7.21...

SimonV · February 06, 2018, 02:38:11 AM

Anyconnect also vulnerable, exploit code is now on pastebin.

Thanks Cisco

Otanx · February 06, 2018, 09:23:25 AM

Do you have a link on the Anyconnect being vulnerable? The link I posted above says it is not.

-Otanx

icecream-guy · February 06, 2018, 10:39:43 AM

it's in that link

deanwebb · February 06, 2018, 12:17:24 PM

Rather, the attack is launched using packets that look like they came from AnyConnect: https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf

I did find a pastebin page, but folks around here may need to keep secret/top secret clearances, so I'm not posting the link to pastebin or allowing it. If you have to find it and don't need to worry about any clearances, use your Google-fu to find it.

Otanx · February 06, 2018, 12:52:08 PM

From the link I posted

Quote
Products Confirmed Not Vulnerable
Cisco has confirmed that the AnyConnect Secure Mobility Client is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.
[/qutote]

AnyConnect isn't vulnerable. An ASA that supports AnyConnect is.

-Otanx

SimonV · February 06, 2018, 01:49:41 PM

The client itself, maybe? I was listening to this podcast when I posted.

www.youtube.com/watch?v=EsSEQOfTFj0

The presentation is specifically talking about Anyconnect, and webvpn is only briefly mentioned. And from the researchers' own press release:

QuoteThis vulnerability can only be triggered if remote AnyConnect or WebVPN access is enabled, which is a common configuration for these firewalls. Large enterprises or those with more sophisticated routers are potentially at more risk due to the increased capability for remote access.

That OR looks quite deliberate to me.

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/press-releases/2018/january/critical-security-vulnerability-found-in-business-firewalls/

Cisco also lists these features as vulnerable:

AnyConnect IKEv2 Remote Access (with client services)
AnyConnect IKEv2 Remote Access (without client services)
AnyConnect SSL VPN

Plus all sorts of other features that use HTTPS. At this point, I really doubt this is limited to webvpn alone.

mlan · February 06, 2018, 01:53:58 PM

@Wintermute000 - Appreciate reading your thoughts on Fortinet.

re: this exploit

I have been running 9.1.7.21 for the last week, now will be testing 9.1.7.23 in the lab today.

wintermute000 · February 06, 2018, 04:17:43 PM

cheers - though obligatory "I am not a firewall specialist" disclaimer, I'm going off second-hand / my perception when overseeing a forti component of a larger engagement or as the RS consultant alongside the Sec consultant

Otanx · February 07, 2018, 09:30:57 AM

OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.

-Otanx

deanwebb · February 07, 2018, 10:24:50 AM

Quote from: Otanx on February 07, 2018, 09:30:57 AM
OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.

-Otanx

Correct, it's in the hardware end, not the client end. And it's all the hardware, bigger stuff is more vulnerable than the smaller stuff.