If you are running Cisco WebVPN

Started by icecream-guy, January 30, 2018, 06:30:58 AM


mlan

Quote from: wintermute000 on February 01, 2018, 05:10:37 AM
I suppose they are usually very stable, that's all the good things I have to say about ASAs.

Based on that, still better that Fortinet? ;)

wintermute000

I don't have any issues with Fortinet, except
- performance figures are basically made up - you have to test with your exact feature-set in real life to be sure, I take 50% off the stated figure as a rule of thumb
- it can pretty much sort of do anything. Key being sort of - have to carefully qualify the exact feature you're concerned about


As a vendor they're pissing me off with the "we do SDWAN" push. Using scripts to configure autoVPN (basically standards-based DMVPN) is not SDWAN. Unfortunately my mob has a very long established channel relationship with Forti so we're obliged to give them the time of day

Otanx

Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

So all that patching you did last week you get to do again.  woohoo!

-Otanx

deanwebb

Quote from: Otanx on February 05, 2018, 10:55:16 AM
Oops - The fixed version we told you about last week isn't really fixed. Please update to the real fixed version.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

So all that patching you did last week you get to do again.  woohoo!

-Otanx


Whaaaaat? We gotta fix the fix?

:zomgwtfbbq:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Thanks, I have a maintenance window for tonight to upgrade a test box to the 9.1.7.21...
:professorcat:

My Moral Fibers have been cut.

SimonV

Anyconnect also vulnerable, exploit code is now on pastebin.

Thanks Cisco  8)

Otanx

Do you have a link on the Anyconnect being vulnerable? The link I posted above says it is not.

-Otanx

icecream-guy

:professorcat:

deanwebb

Rather, the attack is launched using packets that look like they came from AnyConnect:  https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf

I did find a pastebin page, but folks around here may need to keep secret/top secret clearances, so I'm not posting the link to pastebin or allowing it. If you have to find it and don't need to worry about any clearances, use your Google-fu to find it.

Otanx

From the link I posted

Quote
Products Confirmed Not Vulnerable
Cisco has confirmed that the AnyConnect Secure Mobility Client is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

AnyConnect isn't vulnerable. An ASA that supports AnyConnect is.

-Otanx

SimonV

The client itself, maybe? I was listening to this podcast when I posted.

www.youtube.com/watch?v=EsSEQOfTFj0

The presentation is specifically talking about Anyconnect, and webvpn is only briefly mentioned. And from the researchers' own press release:

Quote
This vulnerability can only be triggered if remote AnyConnect or WebVPN access is enabled, which is a common configuration for these firewalls. Large enterprises or those with more sophisticated routers are potentially at more risk due to the increased capability for remote access.

That OR looks quite deliberate to me.

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/press-releases/2018/january/critical-security-vulnerability-found-in-business-firewalls/

Cisco also lists these features as vulnerable:

AnyConnect IKEv2 Remote Access (with client services)
AnyConnect IKEv2 Remote Access (without client services)
AnyConnect SSL VPN

Plus all sorts of other features that use HTTPS. At this point, I really doubt this is limited to webvpn alone.

mlan

@Wintermute000 - Appreciate reading your thoughts on Fortinet.

re: this exploit

I have been running 9.1.7.21 for the last week, now will be testing 9.1.7.23 in the lab today.

wintermute000

cheers - though obligatory "I am not a firewall specialist" disclaimer, I'm going off second-hand / my perception when overseeing a forti component of a larger engagement or as the RS consultant alongside the Sec consultant

Otanx

OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.

-Otanx
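A triage helper for the "did I miss patching anything" question Otanx is working through above, written here as an added example (it is not code from the thread, from NCC Group or from Cisco). It pulls the version out of `show version`, scans a running-config excerpt for the remote-access features the thread names (WebVPN/AnyConnect SSL enabled on an interface, IKEv2 remote access with client services, and the HTTP server that ASDM uses) and compares the running version with a per-train fixed table. The sample outputs, the command strings it matches and the fixed table are assumptions: the single 9.1 entry is taken from the thread's move from 9.1.7.21 to 9.1.7.23, and the advisory Otanx linked is the authoritative source for every other train.

```python
import re

# Constructed sample output (not from the thread): one 'show version' line and
# a running-config excerpt for an ASA terminating WebVPN/AnyConnect and IKEv2,
# with the ASDM HTTP server on.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(7)21\n"

SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
http server enable
http 10.0.0.0 255.0.0.0 inside
!
crypto ikev2 enable outside client-services port 443
!
webvpn
 enable outside
 anyconnect enable
!
"""

# Assumed minimum fixed interim per train. The 9.1 entry follows the thread
# (9.1.7.21 was superseded by 9.1.7.23); fill in the other trains you run from
# the Cisco advisory, which is the authoritative list.
FIXED_BY_TRAIN = {"9.1": (9, 1, 7, 23)}

# Matches "Software Version 9.1(7)21" and also "9.8(2)" (no interim number).
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_asa_version(show_version):
    """Return (major, minor, maintenance, interim) from 'show version' text."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no ASA software version line found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(version, fixed_by_train=FIXED_BY_TRAIN):
    """True if at or above the fixed interim for the train, False if below,
    None if the train is not in the table (go read the advisory)."""
    fixed = fixed_by_train.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return None
    return version >= fixed


def exposed_features(running_config):
    """Collect the features the thread calls out: WebVPN/AnyConnect SSL per
    interface, IKEv2 remote access (with or without client services) and the
    HTTP server ASDM uses. Only the global 'webvpn' block counts; the indented
    'webvpn' under group-policy attributes is a different context."""
    found = {"webvpn_interfaces": [], "ikev2_interfaces": [],
             "anyconnect_ssl": False, "ikev2_client_services": False,
             "asdm_http": False}
    in_webvpn = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Top-level command; sub-commands of the global webvpn block are
            # the indented lines that follow it.
            in_webvpn = line == "webvpn"
        elif in_webvpn:
            if line.startswith("enable "):
                found["webvpn_interfaces"].append(line.split()[1])
            elif line == "anyconnect enable":
                found["anyconnect_ssl"] = True
            continue
        m = re.match(r"crypto ikev2 enable (\S+)(.*)", line)
        if m:
            found["ikev2_interfaces"].append(m.group(1))
            if "client-services" in m.group(2):
                found["ikev2_client_services"] = True
        elif line == "http server enable":
            found["asdm_http"] = True
    return found


def triage(show_version, running_config, fixed_by_train=FIXED_BY_TRAIN):
    """Verdict: 'patched', 'exposed', 'not-exposed' or 'unknown-train'."""
    version = parse_asa_version(show_version)
    fixed = is_fixed(version, fixed_by_train)
    feats = exposed_features(running_config)
    listening = bool(feats["webvpn_interfaces"] or feats["ikev2_interfaces"]
                     or feats["asdm_http"])
    if fixed is None:
        verdict = "unknown-train"
    elif fixed:
        verdict = "patched"
    elif listening:
        verdict = "exposed"
    else:
        verdict = "not-exposed"
    return {"version": version, "fixed": fixed, "features": feats,
            "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(result["verdict"], result["version"], result["features"])
```

The `http server enable` flag only says the ASDM listener is on; which interfaces can reach it is governed by the `http <network> <mask> <ifname>` lines, so read those before deciding whether ASDM is an outside-facing service. Feed it the real `show version` and `show running-config` from each box and an empty `features` result on an unpatched version is the case worth double-checking by hand rather than trusting.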

deanwebb

Quote from: Otanx on February 07, 2018, 09:30:57 AM
OK, I got you now. Yes ASAs doing termination of Anyconnect Clients are vulnerable. The client itself is not. I just wanted to make sure I didn't miss patching anything. From the new notice it seems the bug is in the underlying XML parser so any features that do XML will be vulnerable. So web, VPN, ASDM, etc.

-Otanx


Correct, it's in the hardware end, not the client end. And it's all the hardware, bigger stuff is more vulnerable than the smaller stuff.