Cisco ASA VPN Vulnerability

Started by deanwebb, February 10, 2016, 01:46:59 PM


deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

Thank you
this is gonna hurt! :-D

Nerm


wintermute000

It's times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything every time there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for an outage window, and that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).

Having said that, Cisco is definitely not on a good run; there has been a stream of ridiculous sev 1s in the last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.).

icecream-guy

just block TCP/UDP on port 500 to your VPN hosts.  THAT should fix things.

SANS says there is a firmware patch out there, but all I've seen is 9.1(7), and that is way too green for me.
(released a few weeks ago on 1/18)

:professorcat:

My Moral Fibers have been cut.

dlots

Upgraded my VPN ASAs this morning at 5:00... it's gonna be a long day :-(

Nerm

The timing of this is really bad. My last day is tomorrow and I am the only ASA "guy" here. We have a lot of clients out there on ASAs; luckily only a handful of them are using the ASAs to terminate VPNs.

dlots

Fortunately, unless it's pre-8.3 there isn't a lot to upgrading the IOS.

icecream-guy

Quote from: dlots on February 11, 2016, 07:47:29 AM
Fortunately, unless it's pre-8.3 there isn't a lot to upgrading the IOS.

It's just all them bugs, "unannounced features", and incompatibilities that one has to be wary of.

:professorcat:

My Moral Fibers have been cut.

routerdork

Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

routerdork

Quote from: routerdork on February 11, 2016, 08:37:06 AM
Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?
Nevermind. Found what I was looking for. It is the Interim releases.
https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln
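The interim-release numbering that routerdork asked about (the ".5" in 9.2(4.5)) is exactly what trips up a quick "are we patched yet?" check across a fleet, because a plain string compare ranks 9.2(4.5) below 9.2(4) or fails to rank it at all. The following Python is an added example written for this thread, not code from any poster or from Cisco: it parses ASA release strings, including interim builds, pulls the running release out of `show version` text, and compares each box against a per-train "first fixed" table. The table values and the sample `show version` output are constructed for illustration from the versions named in this thread; they are not the advisory's authoritative list, and the `Software Version` line format is assumed from ASA output.

```python
import re
from typing import Dict, Optional, Tuple

# (major, minor, maintenance, interim); interim is 0 for a regular release.
Version = Tuple[int, int, int, int]

# ASA releases look like 9.1(7); interim builds add a fourth number: 9.2(4.5).
ASA_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

# Assumed "show version" line: "... Software Version 9.1(7)".
SHOW_VERSION_RE = re.compile(r"Software Version\s+(\d+\.\d+\(\d+(?:\.\d+)?\))")

# Constructed example table of first-fixed releases per train, built from the
# versions discussed in the thread. NOT Cisco's authoritative fixed-release list.
FIRST_FIXED: Dict[str, str] = {
    "9.1": "9.1(7)",
    "9.2": "9.2(4.5)",
}


def parse_asa_version(text: str) -> Version:
    """Turn '9.2(4.5)' into (9, 2, 4, 5) and '9.1(7)' into (9, 1, 7, 0)."""
    m = ASA_VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_interim(version: Version) -> bool:
    """Interim builds carry a non-zero fourth component."""
    return version[3] > 0


def train_of(version: Version) -> str:
    """The release train is major.minor, e.g. '9.2'."""
    return f"{version[0]}.{version[1]}"


def version_from_show_version(output: str) -> Optional[str]:
    """Extract the running release string from 'show version' text, if present."""
    m = SHOW_VERSION_RE.search(output)
    return m.group(1) if m else None


def assess(running_text: str, first_fixed: Dict[str, str] = FIRST_FIXED) -> Tuple[str, str]:
    """Return (status, detail); status is 'fixed', 'needs_upgrade' or 'unknown_train'.

    Tuple comparison gives the right order for interim builds: 9.2(4) < 9.2(4.5) < 9.2(5).
    """
    running = parse_asa_version(running_text)
    train = train_of(running)
    if train not in first_fixed:
        return ("unknown_train", f"no first-fixed release recorded for train {train}; check the advisory")
    fixed = parse_asa_version(first_fixed[train])
    if running >= fixed:
        note = " (interim build)" if is_interim(running) else ""
        return ("fixed", f"{running_text} is at or above {first_fixed[train]}{note}")
    return ("needs_upgrade", f"{running_text} is below {first_fixed[train]}")


def sweep(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Assess a mapping of hostname -> 'show version' output."""
    results: Dict[str, Tuple[str, str]] = {}
    for host, output in inventory.items():
        ver = version_from_show_version(output)
        if ver is None:
            results[host] = ("unparsed", "no Software Version line found")
        else:
            results[host] = assess(ver)
    return results


# Constructed sample inventory (hostnames and output invented for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "asa-vpn-1": "Cisco Adaptive Security Appliance Software Version 9.1(7)\nDevice Manager Version 7.5(2)\n",
    "asa-vpn-2": "Cisco Adaptive Security Appliance Software Version 9.2(4)\n",
    "asa-vpn-3": "Cisco Adaptive Security Appliance Software Version 9.2(4.5)\n",
    "asa-lab-1": "Cisco Adaptive Security Appliance Software Version 9.5(1)\n",
}

if __name__ == "__main__":
    for host, (status, detail) in sweep(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status:14s} {detail}")
```

The sweep deliberately reports `unknown_train` rather than `fixed` for a train that is not in the table, so a box on a release you have not yet mapped to the advisory is flagged for review instead of silently passing.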

LynK

What are you all upgrading to? All the revisions that we are supposed to upgrade to are interim (sketchy) or have stupid bugs...


sigh.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

dlots

I am running asa917-k8.bin, 8 hours and no reported issues.

routerdork

I'm thinking 9.1(7) as well. Have a couple that will need a slight downgrade but better than Interim in my book.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

Otanx

Exploit is publicly available with some coding. Get patching. Also remember this is performed over UDP so source addresses can be spoofed to bypass ACLs if the attacker is good.

https://blog.exodusintel.com/2016/02/10/firewall-hacking/

-Otanx