Cisco ASA VPN Vulnerability

deanwebb · February 10, 2016, 01:46:59 PM

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Affects only the ASAs you may have that are running VPNs.

dlots · February 10, 2016, 02:00:13 PM

Thank you
this is gonna hurt! :-D

Nerm · February 10, 2016, 03:15:46 PM

Thanks for the heads up.

wintermute000 · February 11, 2016, 04:24:26 AM

Its times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything everytime there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for outage window and the that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).

Having said that Cisco is definitely not on a good run, there have been a stream of ridiculous sev 1s last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.)

icecream-guy · February 11, 2016, 06:41:17 AM

just block TCP/UDP on port 500 to your VPN hosts. THAT should fix things.

SANS says there is a firmware patch out there, but all I've seen is 9.1(7), and that is way to green for me.
(released a few weeks ago on 1/18)

dlots · February 11, 2016, 07:09:33 AM

Upgraded my VPN ASAs this morning at 5:00... it's gonna be a long day :-(

Nerm · February 11, 2016, 07:26:03 AM

The timing of this is really bad. My last day is tomorrow and I am the only ASA "guy" here. We have a lot of clients out there on ASA's luckily only a handful of them are using the ASA's to terminate VPN's.

dlots · February 11, 2016, 07:47:29 AM

Fortinatly unless it's pre 8.3 there isn't alot to upgrading the IOS

icecream-guy · February 11, 2016, 08:14:59 AM

Quote from: dlots on February 11, 2016, 07:47:29 AM
Fortinatly unless it's pre 8.3 there isn't alot to upgrading the IOS

it just all them bugs, "unannounced features", and incompatibilities, that one has to be wary of.

routerdork · February 11, 2016, 08:37:06 AM

Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?

routerdork · February 11, 2016, 08:45:24 AM

Quote from: routerdork on February 11, 2016, 08:37:06 AM
Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?

Nevermind. Found what I was looking for. It is the Interim releases.
https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing

LynK · February 11, 2016, 12:29:16 PM

what are you all upgrading too? All the revisions that we are supposed to upgrade to are interim (sketchy) or have stupid bugs...

sigh.

dlots · February 11, 2016, 12:59:50 PM

I am running asa917-k8.bin, 8 hours and no reported issues.

routerdork · February 11, 2016, 01:46:13 PM

I'm thinking 9.1(7) as well. Have a couple that will need a slight downgrade but better than Interim in my book.

Otanx · February 11, 2016, 03:16:44 PM

Exploit is publicly available with some coding. Get patching. Also remember this is performed over UDP so source addresses can be spoofed to bypass ACLs if the attacker is good.

https://blog.exodusintel.com/2016/02/10/firewall-hacking/

-Otanx