Cisco ASA VPN Vulnerability

[dlots]

just an FYI 9.1(7) might have a bug that causes SNMP to crash it.
https://www.reddit.com/r/networking/comments/45g8dp/heads_up_if_you_are_patching_asas_for_cve20161287/

[routerdork]

just an FYI 9.1(7) might have a bug that causes SNMP to crash it.
https://www.reddit.com/r/networking/comments/45g8dp/heads_up_if_you_are_patching_asas_for_cve20161287/

This is what I was worried about going to such a new release.

[LynK]

im not too worried. the chance that someone knows the few tunnel IPs that we have and can bypass the ACLs is fine. Ya'll be my test dummies . No offense.

[deanwebb]

Well, if those IPs are exposed to the Internet, you'll be your own test dummy. Now, if the ACLs are in front of the ASA, that can be good. But if there's a general exposure of the ASA, a guy with a program sending out compromising code to all IPs in a range would get in. Then, once in, he'll likely take up residency on that firewall. No need to take it down, since it's more valuable in a compromised state.

[routerdork]

So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point 

[icecream-guy]

So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point 

Yeah, I just got word from my AS guy, recommending backing off 9.1.7 due to stability issues. 9.1.6.11 was just released as a fix.

[Otanx]

8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.

-Otanx

[routerdork]

8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.

-Otanx

We've got a pair on 8.2(3) we're trying to decide on right now.

[deanwebb]

8.2.5(59)?

That's not backward-compatibility... that's bend-over-backward compatibility!

[mlan]

I have been running 9.1(7) since last Friday without issue.  We do not have any static NAT config that triggers the new proxy-arp bugfix.  We are also not polling for this SNMP OID and have strict SNMP ACL's:

https://tools.cisco.com/bugsearch/bug/CSCuy27428

That said, I am still considering moving to 9.1(6)11 to avoid the above.  Anybody else?

[wintermute000]

This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL

[deanwebb]

This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL

Wow, that's as bad as a worm zero-day outbreak.

[icecream-guy]

We've been hitting CSCuu84697 for a while now, without some sort of fix, or other solution past 9.1(6.11) or 9.1(7) were staying at 9.1(5.19). Here, much research shows that dedicated VPN's are handled buy other devices, and the ASA's with crypto maps applied are AnyConnect. so I think we are safe for today.

[GeorgeS]

it has been a crazy week, last wednesday i finished a project earlier than i was expecting and i was like hmm great i can relax a bit thursday/Friday but instead the bug came!! Till now even i was just disabling vpn, putting control plane ACL and upgrading, i have been pretty lucky and i had no issues with upgrades but we avoided the 9.1.7.x but still so many problems. At least tomorrow i am on vacation and i can enjoy and relax let the rest of the security engineers mess around with the upgrades

[Otanx]

We hit the proxy-arp bug on a few of ours. Probably 4% or so. We just added the no-proxy-arp command to all our NAT statements, and have not had any other problems.

-Otanx