Cisco ASA VPN Vulnerability

Started by deanwebb, February 10, 2016, 01:46:59 PM


routerdork

"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

LynK

I'm not too worried. The chance that someone knows the few tunnel IPs that we have and can bypass the ACLs is fine. Y'all be my test dummies :). No offense.
Sys Admin: "You have a stuck route"
Me: "You have an incorrect Default Gateway"

deanwebb

Well, if those IPs are exposed to the Internet, you'll be your own test dummy. Now, if the ACLs are in front of the ASA, that can be good. But if there's a general exposure of the ASA, a guy with a program sending out compromising code to all IPs in a range would get in. Then, once in, he'll likely take up residency on that firewall. No need to take it down, since it's more valuable in a compromised state.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point  :wall:

icecream-guy

Quote from: routerdork on February 17, 2016, 02:49:23 PM
So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point  :wall:

Yeah, I just got word from my AS guy, recommending backing off 9.1.7 due to stability issues. 9.1.6.11 was just released as a fix.
:professorcat:

My Moral Fibers have been cut.

Otanx

8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.

-Otanx

routerdork

Quote from: Otanx on February 17, 2016, 03:12:48 PM
8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.

-Otanx
We've got a pair on 8.2(3) we're trying to decide on right now.

deanwebb

8.2.5(59)?

That's not backward-compatibility... that's bend-over-backward compatibility!

:notbad:

mlan

I have been running 9.1(7) since last Friday without issue. We do not have any static NAT config that triggers the new proxy-arp bugfix. We are also not polling for this SNMP OID and have strict SNMP ACLs:

https://tools.cisco.com/bugsearch/bug/CSCuy27428

That said, I am still considering moving to 9.1(6)11 to avoid the above.  Anybody else?


wintermute000

This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL

deanwebb

Quote from: wintermute000 on February 17, 2016, 07:02:26 PM
This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL

Wow, that's as bad as a worm zero-day outbreak.

icecream-guy

We've been hitting CSCuu84697 for a while now. Without some sort of fix or other solution past 9.1(6.11) or 9.1(7), we're staying at 9.1(5.19). Here, much research shows that dedicated VPNs are handled by other devices, and the ASAs with crypto maps applied are AnyConnect, so I think we are safe for today.
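The version bookkeeping behind the decisions in the posts above (staying on 9.1(5.19), moving to 9.1(6)11 rather than 9.1(7), 8.2.5(59) for the 8.2 train) gets awkward once the same build is written three different ways. Added example, not from any poster or from Cisco: a small Python inventory check that normalises those ASA version strings and classifies each device; the target and review tables are constructed from the thread's reports and are placeholders for the fixed releases named in the vendor advisory.

```python
import re

def parse_asa_version(text):
    """Parse an ASA version string into a comparable 4-tuple of ints.
    The thread writes the same build several ways (9.1(6)11, 9.1(6.11),
    9.1.6.11) and others as 8.2.5(59) or 9.1(7). The punctuation carries no
    meaning beyond ordering the numeric fields, so every form normalises the
    same way; missing trailing fields are padded with zeros.
    """
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(?:[.()]\d+)*\)?", cleaned):
        raise ValueError(f"not an ASA version string: {text!r}")
    fields = [int(p) for p in re.findall(r"\d+", cleaned)]
    if not 2 <= len(fields) <= 4:
        raise ValueError(f"expected 2 to 4 numeric fields: {text!r}")
    return tuple(fields + [0] * (4 - len(fields)))

def train(version):
    """Release train (major.minor) of a parsed build, e.g. '9.1'."""
    return f"{version[0]}.{version[1]}"

# Target build per train, constructed from what the thread reports as released.
# This is NOT a Cisco fixed-version list: replace it with the releases named in
# the vendor advisory before relying on the verdicts.
TARGET_BUILDS = {"9.1": "9.1(6)11", "8.2": "8.2.5(59)"}

# Builds the thread reports stability problems with; these are flagged for
# review rather than treated as a safe landing spot.
REVIEW_BUILDS = {"9.1(7)"}

def classify(running, targets=TARGET_BUILDS, review=REVIEW_BUILDS):
    """Return 'upgrade', 'ok', 'review' or 'unknown-train' for one device."""
    cur = parse_asa_version(running)
    target = targets.get(train(cur))
    if target is None:
        return "unknown-train"  # no target recorded for this train
    if cur < parse_asa_version(target):
        return "upgrade"        # below the target build
    if any(cur == parse_asa_version(r) for r in review):
        return "review"         # at/above target, but on a flagged build
    return "ok"

def upgrade_report(inventory):
    """Map each (hostname, version) pair in an inventory to its verdict."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory mirroring the versions discussed in the thread.
SAMPLE_INVENTORY = [("fw-a", "8.2(3)"), ("fw-b", "9.1(5.19)"),
                    ("fw-c", "9.1(7)"), ("fw-d", "9.1.6.11"), ("fw-e", "9.4(1)")]
```

Run `upgrade_report(SAMPLE_INVENTORY)` against the output of `show version` from each box to get a per-device verdict; an unknown train means the table needs an entry, not that the device is fine.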

GeorgeS

It has been a crazy week. Last Wednesday I finished a project earlier than I was expecting and I was like, hmm, great, I can relax a bit Thursday/Friday, but instead the bug came!! Till now I was just disabling VPN, putting in a control plane ACL and upgrading; I have been pretty lucky and I had no issues with upgrades, but we avoided the 9.1.7.x. Still, so many problems. At least tomorrow I am on vacation and I can enjoy and relax :D. Let the rest of the security engineers mess around with the upgrades.

Otanx

We hit the proxy-arp bug on a few of ours. Probably 4% or so. We just added the no-proxy-arp command to all our NAT statements, and have not had any other problems.

-Otanx