Cisco ASA VPN Vulnerability

Started by deanwebb, February 10, 2016, 01:46:59 PM

Previous topic - Next topic

routerdork

It looks like we are going to stick with our current code trains and go to the Interim fixes for now. Then we can plan our 8.2 upgrades for later on and the newer guys we may or may not upgrade later on.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

bertschs

Well, last weekend sure was fun. Hundreds of ASAs upgraded (MSP).

Soo many customers still on 8.2. I was both happy and sad that Cisco came out with 8.2(5.59). Kick the can down the road, I guess.

I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.


mlan

Quote from: bertschs on February 18, 2016, 08:45:17 PM
I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.
We are very likely to have a large Unity farm to patch now.

edit: typo

deanwebb

Got this on the Full-Disclosure list:

This message serves as Cisco PSIRT's response to Juan Sacco's post on February 17 regarding a zero-day exploit on the Cisco ASA.

We would like to thank Juan for reporting these issues to Cisco a couple of weeks ago.
We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

Juan's original post is available in the Full Disclosure archives at:
http://seclists.org/fulldisclosure/2016/Feb/82

Cisco confirms there is a cross site scripting vulnerability in the webVPN interface of ASAs running software versions prior to 8.4(7) and 9.1(3).

We have verified this issue was published as CVE-2014-2120 and more information is available in Cisco bug ID: CSCun19025 (available at:
https://tools.cisco.com/bugsearch/bug/CSCun19025.)

Cisco previously published a security notice on this vulnerability which is available at:
https://tools.cisco.com/security/center/viewAlert.x?alertId=33406.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
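The PSIRT message above gives the affected range only as "prior to 8.4(7) and 9.1(3)", and the rest of the thread throws around version strings in three different shapes (8.2(5.59), 9.1(6)11, 9.1(7)). Turning that into a repeatable check across an ASA fleet is the kind of thing an MSP doing hundreds of upgrades would want scripted. The following is an added example, not code from the thread or from Cisco: it parses the interim-build notation into a comparable tuple, reads the version out of a constructed "show version" first line, and reports which constructed hostnames fall below the fixed release for their major train. Reading "prior to 8.4(7) and 9.1(3)" as "8.x below 8.4(7), 9.x below 9.1(3)" is this example's assumption; trains the table does not cover come back as "unknown" rather than guessed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class AsaVersion(NamedTuple):
    """ASA version as a sortable tuple: 9.1(6)11 -> (9, 1, 6, 11)."""
    major: int
    minor: int
    maint: int
    interim: int


# Accepts 8.4(7), 8.2(5.59) (interim inside the parentheses) and
# 9.1(6)11 (interim after the parentheses).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?\s*$")

# Constructed to match the first line of ASA "show version" output.
_SHOW_VERSION_RE = re.compile(r"Software Version\s+(\S+)")


def parse_asa_version(text: str) -> AsaVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, dotted_interim, trailing_interim = m.groups()
    interim = dotted_interim or trailing_interim or "0"
    return AsaVersion(int(major), int(minor), int(maint), int(interim))


# First fixed release per major train for CVE-2014-2120, from the PSIRT text
# ("prior to 8.4(7) and 9.1(3)"). Mapping it per major train is an assumption.
FIXED_CVE_2014_2120: Dict[int, AsaVersion] = {
    8: parse_asa_version("8.4(7)"),
    9: parse_asa_version("9.1(3)"),
}


def assess(version_text: str,
           fixed: Dict[int, AsaVersion] = FIXED_CVE_2014_2120) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_asa_version(version_text)
    threshold = fixed.get(v.major)
    if threshold is None:
        return "unknown"          # train not listed in the advisory table
    return "affected" if v < threshold else "fixed"


def version_from_show_version(line: str) -> Optional[str]:
    m = _SHOW_VERSION_RE.search(line)
    return m.group(1) if m else None


def triage_inventory(inventory: List[Tuple[str, str]],
                     fixed: Dict[int, AsaVersion] = FIXED_CVE_2014_2120
                     ) -> Dict[str, List[str]]:
    """Group hostnames by status from (hostname, show-version line) pairs."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for hostname, line in inventory:
        version = version_from_show_version(line)
        try:
            status = assess(version, fixed) if version else "unknown"
        except ValueError:
            status = "unknown"    # unparseable version: flag for manual review
        result[status].append(hostname)
    return result


# Constructed sample inventory; hostnames and lines are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "Cisco Adaptive Security Appliance Software Version 8.2(5.59)"),
    ("fw-edge-02", "Cisco Adaptive Security Appliance Software Version 9.1(6)11"),
    ("fw-dc-01",   "Cisco Adaptive Security Appliance Software Version 9.3(3)"),
    ("fw-lab-01",  "Cisco Adaptive Security Appliance Software Version 7.2(4)"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

The comparison is a plain tuple comparison, which is why the interim build is normalised into the fourth field whichever way it was written; 8.2(5.59) would otherwise sort as a string and land in the wrong bucket. Swap in a different table of first-fixed releases, taken from the relevant advisory, to reuse the same triage for another bug.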

routerdork

We've been working like crazy to get code tested and customers notified. Did my first round of ASA upgrades tonight and all went well. Got one more HA pair that is a mess. The Active unit hasn't been reloaded in over 4 years. Random things don't work on it like ASDM. And the Standby unit randomly says it dropped out and reloaded. Feels like the calm before the storm.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

Dieselboy

Quote from: wintermute000 on February 11, 2016, 04:24:26 AM
It's times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything every time there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for outage windows and that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).
It's times like this I'm grateful that I work for a small company, and I'm the only network guy. There are of course many times I'm not grateful :)
Quote from: wintermute000 on February 11, 2016, 04:24:26 AM
Having said that, Cisco is definitely not on a good run; there has been a stream of ridiculous sev 1s in the last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.)

I know what you mean. It's a struggle getting support lately! The TAC engineers apologise and say they have too much work.

Dieselboy

Our code is on 9.3 so we're okay for the moment from what I can see.
Thanks for posting this. I need to sort out my Cisco alerts again as they withdraw them after a while.

icecream-guy

youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.

My Moral Fibers have been cut.

Otanx

Quote from: ristau5741 on February 26, 2016, 11:15:06 AM
youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.

Yep, we had one firewall that kept hitting one of the bugs, and required a reboot every time. We repatched again with the 9.1(6)11 that they released. No more problems.

-Otanx

wintermute000

danger will robinson. Vanilla 9.1(7) (one of the early 'fixed' releases anyway, might want to double check LOL) was packed full of weapons grade ebola level bugs. Check the reddit meltdown on that day.
They ended up releasing a fix for that fix ROFL