Cisco ASA VPN Vulnerability

[routerdork]

It looks like we are going to stick with our current code trains and go to the Interim fixes for now. Then we can plan our 8.2 upgrades for later on and the newer guys we may or may not upgrade later on.

[bertschs]

Well last weekend sure was fun.  Hundreds of ASAs upgraded (MSP).

Soo many customers still on 8.2.  I was both happy and sad that Cisco came out with 8.2(5.59).   Kick the can down the road, I guess.

I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.

[mlan]

I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.

We are very likely to have a large Unity farm to patch now.

edit:typo

[deanwebb]

Got this on the Full-Disclosure list:

This is message serves as Cisco PSIRT's response to Juan Sacco's post on Febuary 17 regarding a zero-day exploit on the Cisco ASA.

We would like to thank Juan for reporting these issues to Cisco a couple of weeks ago.
We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

Juan's original post is available in the Full Disclosure archives at:
http://seclists.org/fulldisclosure/2016/Feb/82
   
Cisco confirms there is a cross site scripting vulnerability in the webVPN interface of ASA's running software versions prior to 8.4(7) and 9.1(3).

We have verified this issue was published as CVE-2014-2120 and more information is available in cisco bug ID: CSCun19025 (available at:
https://tools.cisco.com/bugsearch/bug/CSCun19025.)

Cisco previously published a security notice on this vulnerability which is available at:
https://tools.cisco.com/security/center/viewAlert.x?alertId=33406.

[routerdork]

We've been working like crazy to get code tested and customers notified. Did my first round of ASA upgrades tonight and all went well. Got one more HA pair that is a mess. The Active unit hasn't been reloaded in over 4 years. Random things don't work on it like ASDM. And the Standby unit randomly says it dropped out and reloaded. Feels like the calm before the storm.

[Dieselboy]

Its times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything everytime there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for outage window and the that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).

It's times like this I'm grateful that I work for a small company, and I'm the only network guy. There are of course many times I'm not grateful

Having said that Cisco is definitely not on a good run, there have been a stream of ridiculous sev 1s last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.)

I know what you mean. It's a struggle getting support lately! The TAC engineers apologise and say they have too much work.

[Dieselboy]

Our code is on 9.3 so we're okay for the moment from what I can see.
Thanks for posting this. I need to sort out my Cisco alerts again as they withdraw them after a while.

[icecream-guy]

youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.

[Otanx]

youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.

Yep, we had one firewall that kept hitting one of the bugs, and required a reboot every time. We repatched again with the 9.1(6)11 that they released. No more problems.

-Otanx

[wintermute000]

danger will robinson. Vanilla 9.1(7) (one of the early 'fixed' releases anyway, might want to double check LOL) was packed full of weapons grade ebola level bugs. Check the reddit meltdown on that day.
They ended up releasing a fix for that fix ROFL