Your Firepower is on fire!!!!

Started by icecream-guy, March 31, 2016, 07:15:28 AM


icecream-guy

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160330-fp

LOL

When will these idiotic types of things take Cisco down?


...improper input validation of fields in HTTP headers...

My Moral Fibers have been cut.

GeorgeS

Cisco at the moment is one of the worst vendors in these things, in my opinion, and generally their firewall models are far behind the competition, and I am even a Cisco guy! It is amazing how many critical bugs they have had the last years, and not just the firewalls: the Nexus or the 65xx series are full of bugs (all kinds of bugs).

But again, maybe this is the reason I have a job :D

mmcgurty

I couldn't agree more, GeorgeS! I think someone on here said that 3 days into March and Cisco already had 13 major vulnerabilities. That is absurd. We are considering bringing on a contract position where I work just to handle upgrades of things, because we can't keep up with patching on top of the normal day-to-day work and projects.

deanwebb

HTTP headers... that's like, one of the easiest things to hack.

Don't worry, though, Cisco assures me that they make secure products.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Reggle

Agreed with GeorgeS. I'm happy working with Cisco switches, routers and wireless. But any security stuff should not be left to them anymore.

wintermute000

To be fair, Palo is pretty buggy as well, but there's a difference between bugs and security vulnerabilities, plus the Palo upgrade routine is super pain-free.


Code quality is definitely on the nose, though, for the last 3-4 years. The spaghetti code + Cisco organisational bloat / dev teams not cooperating / only running automated testing in isolation is definitely starting to bite. Bet you aspiringnetworker is lurking somewhere with that lovely Arista diagram where all their modules point back to a central SysDB vs the Cisco spaghetti module mess.

Dieselboy

FFS Cisco!


I updated to 6.0.1 a few days after it was available as it had a fix for something else.

Quote from the source:
"This vulnerability was found and reported to Cisco by Dikla Barda, Liad Mizrachi, and Oded Vanunu from Check Point Security Team."

Might start looking into going back to Check Point firewalls, then.

deanwebb

(Looks at source of reports...)


Well done, Check Point. Well done.

GeorgeS

Actually, CP has 2 problems.
1) Hard disks: if you have a very busy firewall and we speak of a big model (100k-200k+ concurrent connections, with a daily average of approx. 70-100k), you should expect issues with the hard disks. CP writes everything to its hard disks, and after some time you will need to replace them; be prepared for that, as we know that usually these things do not end well :D. Bluecoat, for example, has similar issues, but the hot swap on them works like a charm. CP is getting a lot better also, but keep that in mind.
2) They need a refresh; once per year it is good for them to be rebooted. Many zombie processes and so on. Again, the "busiest" rule applies ;).

To be honest, I strongly believe that all devices should be rebooted once per year. At the end of the day you always have a problem, and someone (non-networking-related) is pointing out that the issue is with my firewall: let's failover (no change, of course), let's reboot, even though you are 100% sure that it is not the firewall, and they are too lazy or whatever and always pointing at you like "we had that issue again and it was the firewall", "check it again"... So you reboot and the issue persists, and after some time: oh, it is the server, what a surprise.

To go back to your CP comment, it always depends on whether we speak of a single site or a big DC.

deanwebb

There's also Palo Alto. I'd rather go with Palo than CP, based on user experiences alone.

GeorgeS

I have worked a bit with Palo Alto and their PAN-OS 5; now they are at 6 and I haven't touched one for some time. I was really impressed; they are miles ahead of the competition. If we speak of small sites, they are the best, but they are not as fast as advertised. But overall I agree: they should be everyone's 1st choice now, or one of the 1st choices.

Dieselboy

I guess after 1 year without a reboot there would be an increased potential for bugs to be exhibited?
To be honest, after 1 year you've probably got a whole load of security vulnerabilities discovered anyway.