http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Affects only the ASAs you may have that are running VPNs.
Thank you
this is gonna hurt! :-D
Thanks for the heads up.
It's times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything every time there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for an outage window and that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).
Having said that, Cisco is definitely not on a good run; there has been a stream of ridiculous sev 1s in the last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.)
just block TCP/UDP on port 500 to your VPN hosts. THAT should fix things.
SANS says there is a firmware patch out there, but all I've seen is 9.1(7), and that is way too green for me.
(released a few weeks ago on 1/18)
Upgraded my VPN ASAs this morning at 5:00... it's gonna be a long day :-(
The timing of this is really bad. My last day is tomorrow and I am the only ASA "guy" here. We have a lot of clients out there on ASAs; luckily only a handful of them are using the ASAs to terminate VPNs.
Fortunately, unless it's pre 8.3 there isn't a lot to upgrading the IOS
Quote from: dlots on February 11, 2016, 07:47:29 AM
Fortunately, unless it's pre 8.3 there isn't a lot to upgrading the IOS
It's just all them bugs, "unannounced features", and incompatibilities that one has to be wary of.
Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?
Quote from: routerdork on February 11, 2016, 08:37:06 AM
Does anyone know how to determine the 4.5 in 9.2(4.5)? I don't see any code releases with that. Is it something to do with the Interim releases?
Nevermind. Found what I was looking for. It is the Interim releases.
https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing
What are you all upgrading to? All the revisions that we are supposed to upgrade to are interim (sketchy) or have stupid bugs...
sigh.
I am running asa917-k8.bin, 8 hours and no reported issues.
I'm thinking 9.1(7) as well. Have a couple that will need a slight downgrade but better than Interim in my book.
Exploit is publicly available with some coding. Get patching. Also remember this is performed over UDP so source addresses can be spoofed to bypass ACLs if the attacker is good.
https://blog.exodusintel.com/2016/02/10/firewall-hacking/
-Otanx
just an FYI 9.1(7) might have a bug that causes SNMP to crash it.
https://www.reddit.com/r/networking/comments/45g8dp/heads_up_if_you_are_patching_asas_for_cve20161287/
Quote from: dlots on February 12, 2016, 01:46:49 PM
just an FYI 9.1(7) might have a bug that causes SNMP to crash it.
https://www.reddit.com/r/networking/comments/45g8dp/heads_up_if_you_are_patching_asas_for_cve20161287/
This is what I was worried about going to such a new release.
I'm not too worried. The chance that someone knows the few tunnel IPs that we have and can bypass the ACLs is fine. Y'all be my test dummies :). No offense.
Well, if those IPs are exposed to the Internet, you'll be your own test dummy. Now, if the ACLs are in front of the ASA, that can be good. But if there's a general exposure of the ASA, a guy with a program sending out compromising code to all IPs in a range would get in. Then, once in, he'll likely take up residency on that firewall. No need to take it down, since it's more valuable in a compromised state.
So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point :wall:
Quote from: routerdork on February 17, 2016, 02:49:23 PM
So looks like Cisco has released 9.1.6 Interim now too. Reddit has several posts about issues with 9.1.7. I'm thinking I'll just turn the firewalls off and see who notices at this point :wall:
Yeah, I just got word from my AS guy, recommending backing off 9.1.7 due to stability issues. 9.1.6.11 was just released as a fix.
8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.
-Otanx
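The interim numbering asked about earlier in the thread (9.2(4.5), 9.1(6)11, 9.1.6.11, 8.2.5(59) and 8.2(5.59) are all the same scheme written differently) can be normalised so that a script checking a fleet of ASAs can tell whether each box is at or past the fixed release for its train. This is an added example in Python, not from the thread or from Cisco; the fixed-release table is an assumption built only from the version strings quoted in this thread and must be checked against the advisory before use.

```python
import re
from typing import Optional, Tuple

# ASSUMPTION: constructed from version strings quoted in this thread, keyed by
# (major, minor) train. Verify against the Cisco advisory before relying on it.
FIXED_RELEASES = {
    (8, 2): "8.2(5.59)",   # quoted in the thread as 8.2.5(59) and 8.2(5.59)
    (9, 1): "9.1(6.11)",   # quoted as 9.1(6)11 / 9.1.6.11; 9.1(7) is later
    (9, 2): "9.2(4.5)",
}

# Accepts 9.1(7), 9.1(6.11), 9.1(6)11, 9.1.6.11, 8.2.5(59) and 8.2(5.59).
_VERSION_RE = re.compile(
    r"""^\s*(\d+)\.(\d+)        # major.minor
        (?:[.(](\d+))?          # maintenance release: ".6" or "(6"
        (?:[.)(]\s*(\d+))?      # interim number: ".11", ")11" or "(59"
        \)?\s*$""",
    re.VERBOSE,
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise an ASA version string to (major, minor, maint, interim).

    A missing maintenance or interim component counts as 0, so 9.1(6) sorts
    before 9.1(6.11), and 9.1(6.11) sorts before 9.1(7).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = (int(g) if g else 0 for g in m.groups())
    return major, minor, maint, interim


def is_fixed(running: str) -> Optional[bool]:
    """True if `running` is at or past the fixed release for its train.

    Returns None when the train is not in FIXED_RELEASES, so an unknown
    train is reported as "cannot say" rather than silently passing.
    """
    ver = parse_version(running)
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        return None
    return ver >= parse_version(fixed)


if __name__ == "__main__":
    for v in ["9.1(5.19)", "9.1(6)11", "9.1(7)", "8.2(3)", "8.2.5(59)", "9.3(1)"]:
        print(f"{v:>10} -> {is_fixed(v)}")
```

The comparison says only whether a version is past the fix; it knows nothing about the stability problems the thread reports with 9.1(7), which is a separate decision.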
Quote from: Otanx on February 17, 2016, 03:12:48 PM
8.2.5(59) is also released for those stuck on 8.2, and not wanting to deal with NAT changes.
-Otanx
We've got a pair on 8.2(3) we're trying to decide on right now.
8.2.5(59)?
That's not backward-compatibility... that's bend-over-backward compatibility!
:notbad:
I have been running 9.1(7) since last Friday without issue. We do not have any static NAT config that triggers the new proxy-arp bugfix. We are also not polling for this SNMP OID and have strict SNMP ACLs:
https://tools.cisco.com/bugsearch/bug/CSCuy27428
That said, I am still considering moving to 9.1(6)11 to avoid the above. Anybody else?
This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL
Quote from: wintermute000 on February 17, 2016, 07:02:26 PM
This is all over the shop. Reddit is exploding and I am getting tonnes of anecdotal horror stories from ex-colleagues.
I have a friend who is ex Cisco TAC and his contacts have even worse horror stories... one guy had to handle something like 25 failed upgrade tickets in his working day LOL
Wow, that's as bad as a worm zero-day outbreak.
We've been hitting CSCuu84697 for a while now; without some sort of fix or other solution past 9.1(6.11) or 9.1(7), we're staying at 9.1(5.19). Here, much research shows that dedicated VPNs are handled by other devices, and the ASAs with crypto maps applied are AnyConnect. So I think we are safe for today.
It has been a crazy week. Last Wednesday I finished a project earlier than I was expecting and I was like, hmm, great, I can relax a bit Thursday/Friday, but instead the bug came!! Till now, even though I was just disabling VPN, putting a control plane ACL in and upgrading, I have been pretty lucky and I had no issues with upgrades, but we avoided the 9.1.7.x; still, so many problems. At least tomorrow I am on vacation and I can enjoy and relax :D Let the rest of the security engineers mess around with the upgrades.
We hit the proxy-arp bug on a few of ours. Probably 4% or so. We just added the no-proxy-arp command to all our NAT statements, and have not had any other problems.
-Otanx
It looks like we are going to stick with our current code trains and go to the Interim fixes for now. Then we can plan our 8.2 upgrades for later on and the newer guys we may or may not upgrade later on.
Well last weekend sure was fun. Hundreds of ASAs upgraded (MSP).
Soo many customers still on 8.2. I was both happy and sad that Cisco came out with 8.2(5.59). Kick the can down the road, I guess.
I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.
Quote from: bertschs on February 18, 2016, 08:45:17 PM
I can't wait for Cisco to figure out which of their products are vulnerable to CVE-2015-7547.
We are very likely to have a large Unity farm to patch now.
edit:typo
Got this on the Full-Disclosure list:
This message serves as Cisco PSIRT's response to Juan Sacco's post on February 17 regarding a zero-day exploit on the Cisco ASA.
We would like to thank Juan for reporting these issues to Cisco a couple of weeks ago.
We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.
Juan's original post is available in the Full Disclosure archives at:
http://seclists.org/fulldisclosure/2016/Feb/82
Cisco confirms there is a cross site scripting vulnerability in the webVPN interface of ASAs running software versions prior to 8.4(7) and 9.1(3).
We have verified this issue was published as CVE-2014-2120 and more information is available in cisco bug ID: CSCun19025 (available at:
https://tools.cisco.com/bugsearch/bug/CSCun19025.)
Cisco previously published a security notice on this vulnerability which is available at:
https://tools.cisco.com/security/center/viewAlert.x?alertId=33406.
We've been working like crazy to get code tested and customers notified. Did my first round of ASA upgrades tonight and all went well. Got one more HA pair that is a mess. The Active unit hasn't been reloaded in over 4 years. Random things don't work on it like ASDM. And the Standby unit randomly says it dropped out and reloaded. Feels like the calm before the storm.
Quote from: wintermute000 on February 11, 2016, 04:24:26 AM
It's times like these I sacrifice another goat to the career gods for getting me out of MSPs / operations. If you patched everything every time there was a critical vulnerability you'd probably still tie up several people full-time in a large organisation, let alone all the ITIL paperwork and arranging for an outage window and that one time in ten that it goes completely haywire (*COUGH VSS ISSU COUGH*).
It's times like this I'm grateful that I work for a small company, and I'm the only network guy. There are of course many times I'm not grateful :)
Quote from: wintermute000 on February 11, 2016, 04:24:26 AM
Having said that, Cisco is definitely not on a good run; there has been a stream of ridiculous sev 1s in the last few weeks on a bunch of security and/or heavily exposed products (ISE, WLCs etc.)
I know what you mean. It's a struggle getting support lately! The TAC engineers apologise and say they have too much work.
Our code is on 9.3 so we're okay for the moment from what I can see.
Thanks for posting this. I need to sort out my Cisco alerts again as they withdraw them after a while.
youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.
Quote from: ristau5741 on February 26, 2016, 11:15:06 AM
youse guys that went to 9.1(7), Cisco is telling me that it was pulled from the download site. just looked ... not there now.
Yep, we had one firewall that kept hitting one of the bugs, and required a reboot every time. We repatched again with the 9.1(6)11 that they released. No more problems.
-Otanx
Danger, Will Robinson. Vanilla 9.1(7) (one of the early 'fixed' releases anyway, might want to double check LOL) was packed full of weapons grade ebola level bugs. Check the reddit meltdown on that day.
They ended up releasing a fix for that fix ROFL