Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com)
itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
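Before worrying about the reported install base, the first thing to establish for each ASA you own is whether IKE is enabled on any interface at all, since the flaw lives in the IKE code and a box with no IKE listener is not reachable through it. The script below is an added example, not part of the article or Cisco's advisory. It assumes the ASA configuration keywords `crypto ikev1 enable <if>`, `crypto ikev2 enable <if>` and `crypto map <name> interface <if>` (8.4 and later), plus the older `crypto isakmp enable <if>` form for 8.2-era IKEv1; the config text embedded in it is a constructed sample, not a real device's output. Feed it the saved output of `show running-config`.

```python
"""Report which interfaces of an ASA have IKEv1/IKEv2 listeners enabled.

Added example (not Cisco's tooling). Config keywords are assumed as
described in the lead-in; SAMPLE_CONFIG is constructed, not captured.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of 'show running-config' output, not a real device.
SAMPLE_CONFIG = """\
: Saved
ASA Version 9.1(2)
!
hostname branch-asa
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
!
crypto map outside_map 10 match address vpn-acl
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
crypto ikev2 enable inside
"""

VERSION_RE = re.compile(r"^ASA Version (\S+)")
IKE_ENABLE_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)")
# Pre-8.4 syntax for enabling IKEv1 (assumed form, see lead-in).
ISAKMP_RE = re.compile(r"^(?:crypto )?isakmp enable (\S+)")
CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ interface (\S+)")


@dataclass
class IkeExposure:
    version: str = "unknown"
    ikev1: set = field(default_factory=set)      # interfaces with IKEv1 enabled
    ikev2: set = field(default_factory=set)      # interfaces with IKEv2 enabled
    crypto_maps: set = field(default_factory=set)  # interfaces with a crypto map bound

    @property
    def exposed(self) -> bool:
        """True if any interface accepts IKE at all; an IKE listener is the
        precondition for reaching the vulnerable code."""
        return bool(self.ikev1 or self.ikev2)


def check_ike_exposure(config: str) -> IkeExposure:
    """Parse running-config text and collect IKE listener interfaces."""
    result = IkeExposure()
    for raw in config.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            result.version = m.group(1)
            continue
        m = IKE_ENABLE_RE.match(line)
        if m:
            (result.ikev1 if m.group(1) == "ikev1" else result.ikev2).add(m.group(2))
            continue
        m = ISAKMP_RE.match(line)
        if m:
            result.ikev1.add(m.group(1))
            continue
        m = CRYPTO_MAP_RE.match(line)
        if m:
            result.crypto_maps.add(m.group(1))
    return result


def summarize(result: IkeExposure) -> str:
    """One-line verdict suitable for an inventory spreadsheet."""
    if not result.exposed:
        return f"version {result.version}: no IKE listener, not reachable via IKE"
    return (f"version {result.version}: IKEv1 on {sorted(result.ikev1) or '-'}, "
            f"IKEv2 on {sorted(result.ikev2) or '-'}, "
            f"crypto map on {sorted(result.crypto_maps) or '-'}")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(summarize(check_ike_exposure(text)))
```

Note that the script reports every interface, not only the one facing the Internet: IKE enabled on an inside interface is still reachable by anything on that segment, which matters for the "unauthenticated, remote attacker" wording in the advisory.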
And attackers have not been sitting on their thumbs.
It isn't like the job of a firewall is to keep unauthenticated remote attackers out. The purpose of a Cisco firewall is so Chambers can buy another island. It is your fault for not choosing an Open Source solution.
In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.
You can not buy it online.
You can not buy it from Cisco, you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...
I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.
How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???
Replace your ASA's with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.
>> I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version.
By design.
Man can make it, man can break it. It is a given fact of life to ANY serious engineer in any discipline.
To ignore such a thing is the ultimate range of foolishness and it is also the signal of a superiority complex that cannot be trusted.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Aren't the 5505 ASAs EOL/EOS? Also, they are green, not blue.
How is an RCE a worm? Does the author of this article know what wormable means?
Go away!
Employers never upgrade them until they stop working or when the ports randomly go out
http://saveie6.com/
To be fair, Cisco is handing out free upgrades with this vulnerability. Call TAC, give them your serial number, and a few hours later you should have a download link in your email.
lol timothy, your bias towards cso crap articles is showing again
the other entry explained it much better: http://slashdot.org/submission/5552869/severe-vulnerability-lets-attackers-take-control-of-cisco-vpn-server-equipment
also that article was posted first
also cso just invented the "1 million devices" figure, cisco would never reveal the number of devices it sold, it's basic business sense
cso also made up that a 600gb ddos attack was the biggest in history only to be told by akamai they were wrong, so it's not the first time
also this flaw is not wormable for christ's sake, the exploit does not reproduce to other devices, like worms do
also those cso dummies wrote the article twice, like the professionals they are http://www.csoonline.com/article/3032198/security/cisco-asa-firewall-has-a-wormable-problem.html
and here: http://www.csoonline.com/article/3031389/networking/critical-vpn-key-exchange-flaw-exposes-cisco-security-appliances-to-remote-hacking.html
please stop featuring cso's crap, except steve ragan and lucian constantin, all their editors are shit and a waste of everybody's time
is that the upgrade is not smooth. we have thousands of nats, and the syntax changes, so that'll all have to be redone. Could they give us an 8.2? fuck no. just go to 9.
thanks
BitTorrent.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
I was about to write the same comment after reading the linked Cisco advisory. It's a serious issue, but they do offer free fixes for serious vulnerabilities like this. Please mod parent up.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
The reason that people use things like Cisco is that the integration is easier. They tend to make it so that enterprise tools can control many devices, versus getting into three or four interfaces on each device to update. All enterprise vendors try to do this. THAT is why they work well and sell many. With the goal of every IT shop to cut cost constantly, it would be crazy to have 100 firewalls that need to be maintained handled by one person, in addition to the other 200 switches and routers.
The reason that people use things like Cisco, is that the integration is easier.
The other reason is that they are supposed to be secure. But if you let your SMARTNet subscription lapse and stop applying updates, that's no longer the case. If you're not going to pay for updates for your security device, then use something that will give you free updates.
As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces
*sigh* we are going the other route. After having a rock solid pfsense install for 8 years with zero downtime, our IT manager has decided to purchase a cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (I just looked).
The reason for the purchase is that the cisco ASA can do neat things like deep packet inspection, viewing inside ssl encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with squid. I'm sure squid may do these things but it doesn't work out of the box and cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.
I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more and the cisco asa 5508 with firepower has a literally beautiful user interface and when we saw it demo'ed was quite intuitive. I have not used the device yet because it's still in testing, but I do look forward to it based on the demo.
yes you do need to have a relationship with a good VAR to get stuff from cisco, but we buy desk phones and licenses for them all the time so we do have that relationship.
I love pfsense, and like I said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose cisco over free alternatives.
As a potential lottery winner, I totally support tax cuts for the wealthy
How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???
Cisco doesn't make it easy, but you can get ASA security updates for free (and for their routers too). Read the advisory: https://tools.cisco.com/securi... It says:
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/sup...
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
So call or email Cisco TAC (the contact info is at that link) and ask. They will give you the updates.
And since Cisco is so incompetent at selling, they won't even try to sell you a service contract.
I think the phrase the moderator was looking for was sitting on your hands. Sitting on your thumb is something different, entirely.
You don't need to buy anything.
Just call up Cisco TAC, tell them you're affected by this security bug and they'll give you the upgrade. It isn't hard and I've done it many times.
Why do not open source aficionados more often criticize how the firmware of Cisco Systems hardware is not open source? Why is there no worry about backdoors either? There's a lot of yacking about UEFI backdoors, Windows telemetry, NSA surveillance, Facebook datamining... but Cisco seems to get a pass.
As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces
And how many 10 gig interfaces can you put into an ASA 5505?
From Cisco's site it appears they will supply the update but you have to contact support. Haven't tried it yet but might be worth contacting them...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Just providing another opinion on why someone would choose cisco over free alternatives.
Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.
Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plug it in and put it in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
I have a TAC open regarding the reload of my 2 5506's 4 to 5 times in the last 2 weeks, with no answers or suggestion to update the firmware to a later version, just happened again yesterday so I'm not sure what the solution is, all I know is this is bad for my company...
Ah, I was mixing the 5505 with another device. Looks like that's more of a SOHO device, so rather low powered (and a good candidate for pfsense replacement).
The Swedish version of ASA doesn't use Internet Key Exchange (IKE). It uses
<puts on sunglasses>
IKEA!
Hmm... I had an account (with an expired contract). Does that work or do I actually have to call in for them to send a download link?
You can not buy it online.
You can not buy it from Cisco, you have to go through a reseller.
I dumped our ASA in the trash for the same reason. We use a Linux VM for all routing/firewalling, and have never looked back.
BitTorrent.
Download remote code from a stranger to patch a remote code execution vulnerability...
Aren't the 5505 ASAs EOL/EOS?
They still release updates for the 5505.
They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
Just had to deal with a Cisco firewall / VPN that died. The hardware did not die - the firmware was compromised. Someone botched a remote update -- at least that is my best guess. And it was a good thing this happened. After replacing the Cisco device with a generic OpenWRT device, intruder attempts to the local server dropped to zero. Previously there were hundreds of attempts a day. Attempts to track down the malicious network device always came up empty - so I assumed a core network device was responsible but lacked the incentive to identify the specific device.
It is not like I never checked for firmware updates. The Cisco firewall reported the latest firmware with a matching checksum. But this was obviously not the case. I believe the device could have been compromised from day 1. Too bad, it was a well made device (good PCB design, components, etc.). Possibly that MachXO CPLD had a compromised firmware?
They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
You're not a Linux (or BSD, or other unix like OS) admin are you? Everything can be automated.
You can automate it if you trust updates not to break connectivity. Most people would rather be there when it updates so they don't get locked out of their VPN on a long holiday weekend.
I've never had a pfSense update break anything, but I still don't trust it to do unattended upgrades.
If you've got a validation lab where you can test out upgrades before you push them out to remote sites, then you can have it do unattended upgrades automatically.
From people that apparently have never worked in an actual corporate environment and were required to purchase and support certain brands over their own technical opinions.
Glad to see some of you can just tell all the people above you to shove it when they order you to purchase something like Cisco over an open-source solution.
Some of us have to purchase from certain brands due to this thing called company politics.
"viewing inside ssl encrypted transactions (which should be illegal but hey)"
So it has a convenient interface for MITMing SSL sessions... Ugh.
Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Inasfar as it's possible, of course. I can't exactly mail a usb key to the GitHub building with new keys & instructions, can I?
You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?
Seriously. When are people going to stop pushing hurt me buttons with companies treating them like this? It's funny and sad at the same time.
They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
So, you like automated unattended updates? I'm sure nothing could go wrong with that..
You can't buy a software update for your 5505 series devices any longer. They went EOL in 2012. Because you let the SMARTNet contract lapse you have to 'attach' a new SMARTNet subscription and not renew it. The last date to do this for the 5505 appliances was in 2014.
You will not be able to acquire a SMARTNet subscription for these devices any longer. If you need a supported product your replacement would be the ASA-5506X.
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_c51-711120.html
You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?
That was my advice to him -- the guy that is using a consumer grade 5505 to protect his office, let his maintenance subscription lapse and the firmware is 2 years out of date.
Being able to log in and click on something is no indicator of whether or not it can be scripted. There are many many tools and products that provide both a GUI and a rich API.
But hey, I'm not trying to sell you anything -- if you can't figure out on your own if a product supports any scripting or remote management, then that's probably a good sign that it's not the right fit for you. But don't try to blame someone else for your own shortcomings when you somehow assume that a 100 word Slashdot post is a complete feature description and that it will describe your own (unstated) use case.
Not YET. However, with the introduction of the 5506/5508, it shouldn't be long.
http://www.cisco.com/c/en/us/s...
Verify the sha/md5 with the mothership.
The "AIP SSC" is EOL. NOT the 5505 itself. (yet)
"viewing inside ssl encrypted transactions (which should be illegal but hey)"
So it has a convenient interface for MITMing SSL sessions... Ugh.
Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Inasfar as it's possible, of course. I can't exactly mail a usb key to the GitHub building with new keys & instructions, can I?
Why?
Unless you think someone is MITM'ing all of your pathways to the internet, just validate your keys from more than one place - even if your employer managed to manipulate your key when you connect through their internet connection, when you try to use the key (or look at the key fingerprint) from your home internet connection, you'll see that it doesn't match your private key.
Or, when you're uploading keys, don't trust an SSL connection from someone else's computer (even your employer's) since the only way they can MITM SSL is to put their own root cert on your computer.
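The "validate from more than one place" advice above can be made mechanical: capture the certificate each network path actually presents for a host, fingerprint it, and compare against a pin recorded out of band. The script below is an added example, not from the thread or any product; the PEM blobs it embeds are constructed stand-ins (a base64 payload between certificate markers) so that it runs offline, not real certificates. For real use, replace them with the output of `ssl.get_server_certificate((host, 443))` run from each vantage point.

```python
"""Compare the certificate seen for one host from several network vantage
points against a pinned fingerprint.

Added example. Sample PEM blobs are constructed, not real certificates.
"""
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
PEM_FOOTER = "-----END CERTIFICATE-----\n"


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding; the same value browsers display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """PEM of whatever the far end presents. Deliberately no chain validation:
    the point is to see an interposed certificate, not to reject it."""
    return ssl.get_server_certificate((host, port))


def classify(observed: dict, pinned: str) -> dict:
    """observed: vantage name -> PEM string. Returns per-vantage fingerprints,
    the vantages that disagree with the pin, and an overall verdict:
      consistent              every path shows the pinned certificate
      interception-suspected  some paths show a different certificate
      pin-stale               all paths agree with each other but not the pin
      inconsistent            paths disagree and none match the pin
    """
    fps = {v: sha256_fingerprint(pem) for v, pem in observed.items()}
    mismatched = sorted(v for v, fp in fps.items() if fp != pinned)
    if not mismatched:
        verdict = "consistent"
    elif len(mismatched) < len(fps):
        verdict = "interception-suspected"
    elif len(set(fps.values())) == 1:
        verdict = "pin-stale"   # likely rotation; confirm out of band before re-pinning
    else:
        verdict = "inconsistent"
    return {"verdict": verdict, "mismatched": mismatched, "fingerprints": fps}


def constructed_pem(payload: bytes) -> str:
    """Stand-in PEM for offline demonstration; NOT a real certificate."""
    return PEM_HEADER + base64.encodebytes(payload).decode("ascii") + PEM_FOOTER


if __name__ == "__main__":
    genuine = constructed_pem(b"constructed genuine cert")
    interposed = constructed_pem(b"constructed interception cert")
    pin = sha256_fingerprint(genuine)   # recorded earlier, out of band
    print(classify({"office": interposed, "home": genuine, "mobile": genuine}, pin))
```

The "pin-stale" outcome is the edge case worth handling separately: if every path agrees but none matches your pin, the server may simply have rotated its certificate, and the right move is to confirm through a channel the suspected interceptor does not control before updating the pin.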
I work in R&D for a large company that's been a Cisco Gold level partner for 20-something years. Give me some way to contact you and I can probably ping my buddy over in Sales Engineering and get one in a couple of hours if it's a thing that can be gotten (I don't know the first thing about the hardware side of the house, but my friend went from engineering to sales - 'cause money. Can't blame him for doing less work for more pay. Even if I do... often.).
I probably actually have access, but Cisco's site is a disaster to try to navigate and that's just my small part of their dev site. Believe it or not, still better than Avaya's dev/support site. Legit offer if you want to exchange contact info. A couple people on this site have helped me out over the years and I'm fairly sure this is something that I can take care of with an IM and maybe a beer.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardware/
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Accurate - make sure they give you ASDM as well as the ASA upgrade else you can't use the gui to manage it after you're done with the upgrade.
Do they really give out the hashes with no intention of letting you download the files?
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardwa...
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960Mbit (150mbit VPN) while the standard ASA 5500 line tops out around 4 gbit/second (700mbit VPN).
The 5585-X model line with the dedicated security processor will do up to 80Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap, you'll pay around $150K for each one.
Do they really give out the hashes with no intention of letting you download the files?
Yes. As long as you have a Cisco.com account (free), you can view the filenames/hashes/release notes for all their releases.
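Since the hashes are viewable on Cisco.com even when the image itself came from TAC or some other channel, the practitioner's check is to compare the downloaded file against the published MD5 and SHA512 strings before copying it to the appliance. The script below is an added example, not Cisco tooling; it assumes you have pasted the published digests into the `expected` dict exactly as shown on the download page (case and surrounding whitespace do not matter) and it never contacts Cisco. The sample image it verifies is constructed bytes written to a temporary file.

```python
"""Verify a downloaded ASA image against digests published on Cisco.com.

Added example, not Cisco's own tooling. The demo image is constructed.
"""
import hashlib
import hmac
import os
import sys
import tempfile

CHUNK = 1024 * 1024  # images are hundreds of MB; hash them in a stream


def file_digests(path: str, algorithms) -> dict:
    """Compute every requested digest in a single pass over the file."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(path: str, expected: dict):
    """expected maps algorithm name ('md5', 'sha512') to the published hex string.

    Returns (ok, per_algorithm_results). ok is True only when at least one digest
    was supplied and every supplied digest matches; comparison is constant-time
    so the function can be reused for anything hash-shaped without care.
    """
    actual = file_digests(path, tuple(expected))
    results = {}
    for name, published in expected.items():
        want = "".join(published.split()).lower()   # tolerate copy/paste noise
        results[name] = hmac.compare_digest(actual[name], want)
    ok = bool(results) and all(results.values())
    return ok, results


def demo():
    """Write a constructed image, then verify it with good, wrong and no digests."""
    data = b"constructed ASA image bytes, not a real image\n" * 4096
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        # As if copied from the download page: upper case, stray whitespace.
        published = {"md5": hashlib.md5(data).hexdigest().upper(),
                     "sha512": " " + hashlib.sha512(data).hexdigest() + "\n"}
        good = verify_image(path, published)
        tampered = verify_image(path, {"sha512": "0" * 128})
        nothing = verify_image(path, {})
    finally:
        os.unlink(path)
    return good, tampered, nothing


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: verify.py <image> sha512=<hex> [md5=<hex>]
        expected = dict(arg.split("=", 1) for arg in sys.argv[2:])
        ok, results = verify_image(sys.argv[1], expected)
        print("OK" if ok else "MISMATCH", results)
        sys.exit(0 if ok else 1)
    print(demo())
```

Prefer the SHA512 value when both are published; an MD5-only match is better than nothing for detecting a corrupt download but is not a meaningful defence against a deliberately substituted file.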
I guess even though ASA 8.2 is EoS (and has been for a long time), Cisco has received a sufficient number of requests that they're contemplating patching 8.2 as well. The biggest reason a number of people (my customers included) didn't move to 8.3+ in the first place was:
- On almost all platforms, upgrading required a truck roll and downtime to upgrade the memory (read: expensive)
- Configs had to be carefully checked after the conversion (8.3 basically reinvented the way the ASA does NAT) because more often than not it broke half your NAT rules.
Basically Cisco has forced you to spend a not insignificant amount of time and money to stay on a supported code train. While not unprecedented for Cisco, it's not that common that they change both the memory requirements and the config "paradigm" in a single release. It was double pain and a reason there are still a lot of 8.2 boxes out there. Hopefully they do give us a patched 8.2 release and let the old 5505/5510/5520 live out their days until EoS (December 2017) without having to go through the brutal 8.2 -> 8.3 migration.
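For the "thousands of NATs" problem raised earlier in the thread and the 8.2 -> 8.3 migration pain described just above, it helps to see what the syntax change actually is. The script below is an added example, not Cisco's migration tool or anything from the thread. It assumes the 8.2 forms `static (real_if,mapped_if) <mapped> <real> netmask <mask>` and `nat (real_if) <id> <net> <mask>` paired with `global (mapped_if) <id> interface|<ip>`, and emits the 8.3 object-NAT form (`object network`, `host`/`subnet`, `nat (real_if,mapped_if) static|dynamic ...`). Anything it is not sure about (network statics, `nat 0`, orphaned ids) is returned for manual review rather than guessed. The 8.2 sample is constructed.

```python
"""Translate the common ASA 8.2 NAT statements into 8.3+ object NAT.

Added example, not Cisco's converter. Forms handled are described in the
lead-in; everything else is returned for manual review. SAMPLE_82 is constructed.
"""
import re
import sys

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

# Constructed 8.2-style NAT section, not a real config.
SAMPLE_82 = """\
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.0 10.0.1.0 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
"""


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; used only to build readable object names."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def convert_nat(config: str):
    """Return (converted_lines, lines_needing_manual_review)."""
    globals_by_id = {}
    for raw in config.splitlines():
        m = GLOBAL_RE.match(raw.strip())
        if m:
            globals_by_id[int(m.group(2))] = (m.group(1), m.group(3))

    converted, review = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or GLOBAL_RE.match(line):
            continue  # global lines are folded into the nat lines that reference them
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mask != "255.255.255.255":
                review.append(line)  # network static: mapped side needs its own object
                continue
            converted += [f"object network obj-{real}",
                          f" host {real}",
                          f" nat ({real_if},{mapped_if}) static {mapped}"]
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, nat_id, net, mask = m.groups()
            nat_id = int(nat_id)
            if nat_id == 0 or nat_id not in globals_by_id:
                review.append(line)  # nat 0 (exemption/identity) or id with no global
                continue
            mapped_if, mapped = globals_by_id[nat_id]
            converted += [f"object network obj-{net}-{mask_to_prefix(mask)}",
                          f" subnet {net} {mask}",
                          f" nat ({real_if},{mapped_if}) dynamic {mapped}"]
            continue
        review.append(line)
    return converted, review


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_82
    done, todo = convert_nat(text)
    print("\n".join(done))
    if todo:
        print("\n! needs manual review:")
        print("\n".join("! " + t for t in todo))
```

Even where the translation is mechanical, the result still has to be checked on a lab box before it goes near production: 8.3 also changed interface access-lists to match on real (untranslated) addresses rather than the mapped ones, so a faithful NAT conversion can still leave ACLs pointing at the wrong side of the translation.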
At least they give great end user support on pirated firmware updates...