Slashdot Mirror


Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com)

itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.

2 of 78 comments

  1. Re:Who cares? by 110010001000 · · Score: 4, Interesting

    Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.

  2. Re:Great! Now if only they would make upgrades eas by citylivin · · Score: 3, Interesting

    *sigh* We are going the other route. After having a rock solid pfSense install for 8 years with zero downtime, our IT manager has decided to purchase a Cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (I just looked).

    The reason for the purchase is that the Cisco ASA can do neat things like deep packet inspection, viewing inside SSL encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with Squid. I'm sure Squid may do these things, but it doesn't work out of the box, and Cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.

    I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more, and the Cisco ASA 5508 with FirePOWER has a literally beautiful user interface and, when we saw it demo'ed, was quite intuitive. I have not used the device yet because it's still in testing, but I do look forward to it based on the demo.

    Yes, you do need to have a relationship with a good VAR to get stuff from Cisco, but we buy desk phones and licenses for them all the time, so we do have that relationship.

    I love pfSense, and like I said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose Cisco over free alternatives.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy