Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com)
itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
It isn't like the job of a firewall is to keep unauthenticated remote attackers out. The purpose of a Cisco firewall is so Chambers can buy another island. It is your fault for not choosing an Open Source solution.
In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.
You can not buy it online.
You can not buy it from Cisco, you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...
I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.
How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???
> In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
> I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.
> You can not buy it online.
> You can not buy it from Cisco, you have to go through a reseller.
> Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...
> I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.
> How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???
Replace your ASA's with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.
>> I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version.
By design.
Man can make it, man can break it. It is a given fact of life to ANY serious engineer in any discipline.
To ignore such a thing is the ultimate range of foolishness and it is also the signal of a superiority complex that cannot be trusted.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
How is a RCE a worm? Does the author of this article know what wormable means?
Go away!
Employers never upgrade them until they stop working or when the ports randomly go out
http://saveie6.com/
To be fair, Cisco is handing out free upgrades with this vulnerability. Call TAC, give them your serial number, and a few hours later you should have a download link in your email.
BitTorrent.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
I was about to write the same comment after reading the linked Cisco advisory. It's a serious issue, but they do offer free fixes for serious vulnerabilities like this. Please mod parent up.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
The reason that people use things like Cisco, is that the integration is easier.
The other reason is that they are supposed to be secure. But if you let your SMARTNet subscription lapse and stop applying updates, that's no longer the case. If you're not going to pay for updates for your security device, then use something that will give you free updates.
As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces
*sigh* we are going the other route. After having a rock solid pfsense install for 8 years with zero downtime, our IT manager has decided to purchase a cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (i just looked).
The reason for the purchase is that the cisco ASA can do neat things like deep packet inspection, viewing inside ssl encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with squid. I'm sure squid may do these things but it doesn't work out of the box and cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.
I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more and the cisco asa 5508 with firepower has a literally beautiful user interface and when we saw it demo'ed was quite intuitive. I have not used the device yet because it's still in testing, but I do look forward to it based on the demo.
Yes, you do need to have a relationship with a good VAR to get stuff from cisco, but we buy desk phones and licenses for them all the time so we do have that relationship.
I love pfsense, and like I said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose cisco over free alternatives.
As a potential lottery winner, I totally support tax cuts for the wealthy
Why do not open source aficionados more often criticize how the firmware of Cisco Systems hardware is not open source? Why is there no worry about backdoors either? There's a lot of yacking about UEFI backdoors, Windows telemetry, NSA surveillance, Facebook datamining... but Cisco seems to get a pass.
> As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces
And how many 10 gig interfaces can you put into an ASA 5505?
From Cisco's site it appears they will supply the update but you have to contact support. Haven't tried it yet but might be worth contacting them...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
> Just providing another opinion on why someone would choose cisco over free alternatives.
Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.
Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plug it in, put it in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Ah, I was mixing the 5505 with another device. Looks like that's more of a SOHO device, so rather low powered (and a good candidate for pfsense replacement).
The Swedish version of ASA doesn't use Internet Key Exchange (IKE). It uses
<puts on sunglasses>
IKEA!
> You can not buy it online.
> You can not buy it from Cisco, you have to go through a reseller.
I dumped our ASA in the trash for the same reason. We use a Linux VM for all routing/firewalling, and have never looked back.
> BitTorrent.
Download remote code from a stranger to patch a remote code execution vulnerability...
Just had to deal with a Cisco firewall / VPN that died. The hardware did not die - the firmware was compromised. Someone botched a remote update -- at least that is my best guess. And it was a good thing this happened. After replacing the Cisco device with a generic OpenWRT device, intruder attempts to the local server dropped to zero. Previously there were hundreds of attempts a day. Attempts to track down the malicious network device always came up empty - so I assumed a core network device was responsible but lacked the incentive to identify the specific device.
It is not like I never checked for firmware updates. The Cisco firewall reported the latest firmware with a matching checksum. But this was obviously not the case. I believe the device could have been compromised from day 1. Too bad, it was a well made device (good PCB design, components, etc.). Possibly that MachXO CPLD had a compromised firmware?
> They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
You're not a Linux (or BSD, or other unix like OS) admin are you? Everything can be automated.
You can automate it if you trust updates not to break connectivity. Most people would rather be there when it updates so they don't get locked out of their VPN on a long holiday weekend.
I've never had a pfSense update break anything, but I still don't trust it to do unattended upgrades.
If you've got a validation lab where you can test out upgrades before you push them out to remote sites, then you can have it do unattended upgrades automatically.
Seriously. When are people going to stop pushing hurt me buttons with companies treating them like this? It's funny and sad at the same time.
> They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
> Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
So, you like automated unattended updates? I'm sure nothing could go wrong with that..
You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?
That was my advice to him -- the guy that is using a consumer grade 5505 to protect his office, let his maintenance subscription lapse and the firmware is 2 years out of date.
Being able to log in and click on something is no indicator of whether or not it can be scripted. There are many many tools and products that provide both a GUI and a rich API.
But hey, I'm not trying to sell you anything -- if you can't figure out on your own if a product supports any scripting or remote management, then that's probably a good sign that it's not the right fit for you. But don't try to blame someone else for your own shortcomings when you somehow assume that a 100 word Slashdot post is a complete feature description and that it will describe your own (unstated) use case.
Not YET. However, with the introduction of the 5506/5508, it shouldn't be long.
http://www.cisco.com/c/en/us/s...
Verify the sha/md5 with the mothership.
The "AIP SSC" is EOL. NOT the 5505 itself. (yet)
"viewing inside ssl encrypted transactions (which should be illegal but hey)"
So it has a convenient interface for MITMing SSL sessions... Ugh.
Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Insofar as it's possible, of course. I can't exactly mail a usb key to the GitHub building with new keys & instructions, can I?
Why?
Unless you think someone is MITM'ing all of your pathways to the internet, just validate your keys from more than one place - even if your employer managed to manipulate your key when you connect through their internet connection, when you try to use the key (or look at the key fingerprint) from your home internet connection, you'll see that it doesn't match your private key.
Or, when you're uploading keys, don't trust an SSL connection from someone else's computer (even your employer's) since the only way they can MITM SSL is to put their own root cert on your computer.
I work in R&D for a large company that's been a Cisco Gold level partner for 20-something years. Give me some way to contact you and I can probably ping my buddy over in Sales Engineering and get one in a couple of hours if it's a thing that can be gotten (I don't know the first thing about the hardware side of the house, but my friend went from engineering to sales - 'cause money. Can't blame him for doing less work for more pay. Even if I do... often.).
I probably actually have access, but Cisco's site is a disaster to try to navigate and that's just my small part of their dev site. Believe it or not, still better than Avaya's dev/support site. Legit offer if you want to exchange contact info. A couple people on this site have helped me out over the years and I'm fairly sure this is something that I can take care of with an IM and maybe a beer.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardware/
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Accurate - make sure they give you ASDM as well as the ASA upgrade else you can't use the gui to manage it after you're done with the upgrade.
Do they really give out the hashes with no intention of letting you download the files?
> The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
> https://www.pfsense.org/hardwa...
> Model C2758
> Max Active Connections 8,000,000
> Network Interfaces 4x Intel 1GbE
> Network Expansion 2x Chelsio 10GbE
Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960Mbit (150mbit VPN) while the standard ASA 5500 line tops out around 4 gbit/second (700mbit VPN).
The 5585-X model line with the dedicated security processor will do up to 80Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap, you'll pay around $150K for each one.
> Do they really give out the hashes with no intention of letting you download the files?
Yes. As long as you have a Cisco.com account (free), you can view the filenames/hashes/release notes for all their releases.
At least they give great end user support on pirated firmware updates...