Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com)

itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
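The advisory summarised above places the flaw in the IKEv1 and IKEv2 code of ASA Software, so the first thing a defender wants to know is which ASA interfaces actually have IKE bound to them. The following script is an added example, not code from the article, from Cisco or from any commenter: it parses a constructed ASA running-config and reports every interface on which a crypto map is bound or `crypto ikev1 enable` / `crypto ikev2 enable` is set (these are the standard ASA commands that bind IKE to an interface). Whether a given software version is affected is a separate question that only the advisory answers; the script assumes nothing about versions.

```python
"""Report which interfaces in a Cisco ASA running-config have IKE bound to them.

Added example: parses config text, does not touch any device.
"""
import re
from typing import Dict, List

# Constructed sample config (not from a real device). The 'outside' interface
# has a crypto map bound and both IKE versions enabled; 'inside' has neither.
SAMPLE_CONFIG = """\
hostname branch-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
crypto map outside_map 10 match address vpn-acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# 'crypto map <name> interface <nameif>' binds an IKEv1 crypto map to an interface.
CRYPTO_MAP_IFACE = re.compile(r"^crypto map \S+ interface (\S+)$")
# 'crypto ikev1 enable <nameif>' / 'crypto ikev2 enable <nameif>' turn IKE on per interface.
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")


def find_ike_exposure(config: str) -> Dict[str, List[str]]:
    """Return {interface_name: [reasons]} for every interface with IKE bound to it."""
    exposure: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_IFACE.match(line)
        if m:
            exposure.setdefault(m.group(1), []).append("crypto map bound (IKEv1)")
            continue
        m = IKE_ENABLE.match(line)
        if m:
            exposure.setdefault(m.group(2), []).append(f"{m.group(1)} enabled")
    return exposure


def is_exposed(config: str) -> bool:
    """True if at least one interface has IKE bound, i.e. the IKE code path is reachable."""
    return bool(find_ike_exposure(config))


if __name__ == "__main__":
    for iface, reasons in find_ike_exposure(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(reasons)}")
```

Run it against `show running-config` output saved to a file; an interface listed with any reason is one where the vulnerable IKE listener is reachable from that side of the firewall, which is what the advisory's own checks look for, and a config with no hits has no IKE exposure regardless of version.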


  1. Who cares? by 110010001000 · · Score: 2, Insightful

    It isn't like the job of a firewall is to keep unauthenticated remote attackers out. The purpose of a Cisco firewall is so Chambers can buy another island. It is your fault for not choosing an Open Source solution.

    1. Re:Who cares? by 110010001000 · · Score: 4, Interesting

      Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.

  2. Great! Now if only they would make upgrades easier by Anonymous Coward · · Score: 5, Informative

    In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
    I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

    You cannot buy it online.
    You cannot buy it from Cisco, you have to go through a reseller.
    Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

    I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

    How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???

  3. Re:Great! Now if only they would make upgrades eas by hawguy · · Score: 5, Informative

    In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
    I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

    You cannot buy it online.
    You cannot buy it from Cisco, you have to go through a reseller.
    Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

    I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

    How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???

    Replace your ASAs with pfSense boxes (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.

  4. I hope you didn't expect anything different by Khyber · · Score: 2

    Man can make it, man can break it. It is a given fact of life to ANY serious engineer in any discipline.

    To ignore such a thing is the ultimate range of foolishness and it is also the signal of a superiority complex that cannot be trusted.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  5. Re:Great! Now if only they would make upgrades eas by dills · · Score: 5, Informative

    To be fair, Cisco is handing out free upgrades with this vulnerability. Call TAC, give them your serial number, and a few hours later you should have a download link in your email.

  6. Re: Great! Now if only they would make upgrades ea by jeffasselin · · Score: 2

    I was about to write the same comment after reading the linked Cisco advisory. It's a serious issue, but they do offer free fixes for serious vulnerabilities like this. Please mod parent up.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.

  7. Re:Great! Now if only they would make upgrades eas by citylivin · · Score: 3, Interesting

    *sigh* We are going the other route. After having a rock solid pfSense install for 8 years with zero downtime, our IT manager has decided to purchase a Cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (I just looked).

    The reason for the purchase is that the Cisco ASA can do neat things like deep packet inspection, viewing inside SSL encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with Squid. I'm sure Squid may do these things but it doesn't work out of the box, and Cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.

    I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more, and the Cisco ASA 5508 with FirePOWER has a literally beautiful user interface and when we saw it demo'ed was quite intuitive. I have not used the device yet because it's still in testing, but I do look forward to it based on the demo.

    Yes, you do need to have a relationship with a good VAR to get stuff from Cisco, but we buy desk phones and licenses for them all the time so we do have that relationship.

    I love pfSense, and like I said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose Cisco over free alternatives.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy

  8. Update is 'free', even without maintenance by Anonymous Coward · · Score: 4, Informative

    From Cisco's site it appears they will supply the update but you have to contact support. Haven't tried it yet but might be worth contacting them...

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  9. Swedish Installs of ASA Are Unaffected by Anonymous Coward · · Score: 3, Funny

    The Swedish version of ASA doesn't use Internet Key Exchange (IKE). It uses

    <puts on sunglasses>

    IKEA!

  10. Re:Great! Now if only they would make upgrades eas by ttucker · · Score: 2

    BitTorrent.

    Download remote code from a stranger to patch a remote code execution vulnerability...