Slashdot Mirror


Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls (onthewire.io)

Trailrunner7 writes: Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco's IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR. Cisco does not have patches available for this vulnerability yet, and said there are no workarounds available to protect against attacks either. Many of the products affected by this flaw are older releases and are no longer supported, specifically the PIX firewalls, which haven't been supported since 2009.

30 comments

  1. Egg on face? by Anonymous Coward · · Score: 0

    YES!

    1. Re:Egg on face? by flyingfsck · · Score: 1

      Holy firewalls.
      I'll be here all week folks.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  2. Bad wording by campuscodi · · Score: 3, Insightful

    Scrambles is the incorrect term. The exploit has been around for about a month. You "scramble to fix" something in a few hours or days.... not a month after.

    1. Re:Bad wording by jellomizer · · Score: 4, Informative

      If you are a company the size of Cisco with so many customers, a month is a good scramble, as there are many levels of checks that need to be done before you release it. Because while the flaw is really bad, causing all the customers to have their firewalls brick from a bad patch is worse.

      Most of us work on small-scale programs, where downtime or a major problem isn't nearly as big a deal. However with Cisco a problem in deploayment can bring down the entire economy.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Bad wording by EndlessNameless · · Score: 1

      If IKE is part of a FIPS-certified crypto implementation, then the new code will have to be recertified.

      Assuming that is the case, Cisco is likely working with its validator to ensure their code will be approved.

      This is in addition to the functional testing that you'd expect for any change to enterprise infrastructure.

      Enterprise vendors don't just bang out a quick fix and pray that it works or gets regulatory approval.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:Bad wording by XparXnoiaX · · Score: 1

      Cisco needs to pick up their game. They need to be embarrassed harshly and completely, so they learn to not do this again.

      --
      Irresponsible disclosure is responsible
    4. Re:Bad wording by Anonymous Coward · · Score: 0

      "problem in deploayment": noun phrase. Issue with setup (see deployment) or payment of rent (see licensing) of computer equipment, software or related assets. "Our deploayment was late so the project failed."

  3. PIX EOL by Anonymous Coward · · Score: 0

    PIX has been end of life for 7 years now. The Cisco ASA code doesn't seem to be affected by this vulnerability. But the Cisco IOS code train does appear to be. Be a good steward and lock down your IPsec tunnels with ACLs.

    1. Re:PIX EOL by LostMyBeaver · · Score: 2

      Or configure your IPSEC properly with IKEv2. The best fix is to EOL v1

  4. No support for Pix since 2009? by Anonymous Coward · · Score: 2, Funny

    Had a Pix. Can't say there was much support before 2009 either.

    1. Re:No support for Pix since 2009? by Anonymous Coward · · Score: 0

      MOD PARENT UP.

  5. Not just Firewalls, Routers too. by Strider- · · Score: 1

    This is bad, really bad. It's not just the firewalls that are at issue, but it's also all their routers, if they're running most modern versions of IOS and/or IOS-XE.

    The only thing to do right now is to slam ACLs onto your interfaces to block connections to UDP port 500 and 4500 from anywhere except where the other end of your VPN is coming from.

    --
    ...si hoc legere nimium eruditionis habes...
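    As an added example that is not part of the original thread, here is what the "PIX EOL" and "Not just Firewalls" comments above recommend, written out as a Cisco IOS configuration: an inbound ACL on the Internet-facing interface that lets only the known VPN peer reach IKE (UDP/500), NAT-T (UDP/4500) and ESP, followed by an IKEv2-only site-to-site tunnel as suggested in the reply to "PIX EOL". The addresses (198.51.100.1 local, 203.0.113.10 peer, RFC 5737 documentation ranges), the interface and object names, and the pre-shared key placeholder are all assumptions for illustration; substitute your own. Note that this is exposure reduction, not a fix: Cisco's advisory lists no workaround, IKE runs over UDP, so a packet with a spoofed source matching the peer still reaches the listener, and the ACL does nothing for a peer that is itself compromised.

    ```cisco
    ! ---- 1. Restrict who may talk to the IKE/IPsec listener ----
    ! Applied inbound on the outside interface. Addresses are assumed
    ! (198.51.100.1 = this router, 203.0.113.10 = remote VPN peer).
    ip access-list extended OUTSIDE-IN
     remark IKE (IKEv1/IKEv2) on UDP/500: VPN peer only
     permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
     remark NAT-T on UDP/4500: VPN peer only (drop this line if no NAT in path)
     permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
     remark ESP from the peer; without this the tunnel negotiates but passes no data
     permit esp host 203.0.113.10 host 198.51.100.1
     remark Everyone else hitting IKE/ESP is dropped and logged for hunting
     deny   udp any host 198.51.100.1 eq isakmp log
     deny   udp any host 198.51.100.1 eq non500-isakmp log
     deny   esp any host 198.51.100.1 log
     remark ... your existing rules for other inbound services go here ...
     deny   ip any any
    !
    interface GigabitEthernet0/0
     description Outside / Internet (assumed interface name)
     ip address 198.51.100.1 255.255.255.252
     ip access-group OUTSIDE-IN in
    !
    ! ---- 2. IKEv2-only site-to-site tunnel to the same peer ----
    crypto ikev2 proposal PROP-AES256-SHA256
     encryption aes-cbc-256
     integrity sha256
     group 14
    !
    crypto ikev2 policy POL-SITE2SITE
     proposal PROP-AES256-SHA256
    !
    crypto ikev2 keyring KR-PEERS
     peer BRANCH
      address 203.0.113.10
      ! placeholder secrets, replace with long random values
      pre-shared-key local  REPLACE-WITH-LONG-RANDOM-SECRET
      pre-shared-key remote REPLACE-WITH-LONG-RANDOM-SECRET
    !
    crypto ikev2 profile PROF-SITE2SITE
     match identity remote address 203.0.113.10 255.255.255.255
     identity local address 198.51.100.1
     authentication local pre-share
     authentication remote pre-share
     keyring local KR-PEERS
    !
    crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile IPSEC-SITE2SITE
     set transform-set TS-AES256-SHA256
     set ikev2-profile PROF-SITE2SITE
    !
    interface Tunnel0
     ip address 10.255.0.1 255.255.255.252
     tunnel source GigabitEthernet0/0
     tunnel destination 203.0.113.10
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-SITE2SITE
    !
    ! Once every IKEv1 peer has been migrated, turn the IKEv1 (ISAKMP)
    ! listener off entirely rather than leaving it reachable.
    no crypto isakmp enable
    ```

    After applying it, `show access-lists OUTSIDE-IN` shows hit counts on the logged deny lines, which is a cheap way to see who is probing UDP/500 and 4500, and `show crypto ikev2 sa` should list the peer while `show crypto isakmp sa` stays empty. If you have more than one peer, add one permit triple (500, 4500, ESP) per peer address above the deny lines rather than widening the source to `any`.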
  6. yes, the level of testing / stability by raymorris · · Score: 1

    > As there are many levels of checks that are needed to be done, before you release it. Because while the flaw is really bad, causing all the customers to have their firewall brick from a bad patch is worse. However with Cisco a problem in deployment can bring down the entire economy.

    Yeah, Cisco equipment basically runs the internet backbones, as well as the internal networks of most major companies. At Cisco you don't release a new firmware quickly and hope it's okay; you make damn sure it's not going to brick or otherwise seriously mess up before you release it.

    1. Re:yes, the level of testing / stability by Anonymous Coward · · Score: 2, Interesting

      You never worked with Cisco firmware. It is often very difficult to obtain both the features you require and the hardware without running into a gotcha re compatibility or bugs. No active maintenance contracts, and it's often easier and cheaper to replace the entire device. Sad but true!

    2. Re:yes, the level of testing / stability by DarkOx · · Score: 1

      Please, Cisco releases firmware with major bugs ALL THE TIME; ask anyone who has run a network of moderate size like at a F500 or something. As soon as you start doing anything moderately complex with a handful of routing protocols, nested VLANs, other tunnels and authentication methods, it's effectively all 'corner cases', so it's not really surprising.

      Actually I am amazed they don't have more problems. Let's not kid ourselves though, bugs, even pretty bad ones, are common. I myself have been provided with a special engineering build or two along the way after some long TAC calls. Cisco does a good job but shit happens.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:yes, the level of testing / stability by l0n3s0m3phr34k · · Score: 1

      Not using a PIX 5XX they don't. These things are ANCIENT, far past EOL. You can pick one up for $30-$50. I'm surprised Cisco is even bothering with them. Now, the ASA (depending on the model) might still be under support. But no PIX is and hasn't been for seven years now. If you're using a PIX 501 as your company firewall, you deserve to be hacked.

    4. Re:yes, the level of testing / stability by Anonymous Coward · · Score: 0

      Where did this myth about Cisco running the "backbone of the Internet" come from. Cisco has a market share of 10%. Fortinet and Juniper will almost certainly surpass it. Huawei has a bigger market share than Cisco. Just stop it with this "backbone" shit! Cisco never had a dominant position. Check your stats.

    5. Re: yes, the level of testing / stability by buchanmilne · · Score: 1

      Sure, maybe Fortinet has market share in the "internet backbone" business, if you consider firewalls to be the backbone of the internet.

      However, most people consider routers to be the backbone of the internet, and in that segment the players are (in approximate order of market share) Cisco, Juniper, Alcatel-Lucent/Nokia, Huawei, Extreme Networks (and then the other 4).

      High-end firewalls can handle about 100Gbps peak, fully-specced core routers can route in region of 10Tbps (depending on which vendor) or more.

  7. Finally came back to bite Cisco by sl3xd · · Score: 1

    In a sick way, I'm pleased to see Cisco's insistence on weakening KDEv1 has bitten them. The guys working on StrongSWAN or LibreSwan have long made an issue of many of the weaknesses Cisco & others forced into IPSec (and IKEv1 in particular).

    Not that Cisco is alone in weakening IPsec and marketing it as a desirable feature... but it's sad that anybody has to suffer due to somebody telling an engineer to take off their engineer's hat and put on his manager's hat.

    --
    -- Sometimes you have to turn the lights off in order to see.
    1. Re:Finally came back to bite Cisco by sl3xd · · Score: 1

      Ugh.. autocorrect strikes again. IKEv1, not KDEv1.

      --
      -- Sometimes you have to turn the lights off in order to see.
  8. Just use Linux by Anonymous Coward · · Score: 0

    I just use a desktop with 6 network cards (including the on-board one) with Linux as a firewall. No VLANs, just physically separated subnets. Why would anyone use some proprietary, closed-source, firewall with both badly implemented manufacturer and government back doors?

    1. Re:Just use Linux by Anonymous Coward · · Score: 0

      So what software do you use? Most firewall/router software doesn't seem to be designed to easily configure 6 separate interfaces, more like about 3.

    2. Re: Just use Linux by Anonymous Coward · · Score: 0

      Use OpenBSD and PF, have as many as you need/want.

      I had a buddy set up a firewall with 4 interfaces. 2 in, 2 out, bridged together.

    3. Re:Just use Linux by Anonymous Coward · · Score: 0

      The fact that you're even asking this question is a 100% guarantee that you've never run an enterprise network.

  9. Why the NSA should not have hidden zero day by WillAffleckUW · · Score: 1

    Seriously, we did warn them not to do this.

    --
    -- Tigger warning: This post may contain tiggers! --
  10. Juniper: 16%-22% and falling. Cisco 49%-59% by raymorris · · Score: 1

    The exact numbers vary by source, but all sources agree that Cisco's market share in ISPs, in core, and in enterprise are all about three times as much as Juniper.

    http://www.forbes.com/sites/gr...

  11. Maintenance contract needed.....? by Anonymous Coward · · Score: 0

    What is the status of getting bug fixes images?

    Cisco are such knobs now and won't give you anything unless you have a maintenance contract. It would be great if they leave all this buggy code out there, and leave us all to wonder if we have the buggy images every time we Cisco box....

  12. Bug??? in Crypto mechanism??? by Anonymous Coward · · Score: 0

    Like heartbleed eh?

    uhuh. lol.