Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) 78
itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
Who cares? (Score:3, Insightful)
Re:Who cares? (Score:5, Interesting)
Re: (Score:1)
They really don't.
Re: Who cares? (Score:2)
And many of the major upgrades require large configuration rewrites - so enjoy that too.
Re: (Score:2)
Like the old saying goes..."Nobody ever got fired for buying Cisco."
Re: (Score:2)
Nothing against pfSense, but how well does it scale for organizations with 10s or 100s of thousands of users?
Re: (Score:2)
Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.
When you tell me that you can support 100 million concurrent sessions and 2Tbps of firewalling throughput across a pfsense firewall then I'll be able to go to my customers and say there is no longer a need to pay enormous amounts of money for a firewall.
https://www.juniper.net/us/en/... [juniper.net]
Granted Cisco doesn't have anything even remotely close to this Juniper box in performance but the overall point is that pfsense isn't a replacement for high end firewalls at this point in time.
Re: (Score:2)
If it's 'wormable' then can't they write a worm that goes out and fixes the problem?
Great! Now if only they would make upgrades easier (Score:5, Informative)
In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.
You cannot buy it online.
You cannot buy it from Cisco; you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...
I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.
How on earth are customers supposed to be secure if they make it so hard to keep up with patches???
Re:Great! Now if only they would make upgrades eas (Score:5, Informative)
In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.
You cannot buy it online.
You cannot buy it from Cisco; you have to go through a reseller.
Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...
I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.
How on earth are customers supposed to be secure if they make it so hard to keep up with patches???
Replace your ASA's with pfSense boxes [pfsense.org] (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.
Re: (Score:2)
The reason that people use things like Cisco, is that the integration is easier.
The other reason is that they are supposed to be secure. But if you let your SMARTNet subscription lapse and stop applying updates, that's no longer the case. If you're not going to pay for updates for your security device, then use something that will give you free updates.
Re: (Score:1)
As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces.
Re: (Score:2)
As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interfaces.
And how many 10 gig interfaces can you put into an ASA 5505?
Re: (Score:1)
Ah, I was mixing the 5505 with another device. Looks like that's more of a SOHO device, so rather low powered (and a good candidate for pfsense replacement).
Re: (Score:1)
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardware/
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Re: (Score:2)
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardwa... [pfsense.org]
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960Mbit (150mbit VPN) [pfsense.org] while the standard ASA 5500 line tops out around 4 gbit/second (700mbit VPN). [cisco.com]
The 5585-X model line with the dedicated security processor will do up to 80Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap, you'll pay around $150K for each one.
Re:Great! Now if only they would make upgrades eas (Score:4, Interesting)
*sigh* we are going the other route. After having a rock-solid pfsense install for 8 years with zero downtime, our IT manager has decided to purchase a Cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (I just looked).
The reason for the purchase is that the Cisco ASA can do neat things like deep packet inspection, viewing inside SSL encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with Squid. I'm sure Squid may do these things, but it doesn't work out of the box, and Cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.
I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more, and the Cisco ASA 5508 with Firepower has a literally beautiful user interface and when we saw it demoed it was quite intuitive. I have not used the device yet because it's still in testing, but I do look forward to it based on the demo.
Yes, you do need to have a relationship with a good VAR to get stuff from Cisco, but we buy desk phones and licenses for them all the time so we do have that relationship.
I love pfsense, and like I said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose Cisco over free alternatives.
Re: (Score:2)
Just providing another opinion on why someone would choose Cisco over free alternatives.
Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.
Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plug it in, put it in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calenda
Re: (Score:2)
They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
You're not a Linux (or BSD, or other unix like OS) admin are you? Everything can be automated.
You can automate it if you trust updates not to break connectivity. Most people would rather be there when it updates so they don't get locked out of their VPN on a long holiday weekend.
I've never had a pfSense update break anything, but I still don't trust it to do unattended upgrades.
If you've got a validation lab where you can test out upgrades before you push them out to remote sites, then you can have it do un
Re: (Score:2)
You explicitly said log in and click. That is indicative of not being able to cron or run a script remotely. Either your writing is bad or your understanding is bad. Why should I trust the rest of what you have said?
That was my advice to him -- the guy that is using a consumer grade 5505 to protect his office, let his maintenance subscription lapse and the firmware is 2 years out of date.
Being able to log in and click on something is no indicator of whether or not it can be scripted. There are many many tools and products that provide both a GUI and a rich API.
But hey, I'm not trying to sell you anything -- if you can't figure out on your own if a product supports any scripting or remote management, then that's probabl
Re: (Score:1)
They'd be much better served by using a pfSense device and setting a calendar reminder every 3 - 6 months to log in and click the "Upgrade" button.
Logging in and clicking? No thanks. I'm not dealing with dozens of remote devices that way. If it can't be automated it is just a hobbyist product.
So, you like automated unattended updates? I'm sure nothing could go wrong with that..
Re: (Score:2)
"viewing inside ssl encrypted transactions (which should be illegal but hey)"
So it has a convenient interface for MITMing SSL sessions... Ugh.
Shit like this is why I'm going to have to nuke my existing public keys & re-exchange them between boxes via sneakernet at some point. Insofar as it's possible, of course. I can't exactly mail a USB key to the GitHub building with new keys & instructions, can I?
Why?
Unless you think someone is MITMing all of your pathways to the internet, just validate your keys from more than one place. Even if your employer managed to manipulate your key when you connect through their internet connection, when you try to use the key (or look at the key fingerprint) from your home internet connection, you'll see that it doesn't match your private key.
Or, when you're uploading keys, don't trust an SSL connection from someone else's computer (even your employer's) since the only w
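The cross-path check suggested above, written out as an added example (not code from the thread): compute the OpenSSH-style SHA256 fingerprint of the public key line retrieved over each network path and compare it with the copy you hold locally. The key lines, their labels and the helper `fake_key_line` are constructed for the example; the blobs are not real keys.

```python
import base64
import hashlib


def fake_key_line(seed: bytes) -> str:
    """Build a constructed authorized_keys-style line (not a real key).

    The blob has the shape of an ssh-ed25519 public key (string type, then
    a 32-byte field) so that it decodes like a real one; only the
    fingerprint arithmetic and the comparison matter here.
    """
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + seed.ljust(32, b"\x00")[:32]
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"


def fingerprint(key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint, as printed by `ssh-keygen -lf`.

    The hash covers the base64-decoded key blob only; the key type and the
    trailing comment are not part of it. Output is base64 with the '='
    padding stripped, prefixed with 'SHA256:'.
    """
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_vantage_points(local_key_line: str, observed: dict) -> list:
    """Compare the key seen from each network path against the local copy.

    observed maps a label ("office", "home", ...) to the public key line
    retrieved over that path. Returns the labels whose fingerprint differs
    from the locally held key; any entry means that path is presenting a
    key you did not publish, so do not trust it until you know why.
    """
    reference = fingerprint(local_key_line)
    return sorted(label for label, line in observed.items()
                  if fingerprint(line) != reference)


LOCAL_KEY = fake_key_line(b"locally generated key")      # constructed
SWAPPED_KEY = fake_key_line(b"substituted on one path")  # constructed

if __name__ == "__main__":
    print(fingerprint(LOCAL_KEY))
    print(check_vantage_points(LOCAL_KEY, {"office": SWAPPED_KEY, "home": LOCAL_KEY}))
```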
Re: Great! Now if only they would make upgrades ea (Score:1)
Re: (Score:2)
>> I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version.
By design.
Re: (Score:1)
Not YET. However, with the introduction of the 5506/5508, it shouldn't be long.
http://www.cisco.com/c/en/us/s... [cisco.com]
Re:Great! Now if only they would make upgrades eas (Score:5, Informative)
To be fair, Cisco is handing out free upgrades with this vulnerability. Call TAC, give them your serial number, and a few hours later you should have a download link in your email.
Re: Great! Now if only they would make upgrades ea (Score:3)
I was about to write the same comment after reading the linked Cisco advisory. It's a serious issue, but they do offer free fixes for serious vulnerabilities like this. Please mod parent up.
Re: (Score:2)
Accurate. Make sure they give you ASDM as well as the ASA upgrade, or else you can't use the GUI to manage it after you're done with the upgrade.
Re: (Score:2)
BitTorrent.
Re: (Score:3)
BitTorrent.
Download remote code from a stranger to patch a remote code execution vulnerability...
Re: (Score:1)
Verify the sha/md5 with the mothership.
Re: (Score:2)
Do they really give out the hashes with no intention of letting you download the files?
Re: (Score:1)
Do they really give out the hashes with no intention of letting you download the files?
Yes. As long as you have a Cisco.com account (free), you can view the filenames/hashes/release notes for all their releases.
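The check the thread is describing, as an added example (not code from Cisco or from the thread): an image obtained from anywhere other than the vendor is compared against every digest the vendor publishes for that filename, and a listing that offers only MD5 is treated as insufficient. The filename, image bytes and digest listing are constructed so the example runs offline; in practice the digests are read from the vendor's own download page, never from wherever the file came from.

```python
import hashlib
import hmac

# Constructed sample data: a made-up image and a vendor-style listing of
# its published digests, keyed by filename. None of this is a real image.
IMAGE_NAME = "example-asa-image.bin"                           # hypothetical
IMAGE_BYTES = b"constructed sample firmware image contents\n"  # constructed
TAMPERED_BYTES = IMAGE_BYTES + b"\x00"                         # constructed
PUBLISHED = {
    IMAGE_NAME: {
        "md5": hashlib.md5(IMAGE_BYTES).hexdigest(),
        "sha512": hashlib.sha512(IMAGE_BYTES).hexdigest(),
    }
}
STRONG = ("sha256", "sha512")


def verify_image(name: str, data: bytes, published: dict) -> tuple:
    """Check obtained image bytes against every digest the vendor lists.

    Returns (ok, reason). Every listed digest must match, and at least one
    SHA-2 digest must be listed: a matching MD5 on its own is not evidence,
    because producing colliding MD5 inputs is practical. compare_digest
    keeps the comparison constant-time.
    """
    entry = published.get(name)
    if entry is None:
        return False, "no published digests for this filename"
    if not any(algo in entry for algo in STRONG):
        return False, "only MD5 listed; insist on a SHA-2 digest"
    for algo, expected in entry.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            return False, f"{algo} mismatch: image differs from the listing"
    return True, "all published digests match"


if __name__ == "__main__":
    print(verify_image(IMAGE_NAME, IMAGE_BYTES, PUBLISHED))
    print(verify_image(IMAGE_NAME, TAMPERED_BYTES, PUBLISHED))
```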
Re: (Score:2)
At least they give great end user support on pirated firmware updates...
Re: (Score:2)
You cannot buy it online.
You cannot buy it from Cisco; you have to go through a reseller.
I dumped our ASA in the trash for the same reason. We use a Linux VM for all routing/firewalling, and have never looked back.
Re: (Score:1)
The "AIP SSC" is EOL. NOT the 5505 itself. (yet)
I can probably get that for you (Score:2)
I probably actually have access, but Cisco'
I hope you didn't expect anything different (Score:3)
Man can make it, man can break it. It is a given fact of life to ANY serious engineer in any discipline.
To ignore such a thing is the ultimate range of foolishness and it is also the signal of a superiority complex that cannot be trusted.
lol, wormable he said (Score:1)
Too bad they won't patch older routers (Score:2)
Employers never upgrade them until they stop working or when the ports randomly go out
Cisco gets a pass every time (Score:2)
Update is 'free', even without maintenance (Score:4, Informative)
From Cisco's site it appears they will supply the update but you have to contact support. Haven't tried it yet but might be worth contacting them...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Swedish Installs of ASA Are Unaffected (Score:3, Funny)
The Swedish version of ASA doesn't use Internet Key Exchange (IKE). It uses
<puts on sunglasses>
IKEA!
Compromised firewalls.. (Score:2)
Just had to deal with a Cisco firewall / VPN that died. The hardware did not die - the firmware was compromised. Someone botched a remote update -- at least that is my best guess. And it was a good thing this happened. After replacing the Cisco device with a generic OpenWRT device, intruder attempts to the local server dropped to zero. Previously there were hundreds of attempts a day. Attempts to track down the malicious network device always came up empty - so I assumed a core network device was res