Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Networking Worms

Cisco ASA Firewall Has a Wormable Problem — And a Million Installs (csoonline.com) 78

itwbennett writes: Cisco has published an advisory for a vulnerability with a CVSS (Common Vulnerability Scoring System) score of 10 that was discovered by researchers from Exodus Intelligence. According to the advisory, 'a vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.' As CSO's Dave Lewis points out, 'the part of this that is most pressing is that Cisco claims that there are over a million of these deployed.'
And attackers have not been sitting on their thumbs.
This discussion has been archived. No new comments can be posted.

Cisco ASA Firewall Has a Wormable Problem — And a Million Installs

Comments Filter:
  • Who cares? (Score:3, Insightful)

    by 110010001000 ( 697113 ) on Thursday February 11, 2016 @11:46AM (#51487545) Homepage Journal
    It isn't like the job of a firewall is to keep unauthenticated remote attackers out. The purpose of a Cisco firewall is so Chambers can buy another island. It is your fault for not choosing an Open Source solution.
    • Re:Who cares? (Score:5, Interesting)

      by 110010001000 ( 697113 ) on Thursday February 11, 2016 @12:07PM (#51487735) Homepage Journal
      Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.
      • Like the old saying goes..."Nobody ever got fired for buying Cisco."

      • Nothing against pfSense, but how well does it scale for organizations with 10s or 100s of thousands of users?

      • Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.

        When you tell me that you can support 100 million concurrent sessions and 2Tbps of firewalling throughput across a pfsense firewall then I'll be able to go to my customers and say there is no longer a need to pay enormous amounts of money for a firewall.
        https://www.juniper.net/us/en/... [juniper.net]

        Granted Cisco doesn't have anything even remotely close to this Juniper box in performance but the overall point is that pfsense isn't a replacement for high end firewalls at this point in time.

    • If it's 'wormable' then can't they write a worm that goes out and fixes the problem?

  • by Anonymous Coward on Thursday February 11, 2016 @11:53AM (#51487603)

    In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
    I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

    You can not buy it online.
    You can not but it from Cisco, you have to go through a reseller.
    Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

    I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

    How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???

    • by hawguy ( 1600213 ) on Thursday February 11, 2016 @11:58AM (#51487653)

      In our branch office we have two ASA 5505 devices (the small blue boxes), with software versions dating back a couple of years because of 'no support contract with Cisco'.
      I have been trying, literally for days, to get a quote for a sw upgrade license, to no avail.

      You can not buy it online.
      You can not but it from Cisco, you have to go through a reseller.
      Resellers simply do not answer any requests for a quote for a single license, because it is not worth their time...

      I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version. The price point is not astronomical.

      How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???

      Replace your ASA's with pfSense boxes [pfsense.org] (buy them pre-made or make your own). Lifetime updates for free, no support contract needed, and no hidden backdoors, the code is open for inspection. You can buy support if you want it.

      • by phorm ( 591458 )

        As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interaces

        • by hawguy ( 1600213 )

          As much as I love my pfsense box, I'm not sure you're going to be able to build one that's a good replacement for a Cisco ASA with multiple 10GBps+ interaces

          And how many 10 gig interfaces can you put into an ASA 5505?

          • by phorm ( 591458 )

            Ah, I was mixing the 5505 with another device. Looks like that's more of a SOHO device, so rather low powered (and a good candidate for pfsense replacement).

        • by Anonymous Coward

          The pfsense C2758 Appliance supports2 x 10GigE interfaces:
          https://www.pfsense.org/hardware/
          Model C2758
          Max Active Connections 8,000,000
          Network Interfaces 4x Intel 1GbE
          Network Expansion 2x Chelsio 10GbE

          • by hawguy ( 1600213 )

            The pfsense C2758 Appliance supports2 x 10GigE interfaces:
            https://www.pfsense.org/hardwa... [pfsense.org]
            Model C2758
            Max Active Connections 8,000,000
            Network Interfaces 4x Intel 1GbE
            Network Expansion 2x Chelsio 10GbE

            Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960Mbit (150mbit VPN) [pfsense.org] while the standard ASA 5500 line tops out around 4 gbit/second (700mbit VPN). [cisco.com]

            The 5585-X model line with the dedicated security processor will do up to 80Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap, you'll pay around $150K for each one.

      • by citylivin ( 1250770 ) on Thursday February 11, 2016 @12:32PM (#51487939)

        *sigh* we are going the other route. After having a rock solid pfsense install for 8 years with zero downtime, our IT manager has decided to purchase a cisco ASA to replace it. Luckily we have a valid support contract and a patch is available as of yesterday for this vuln (i just looked).

        The reason for the purchase is that the cisco ASA can do neat things like deep packet inspection, viewing inside ssl encrypted transactions (which should be illegal but hey) and much more monitoring and analytics than we could get with squid. Im sure squid may do these things but it doesnt work out of the box and cisco provides downloads of rule updates and such which work better and do not require one to constantly tweak the device.

        I am not saying I agree with the decision, but there is some concern from management that we should be watching traffic more and the cisco asa 5508 with firepower has a literally beautiful user interface and when we saw it demo'ed was quite intuitive. I have not used the device yet because its still in testing, but i do look forward to it based on the demo.

        yes you do need to have a relationship with a good VAR to get stuff from cisco, but we buy desk phones and licenses for them all the time so we do have that relationship.

        I love pfsense, and like i said it has run our business for 8 years without any downtime. I use it at home as well. Just providing another opinion on why someone would choose cisco over free alternatives.

        • by hawguy ( 1600213 )

          Just providing another opinion on why someone would choose cisco over free alternatives.

          Yes, there are valid reasons to buy an ASA or other Cisco device, but I don't think that anyone with an ASA 5505 with lapsed maintenance that's 2 years out of date bought it for any of those reasons.

          Many people buy the low-end Cisco devices because "Hey, it's Cisco, it must be super secure", then they plut it in and put in the corner under a desk and forget about it for years, never looking at it or applying updates until it fails. They'd be much better served by using a pfSense device and setting a calenda

      • Seriously. When are people going to stop pushing hurt me buttons with companies treating them like this? It's funny and sad at the same time.
    • >> I am at the point where I'm ready to buy new boxes, just because they come with the latest sw version.

      By design.

    • by dills ( 102733 ) on Thursday February 11, 2016 @12:08PM (#51487747) Homepage

      To be fair, Cisco is handing out free upgrades with this vulnerability. Call TAC, give them your serial number, and a few hours later you should have a download link in your email.

    • BitTorrent.

      • BitTorrent.

        Download remote code from a stranger to patch a remote code execution vulnerability...

        • by Cramer ( 69040 )

          Verify the sha/md5 with the mothership.

          • Do they really give out the hashes with no intention of letting you download the files?

            • by giesen ( 820885 )

              Do they really give out the hashes with no intention of letting you download the files?

              Yes. As long as you have a Cisco.com account (free), you can view the filenames/hashes/release notes for all their releases.

    • You can not buy it online.
      You can not but it from Cisco, you have to go through a reseller.

      I dumped our ASA in the trash for the same reason. We use a Linux VM for all routing/firewalling, and have never looked back.

    • I work in R&D for a large company that's been a Cisco Gold level partner for 20-something years. Give me some way to contact you and I can probably ping my buddy over in Sales Engineering and get one in a couple of hours if it's a thing that can be gotten (I don't know the first thing about the hardware side of the house, but my friend went from engineering to sales - 'cause money. Can't blame him for doing less work for more pay. Even if I do... often.).

      I probably actually have access, but Cisco'
  • Man can make it, man can break it. It is a given fact of life to ANY serious engineer in any discipline.

    To ignore such a thing is the ultimate range of foolishness and it is also the signal of a superiority complex that cannot be trusted.

  • How is a RCE a worm? Does the author of this article know what wormable means?
  • Employers never upgrade them until they stop working or when the ports randomly go out

  • Why do not open source aficionados more often criticize how the firmware of Cisco Systems hardware is not open source? Why is there no worry about backdoors either? There's a lot of yacking about UEFI backdoors, Windows telemetry, NSA surveillance, Facebook datamining... but Cisco seems to get a pass.
  • by Anonymous Coward on Thursday February 11, 2016 @12:59PM (#51488227)

    From Cisco's site it appears they will supply the update but you have to contact support. Haven't tried it yet but might be worth contacting them...

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  • by Anonymous Coward on Thursday February 11, 2016 @01:38PM (#51488685)

    The Swedish version of ASA doesn't use Internet Key Exchange (IKE). It uses

    <puts on sunglasses>

    IKEA!

  • Just had to deal with a Cisco firewall / VPN that died. The hardware did not die - the firmware was compromised. Someone botched a remote update -- at least that is my best guess. And it was a good thing this happened. After replacing the Cisco device with a generic OpenWRT device, intruder attempts to the local server dropped to zero. Previously there were hundreds of attempts a day. Attempts to track down the malicious network device always came up empty - so I assumed a core network device was res

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...