Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security Bug

Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls (onthewire.io) 30

Trailrunner7 writes: Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco's IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR. Cisco does not have patches available for this vulnerability yet, and said there are no workarounds available to protect against attacks either. Many of the products affected by this flaw are older releases and are no longer supported, specifically the PIX firewalls, which haven't been supported since 2009.
This discussion has been archived. No new comments can be posted.

Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls

Comments Filter:
  • Bad wording (Score:4, Insightful)

    by campuscodi ( 4234297 ) on Monday September 19, 2016 @02:25PM (#52918281)
    Scrambles is the incorrect term. The exploit has been around for about a month. You "scramble to fix" something in a few hours or days.... not a month after.
    • Re:Bad wording (Score:5, Informative)

      by jellomizer ( 103300 ) on Monday September 19, 2016 @02:29PM (#52918335)

      If you are a company the size of Cisco with so many customers a month is a good scramble. As there are many levels of checks that are needed to be done, before you release it. Because while the flaw is really bad, causing all the customers to have their firewall brick from a bad patch is worse.

      Most of us work on small scale programs, where a downtime or a major problem, isn't nearly a big deal. However with Cisco a problem in deploayment can bring down the entire economy.

      • > As there are many levels of checks that are needed to be done, before you release it. Because while the flaw is really bad, causing all the customers to have their firewall brick from a bad patch is worse. However with Cisco a problem in deployment can bring down the entire economy.

        Yeah Cisco equipment basically run the internet backbones, as well as the internal networks of most major companies. At Cisco you don't release a new firmware quickly and hope it's okay; you make damn sure it's not going g

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          You never worked with Cisco firmware. It is often very difficult to obtain both the features you require and the hardware without running into a gotcha re compatibility or bugs. No active maintenance contracts and its often easier and cheaper to replace the entire device. Sad but true !

        • by DarkOx ( 621550 )

          Pulzee Cisco releases firmware with major bugs ALL THE TIME, ask anyone who has run a network of moderate size like at a F500 or something. As soon as you start doing anything moderately complex with a handful of routing protocols, nested VLANS, other tunnels and authentication methods its effectively all 'corner cases' so its not really surprising.

          Actually I am amazed they don't have more problems. Lets not kid ourselves though, bugs even pretty bad ones are common. I myself have been provided with a sp

        • Not using a PIX 5XX they don't.. These things are ANCIENT, far past EOL. You can pick one up for $30-$50. I'm surprised Cisco is even bothering with them. Now, the ASA (depending on the model) might still be under support. But no PIX is and hasn't been for seven years now. If your using a PIX 501 as your company firewall, you deserve to be hacked.
    • If IKE is part of a FIPS-certified crypto implementation, then the new code will have to be recertified.

      Assuming that is the case, Cisco is likely working with its validator to ensure their code will be approved.

      This is in addition to the functional testing that you'd expect for any change to enterprise infrastructure.

      Enterprise vendors don't just bang out a quick fix and pray that it works or gets regulatory approval.

    • Cisco needs to pick up their game [medium.com]. They need to be embarrassed harshly and completely, so they learn to not do this again.
  • by Anonymous Coward

    Had a Pix. Can't say there was much support before 2009 either.

  • This is bad, really bad. It's not just the firewalls that are at issue, but it's also all their routers, if they're running most modern versions of IOS and/or IOS-XE.

    The only thing to do right now is to slam ACLs onto your interfaces to block connections to UDP port 500 and 4500 from anywhere except where the other end of your VPN is coming from.

  • In a sick way, I'm pleased to see Cisco's insistence on weakening KDEv1 has bitten them. The guys working on StrongSWAN or LibreSwan have long made an issue of many of the weakness Cisco & others forced into IPSec (and IKEv1 in particular).

    Not that Cisco is alone in weakening IPsec and marketing it as a desirable feature... but it's sad that anybody has to suffer due to somebody telling an engineer to take off their engineer's hat and put on his manager's hat [google.com]

  • Seriously, we did warn them not to do this.

Keep up the good work! But please don't ask me to help.

Working...