
Cisco buffer overflow vulnerability with remote code execution - silenteh
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
======
silenteh
Here a nice explanation of the vulnerability:
[https://blog.exodusintel.com/2016/02/10/firewall-hacking/](https://blog.exodusintel.com/2016/02/10/firewall-hacking/)

There is also a Snort signature to detect attempts to exploit this
vulnerability.

------
madsushi
Cisco was also rushed to release the fix, as all of the new builds are tagged
'interim' and warn users that they have bugs and stability problems that will
be fixed later. Most notably, several issues with ASA Clustering were found in
the new builds. So you're damned if you do, damned if you don't.

------
tyingq
Edit: this is wrong -> _It's specific to Cisco ASA firewalls with a version
level < 9.1(7), which was released in January of 2015._

Edit: Gelob, below, is right. There's a really unfortunate "read more" link
that hides the important bits on Cisco's documentation and caused my
confusion.

~~~
EwanG
Given the tendency for large enterprises to not upgrade unless there is time
to do a full regression test, and then to prioritize creating new features
over system maintenance, I wouldn't assume that means that there aren't quite
a few of those still out there.

~~~
feld
People who have firewall needs and no skills hire people who know what Cisco
products are, get someone to implement an ASA for them, and then it sits for
years without any software updates. Maybe a rule update every now and then,
but definitely no software updates.

~~~
code777777
Perhaps most do but I see a different trend these days. "The network" is a lot
more important now since so many things are cloud-based.

Our networking group automated a deployment for the fix and contacted everyone
that has ever bought an ASA from our company and updated them. We have ~400
ASAs across the country and still have < 50 to go. There are still a few
stragglers, and the older ASAs need a bit more TLC.

Many of those clients have a maintenance agreement with us that includes these
sorts of things and changes. All of them were updated and tested within 24
hours.

We did the same thing for the Juniper exploits (albeit we only had a handful).

EDIT: typos

~~~
kjs3
I can think of at least 8 of my clients (between 500 and 15000 employees, with
probably 100 ASAs total) still on ASA version _8_, much less 9. For some, the
more critical the infrastructure, the less they want to update.

------
achillean
Here's an overview of devices that are running IKE on the Internet at the
moment:
[https://www.shodan.io/report/h2Naw1fd](https://www.shodan.io/report/h2Naw1fd)

------
xyzzy4
As someone who used to work at Cisco, I'm not surprised. Everything is coded
in C, and there are memory leaks all over the place because releases are made
before most of these bugs are fixed.

------
virtualwhys
> Note: Only traffic directed to the affected system can be used to exploit
> this vulnerability.

I'm confused, how else would the system be compromised, by directing traffic
at the moon?

Running an EOL ASA in colo on v8.2. Have been holding out due to the post-v8.2
changes to NAT. Looks like you need a SmartNET contract to get the fix;
unfortunately, many legacy devices will be left vulnerable as a result.

Well, there goes the weekend...

~~~
chris_overseas
You don't need a SmartNET contract, but...

We own affected hardware and don't have a support contract. It took me about
four hours working my way through Cisco customer and tech support to get
updated. Now that the interim patch is applied (complete with bugs mentioned
elsewhere in this thread?), it doesn't sound like we'll easily be able to get
a bug-free update at a later date. So while we're hopefully safe, we might not
be stable.

Early on in the process (after 2-3 email iterations) their customer support
called me to say we weren't eligible for a fix because we didn't have a
support contract. I'd mentioned in my initial request that we had no contract
but also pointed out that the advisory said we didn't need one. I had also
provided a link to the advisory in my initial request, so that should not have
been an issue. I was then told my request was "very confusing".

Once I finally convinced them we were allowed the update and verified the
serial number of our hardware, I was thankfully forwarded on to tech support.
They then checked our firmware version and I was supplied with a patch
download URL quite quickly. The actual download was hampered in several ways
by their poor website (registration required, browser autocomplete and cut and
paste caused their JS validation to fail, and I couldn't get it to work with
any browser other than IE). Once I finally had the patch, it applied without
issue.

In short - the patch process was long, frustrating, complex, and as a small
business owner makes me never want to ever, ever deal with Cisco products
again.

~~~
virtualwhys
Just called Cisco TAC and am heading down the same road shortly ;-)

I'm going to renew SmartNET not for this particular vulnerability but for
simply getting over the NAT hump from 8.2 to 8.3 (and whatever other
gotchas have come up between 8.2 and the latest 9.x). Cisco TAC has been pretty
awesome in the past; I definitely don't trust myself to navigate the upgrade
path in production.

------
SpyKiIIer
Rackspace pushed this update to all their clients last night, as they have
seen this attack against some of their infrastructure...

