Critical Vulnerability in Cisco ASA
A critical vulnerability, CVE-2016-1287, has been found in the Cisco ASA operating system's implementation of the Internet Key Exchange (IKE) protocol, versions 1 and 2. It allows arbitrary code execution or a remote reboot of the device via a specially crafted UDP packet, and it has been assigned the highest severity rating.
Technical overview and exploitation examples: blog.exodusintel.com/2016/02/10/firewall-hacking
The following devices are affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco ISA 3000 Industrial Security Appliance
Fixed OS versions are already available:
| Base version | Fixed release |
|---|---|
| 7.2 | 9.1(6.11) |
| 8.2 | 8.2(5.59) |
| 8.3 | 9.1(6.11) |
| 8.4 | 8.4(7.30) |
| 8.5 | not affected |
| 8.6 | 9.1(6.11) |
| 8.7 | 8.7(1.18) |
| 9.0 | 9.0(4.38) |
| 9.1 | 9.1(6.11) |
| 9.2 | 9.2(4.5) |
| 9.3 | 9.3(3.7) |
| 9.4 | 9.4(2.4) |
| 9.5 | 9.5(2.2) |
On hardware with 256 MB of RAM you can install version 8.2(5.59) [MEGA].
For most trains the fix is only available as an interim release, which is not visible when upgrading through ASDM; download it manually from the download portal.
And do not mix up the firmware files: for the single-core 5500 it is simply asaXXX-k8.bin, for the multi-core 5500-X it looks like asaXXX-X-smp-k8.bin, and for Firepower it has a different extension, asaXXX-X-lfbff-k8.SPA.
In version 9.1(7) a bug related to SNMP has already been found that can send some devices into a reboot loop, so 9.1(6.11) is now the recommended release for closing the vulnerability. This and other problems are discussed in /networking.
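A small checker built from the table above, added here as an example and not part of the original post: it parses an ASA version string, compares it against the first fixed release of its train, and flags trains that have no in-train fix. It assumes Cisco's version notation (9.1(6.11) in the advisory, 9.1(6)11 in show version output) and uses a constructed show version sample.

```python
import re
# Fixed releases from the table above (base train -> first fixed release).
# Trains without an in-train fix (7.2, 8.3, 8.6) must migrate to 9.1(6.11);
# 8.5 is not affected. Checks CVE-2016-1287 only, not the 9.1(7) SNMP bug.
FIXED = {
    "7.2": "9.1(6.11)", "8.2": "8.2(5.59)", "8.3": "9.1(6.11)", "8.4": "8.4(7.30)",
    "8.5": None, "8.6": "9.1(6.11)", "8.7": "8.7(1.18)", "9.0": "9.0(4.38)",
    "9.1": "9.1(6.11)", "9.2": "9.2(4.5)", "9.3": "9.3(3.7)", "9.4": "9.4(2.4)",
    "9.5": "9.5(2.2)",
}

# Advisory form 9.1(6.11) and 'show version' form 9.1(6)11 are both accepted.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")

def parse_version(text):
    """'9.1(6.11)' or '9.1(6)11' -> (9, 1, 6, 11); '9.1(7)' -> (9, 1, 7, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim_a, interim_b = m.groups()
    return (int(major), int(minor), int(maint), int(interim_a or interim_b or 0))

def assess(running):
    """Return (status, advice) for a running ASA version string."""
    v = parse_version(running)
    train = f"{v[0]}.{v[1]}"
    if train not in FIXED:
        return ("unknown", f"train {train} is not in the table; check the Cisco advisory")
    fixed = FIXED[train]
    if fixed is None:
        return ("not affected", "")
    f = parse_version(fixed)
    if f[:2] != v[:2]:  # the fix lives in another train: an upgrade path, not a patch
        return ("vulnerable", f"no fix in the {train} train; migrate to {fixed}")
    if v >= f:
        return ("fixed", "")
    return ("vulnerable", f"upgrade to {fixed}")

def assess_show_version(output):
    """Extract the version from 'show version' output and assess it."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line in output")
    return (m.group(1),) + assess(m.group(1))

# Constructed sample of the first lines of 'show version' on an unpatched ASA.
SAMPLE = "Cisco Adaptive Security Appliance Software Version 9.1(6)\nDevice Manager Version 7.1(6)\n"
if __name__ == "__main__":
    print(assess_show_version(SAMPLE))  # ('9.1(6)', 'vulnerable', 'upgrade to 9.1(6.11)')
```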
Workaround
As a workaround, TAC suggests filtering packets to UDP ports 500 and 4500 (the IKE ports) on the control plane:
Here is an example of a control-plane ACL that allows access from 1.1.1.1 and denies everything else:

```
access-list test permit udp host 1.1.1.1 any eq 500
access-list test permit udp host 1.1.1.1 any eq 4500
access-list test deny udp any any eq 500
access-list test deny udp any any eq 4500
access-list test permit ip any any
access-group test in interface outside control-plane
```
PS
Sourg's keen eye spotted a paragraph for those whose support contract has expired or is missing: write to the TAC with a link to the advisory and the serial number of the device:
www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
PPS
Inspired by Cisco's generosity, an anonymous user wanted to make the latest versions freely available, but noticed something strange in the user's request and remembered the upgrade dependencies, ignoring which could cost you the device, its config, restful sleep and hope for the future. And starting with version 8.3, the RAM requirements increased.
If you are confident in your abilities and not afraid of adventure: read the release notes, make a backup, and look for firmware on Rutracker, Rubord, Antitsisko and MegaSearch.