Tag Archives: Cisco ASA

Cisco Networking Devices Affected By Disclosed Exploits

Earlier this month Cisco made available 2 security advisories (please see below for the relevant links) that relate to the public disclosure of security vulnerabilities within their and other vendors’ products by a hacking group known as Shadow Brokers.

This group released exploits that targeted routers and firewalls from vendors such as Cisco, Juniper and Fortinet.

Further coverage of how these exploits were disclosed is available within the following links:

Cisco Acknowledges ASA Zero Day Exposed By Shadowbrokers (Threatpost)

Shadowbrokers’ Leak Has ‘Strong Connection’ To Equation Group (Threatpost)

Hacking group claims to offer cyber-weapons in online auction (Reuters)

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online (The Hacker News)

Cisco confirms NSA-linked zeroday targeted its firewalls for years (Ars Technica)

Juniper Acknowledges Equation Group Targeted ScreenOS

Why Should These Issues Be Considered Important?

For the affected Cisco devices (a full list is provided here), the most severe issue could allow remote code execution (where an attacker can remotely target your device and have it carry out any action of their choice). The SNMP (defined) vulnerability is the result of a buffer overflow (defined) which can be exploited by an attacker sending specifically crafted SNMP packets (a packet is a unit of data sent over a network link, e.g. within a cable or over the air via WiFi) to an affected device.

Affected Fortinet devices suffer from a similar overflow within their cookie (defined) parser (a tool that analyzes data in a structured manner in order to create meaning from it). As before, successful exploitation results in an attacker obtaining remote access to affected devices.

At a later date Juniper acknowledged that their products were also targeted by the group due to the information found within the files that were disclosed. They have since determined that while the code does target their ScreenOS it cannot be used for a remote attack.

How Can I Protect Myself From These Issues?
=======================
Cisco
The relevant Cisco security advisories are available from the following links (further fixes are also expected):

Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability (patch available)

Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability (patch available)

Cisco provides further security recommendations within their dedicated blog post of these vulnerability disclosures that is being updated as new patches are being made available.

=======================
Fortinet
A security advisory for the affected Fortinet devices with suggested upgrades detailed within.
=======================
Juniper
As mentioned above, Juniper devices are affected but are not remotely exploitable. They are continuing to work on a possible means to tell if malicious code has been installed on devices created by them. More information is available within their dedicated forum post.
=======================

I hope that the above information is useful to you in defending your corporate networks against these disclosed vulnerabilities.

Thank you.

Cisco Releases Large Group of Security Advisories

On Wednesday of last week Cisco issued five security advisories addressing one critical vulnerability and four high severity vulnerabilities.

Why Should This Issue Be Considered Important?
The most severe of these issues (due to the ease of exploitation) could allow an unauthenticated remote attacker (namely a user with no prior access to your corporate network) to cause a denial of service (defined) condition in the Cisco Wireless LAN Controller (WLC) Software as a result of a buffer overflow (defined).

All but one of the other issues can also be exploited by sending specifically crafted packets (defined below) to the software/system, resulting in a denial of service condition. The remaining high severity issue involves an attacker accessing normally inaccessible URLs from within the management interface of the Cisco Wireless LAN Controller (WLC), again resulting in a potential denial of service condition.

Workarounds are available for 2 of the above security issues, detailed here and here.

The affected products are as follows:
=======================
Critical issue:
Cisco WLC Software of the following versions:

  • All 7.2 releases
  • All 7.3 releases
  • All 7.4 releases prior to 7.4.140.0(MD)
  • All 7.5 releases
  • All 7.6 releases
  • All 8.0 releases prior to 8.0.115.0(ED)

=======================
High severity issues:
=======================
Issue 1:
Cisco ASA Software running on the following products:

  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco Adaptive Security Virtual Appliance (ASAv)

Steps to check if your Cisco ASA Software in its current configuration is vulnerable are provided within this advisory.
=======================
Issue 2:
Cisco WLC Software of the following versions:

  • All 7.4 releases prior to 7.4.130.0(MD)
  • All 7.5 releases
  • All 7.6 releases
  • All 8.0 releases prior to 8.0.110.0(ED)

=======================
Issue 3:
For the full list please refer to the relevant security advisory.

=======================
Issue 4:
Cisco WLC devices running the following releases of Cisco AireOS Software are vulnerable:

  • Releases 4.1 through 7.4.120.0
  • All 7.5 releases
  • Release 7.6.100.0

=======================
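The affected-release lists above are easy to misread by eye (a 7.4 release may be exposed to the critical issue but already fixed for issue 2). As an added illustration, not code from the original post or from Cisco, the following checker maps those lists onto comparable version tuples and reports which of the three WLC/AireOS issues a given release falls under. It assumes release strings in the dotted form used in the lists (the MD/ED suffix is ignored); the function names and the sample release strings are mine.

```python
# Added example, not code from the original post or from Cisco: maps the
# affected-release lists quoted above onto a small version checker.
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_release(text: str) -> Version:
    """Turn a release string such as '7.4.140.0(MD)' into a comparable tuple.

    The maintenance/early-deployment suffix in parentheses is dropped; Python
    compares tuples element by element, which matches dotted release order.
    """
    core = text.split("(")[0].strip()
    return tuple(int(part) for part in core.split("."))


# Critical WLC issue: per release train, the first fixed release, or None
# when every release of that train is listed as affected (from the post).
CRITICAL_WLC: Dict[Version, Optional[str]] = {
    (7, 2): None,
    (7, 3): None,
    (7, 4): "7.4.140.0",
    (7, 5): None,
    (7, 6): None,
    (8, 0): "8.0.115.0",
}

# High severity issue 2, same shape.
ISSUE2_WLC: Dict[Version, Optional[str]] = {
    (7, 4): "7.4.130.0",
    (7, 5): None,
    (7, 6): None,
    (8, 0): "8.0.110.0",
}


def train_affected(release: str, table: Dict[Version, Optional[str]]) -> bool:
    """True when the release is in an affected train and below its first fix."""
    ver = parse_release(release)
    train = ver[:2]
    if train not in table:
        return False          # train not listed at all
    first_fixed = table[train]
    if first_fixed is None:
        return True           # whole train listed as affected
    return ver < parse_release(first_fixed)


def issue4_affected(release: str) -> bool:
    """High severity issue 4 (AireOS): 4.1 through 7.4.120.0, all 7.5, 7.6.100.0."""
    ver = parse_release(release)
    in_range = parse_release("4.1") <= ver <= parse_release("7.4.120.0")
    return in_range or ver[:2] == (7, 5) or ver == parse_release("7.6.100.0")


def assess(release: str) -> Dict[str, bool]:
    """Summarise which of the three WLC/AireOS issues a release is exposed to."""
    return {
        "critical_http_parsing": train_affected(release, CRITICAL_WLC),
        "issue2": train_affected(release, ISSUE2_WLC),
        "issue4_aireos": issue4_affected(release),
    }


if __name__ == "__main__":
    # Constructed sample release strings, as an operator might read them off a WLC
    for sample in ("7.4.130.0", "7.4.140.0(MD)", "8.0.100.0", "5.2.193.0"):
        print(sample, assess(sample))
```

The checker only tells you whether a release string sits inside the ranges the post quotes; for the ASA issue, whose exposure depends on configuration rather than version, the advisory's own steps remain the authority.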

How Can I Protect Myself From These Issues?
If your organization uses any of the above mentioned software products, please follow the directions within the 5 Cisco security advisories mentioned below to install the necessary security updates:

Critical Severity:
Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability

High Severity:
Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability

Cisco Wireless LAN Controller Denial of Service Vulnerability

Multiple Cisco Products libSRTP Denial of Service Vulnerability

Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability

Thank you.

=======================
Aside:
What is a packet (in the context of computer networking)?
This is the name given to the unit of data carried inside a MAC (Media Access Control)(defined) frame. With the outer enclosing MAC frame (its header and trailer) removed from the data units sent over a network connection, what you are left with is called a packet.
=======================
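To make the frame/packet boundary concrete, here is an added example (not code from the original post) that parses an Ethernet II MAC frame and returns the packet it encloses. It also handles the 802.1Q VLAN tag, which shifts the boundary by four bytes and is a common reason hand-written parsers misread the EtherType. The sample frames and the IPv4 header inside them are constructed for the example (checksum left at zero); the names are mine.

```python
# Added example, not from the original post: strips the MAC (Ethernet II)
# frame header to expose the packet it carries, handling an 802.1Q VLAN tag.
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]
    ethertype: int
    packet: bytes          # what remains once the MAC frame header is removed


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def strip_mac_frame(frame: bytes) -> Frame:
    """Parse an Ethernet II frame and return the enclosed packet.

    The 14-byte header is destination MAC, source MAC and EtherType; a VLAN
    tag, if present, inserts 4 more bytes before the real EtherType. The
    frame trailer (FCS) is assumed to have been stripped by the NIC already.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF   # low 12 bits of the tag control field
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, ethertype, frame[offset:])


# Constructed sample: a minimal 20-byte IPv4 header (no options, no payload,
# checksum zero) from 192.0.2.1 to 192.0.2.2, in an untagged and a tagged frame.
SAMPLE_IPV4_PACKET = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0, 20, 0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_IPV4_PACKET
TAGGED_FRAME = (
    DST + SRC + struct.pack("!HH", ETHERTYPE_VLAN, 0x0064)   # VLAN 100, priority 0
    + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_IPV4_PACKET
)

if __name__ == "__main__":
    for raw in (UNTAGGED_FRAME, TAGGED_FRAME):
        f = strip_mac_frame(raw)
        print(f.src_mac, "->", f.dst_mac, "vlan", f.vlan_id,
              "ethertype", hex(f.ethertype), "packet bytes", len(f.packet))
```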

Cisco Issues ASA FirePOWER Appliance Security Updates

In late March, Cisco published a security advisory for the software that powers/operates their Adaptive Security Appliance (ASA) with FirePOWER appliances to address a high severity security issue (assigned 1 CVE (defined)).

Why Should This Issue Be Considered Important?
If you make use of Cisco ASA with FirePOWER appliances, the software that powers them could be bypassed by an unauthenticated remote attacker (an individual with no prior access to your corporate network), allowing them to evade the malware detection defences of these appliances (namely the very function/service they are designed to provide can be bypassed).

If such a bypass were used in conjunction with the large numbers of ransomware malware currently being distributed, the result could be disastrous for your company/reputation (however this is likely a worst case scenario).

Moreover, there are no workarounds for this issue. Fortunately, at this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of this issue being publicly exploited. This issue was responsibly disclosed (defined) to Cisco by Dikla Barda, Liad Mizrachi, and Oded Vanunu from the Check Point Security Team.

The above mentioned security issue affects the following Cisco security products:

  • Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
  • Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances
  • Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances
  • FirePOWER 7000 Series Appliances
  • FirePOWER 8000 Series Appliances
  • FirePOWER Threat Defense for Integrated Services Routers (ISRs)
  • Next Generation Intrusion Prevention System (NGIPS) for Blue Coat X-Series
  • Sourcefire 3D System Appliances
  • Virtual Next-Generation Intrusion Prevention System (NGIPSv) for VMware

These products are affected when running versions of Cisco’s Firepower System Software earlier than the following fixed/updated versions:

  • 5.4.0.7 and later
  • 5.4.1.6 and later
  • 6.0.1 and later

How Can I Protect Myself from This Issue?
If your organization/business uses any of the above mentioned Cisco security products, please follow the directions within the Cisco security advisory mentioned below to install the necessary security updates:

Cisco Firepower Malware Block Bypass Vulnerability

Thank you.

Cisco Releases Adaptive Security Appliance (ASA) Security Updates

In late October Cisco released a series of 4 security advisories to resolve 4 high severity CVEs (defined) that could result in a denial of service (DoS)(defined) condition for the affected Cisco networking Adaptive Security Appliance (ASA) software.

Why Should These Issues Be Considered Important?
If you make use of Cisco ASA software, an unauthenticated remote attacker (namely an attacker that does not have any prior access to your Cisco software) could potentially prevent that software from performing its job by causing that software to reload (stop functioning and then restart).

Reloading could be called a denial of service (DoS) condition since while your software is reloading it is not doing what it was intended to do within your organization. The attacker would only need to send the software a specifically crafted DHCPv6 packet (see Aside below for a definition) or UDP (defined) packet (when exploiting the VPN ISAKMP issue, which involves IKE (Internet Key Exchange) v1; see Aside 3 below for a definition) to exploit these issues.

In the case of the first 2 advisories concerning how the ASA software processes DNS requests (see this post for a non-technical explanation and see Aside 2 below for a more formal definition of DNS) the attacker would only need to send the ASA software specifically crafted packets that will cause the software to generate a DNS request packet.

The above means of attack makes it reasonably easy for an attacker to take advantage of these issues to interrupt the normal operation of your ASA software. Finally, there are no workarounds available for these issues (apart from disabling the affected components, which is not really an option if you make use of them).

How Can I Protect Myself From These Issues?
At this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being exploited by attackers since these issues were discovered during internal security testing.

If your organization uses any of the above mentioned Cisco ASA software please follow the directions within the four Cisco security advisories mentioned below to install the necessary security updates:

Cisco ASA Software DNS Denial of Service Vulnerability Advisory 1
Cisco ASA Software DNS Denial of Service Vulnerability Advisory 2
Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability

Thank you.

=======================
Aside:
What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically assigns an IP address (defined) to a computing device to enable it to communicate with other devices on that network.

The IP addresses provided can be static (fixed) or dynamic (temporary; these addresses exist for a period known as the lease time, and when the lease expires the device can choose to renew the lease for another lease period e.g. 12 hours). The IP address assigned by DHCP comes from a pool (collection) of free addresses available for use on that network. The process of being automatically assigned an IP address is similar to being given a phone number so that you can call other phone numbers to speak to other people.

DHCP can also provide other information such as the IP address of the DNS server to a device enabling it to access websites on the internet when a person types a website address into their web browser address bar (DNS is explained in more detail below).

Finally, DHCP provides the newly established device on that network with the IP address of the default gateway of that network, enabling the device to communicate with other networks (e.g. the wider internet). The default gateway acts as a bridging point from one network to another (usually networks using different protocols e.g. ATM (defined) or Frame Relay (defined)). For example, in your home your wireless router acts as both your default gateway and your DNS server (unless you decide to use custom DNS settings). This router connects your devices (which are part of your Local Area Network (LAN)) to the internet (a Wide Area Network, WAN).

Please note that DHCPv6 is the IPv6 (defined) equivalent of DHCP (which is used with current generation IPv4 networks).
=======================

=======================
Aside 2:
What is DNS?

DNS (Domain Name System) works very much like looking a phone number up in a phone book. By doing so it translates website names e.g. www.google.com into an IP address (defined), allowing for example your web browser to connect to Google’s server to display Google’s homepage. However, this communication between computers could also be used for any other desired purpose.

DNS can also be used with email services to locate a mail server for you to send a message from your computer to that domain e.g. to bob@example.com. An MX (mail exchange) record maps that domain name (example.com) to a list of mail transfer agents (MTA) for that domain. MTAs transfer a message using SMTP (defined) from MTA to MTA until it reaches the MTA for the message’s destination.

DNS usually uses UDP (defined) port 53 to communicate with other DNS servers to find the IP address for the website name that you entered. DNS servers also communicate/synchronize with one another to stay up to date with the appropriate domain name to IP address translations using a process known as DNS zone (defined) transfers.
=======================
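The phone-book analogy hides the actual wire format that travels over UDP port 53. As an added example (not code from the original post), the following builds a DNS query as a resolver would send it, and parses a response for both an A record and an MX record, including the name-compression pointers that real responses use. Name compression is also where parsers go wrong, so the reader guards against pointer loops in malformed messages. The sample response messages, the 192.0.2.1 address and the mail.example.com exchange are constructed for the example; function names are mine.

```python
# Added example, not code from the original post: builds a DNS query in the
# wire format sent to UDP port 53 and parses a response, including the name
# compression pointers that real responses use. Sample messages are constructed.
import struct
from typing import List, Tuple

TYPE_A, TYPE_MX = 1, 15
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    # Header: id, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            hops += 1
            if hops > 32:                            # guard against pointer loops
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2                     # the pointer ends this name
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_response(txid: int, qname: str, qtype: int,
                   answers: List[Tuple[int, int, bytes]]) -> bytes:
    """Constructed response: owner names point back to the question at offset 12."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, ttl, rdata in answers:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_MX:
            pref = struct.unpack("!H", rdata[:2])[0]
            exchange, _ = read_name(msg, offset + 2)  # exchange may be compressed
            value = (pref, exchange)
        else:
            value = rdata
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return txid, flags, answers


if __name__ == "__main__":
    print(build_query("www.example.com", TYPE_A, 0x1234).hex())
    reply = build_response(0x1234, "www.example.com", TYPE_A,
                           [(TYPE_A, 300, bytes([192, 0, 2, 1]))])
    print(parse_response(reply))
```

Sending `build_query(...)` with `socket.sendto` to a resolver's port 53 and feeding the reply to `parse_response` turns this into a minimal lookup tool; matching the transaction id in the reply against the one you sent is the check a resolver relies on to ignore stray or spoofed answers.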

=======================
Aside 3:
What is Internet Key Exchange (IKE)?

Internet Key Exchange is part of a wider security feature known as IPSec.

IPSec (Internet Protocol Security) is a set of protocols that provide a means of setting up a secure channel of communication between 2 computing devices. Many VPNs (Virtual Private Networks)(defined) used by employees to access data and computers (usually servers) when outside of the office use IPSec to secure the connection between the employee’s device and their corporate office.

IPSec is a framework (recommended means of accomplishing something) and thus it does not stipulate specific hashing algorithms (e.g. SHA-1) or encryption algorithms (e.g. RSA or ECC) to use when creating a secure channel between 2 devices. Moreover, how the 2 devices exchange public keys is not specified.

A commonly used key exchange mechanism used when IPSec is securing a channel is Internet Key Exchange (IKE)(defined within RFC 2828). This standard is made up of ISAKMP (Internet Security Association and Key Management Protocol (ISAKMP)) and OAKLEY protocols. ISAKMP provides the necessary means of exchanging the encryption keys while OAKLEY actually carries out the exchange.

The establishment of the secure channel happens in two phases, described in detail within this Cisco article. The Diffie-Hellman algorithm is used within phase 1 to agree on the encryption key used to protect this secure channel.

IKE is used with IPSec to provide the following benefits:

  • Removes the need to manually set the IPSec security parameters while establishing the connection between two devices.
  • Protects against replay attacks (summarized details of such are provided in this thread (this is a long thread, I would advise searching for the keyword “session” within that page)).
  • Provides the ability to set a limited lifetime for the IPSec communication channel, which takes advantage of the capability for encryption keys to change during an individual IPSec session (essentially providing the capabilities and extra security of a temporary session key).

=======================
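The phase 1 agreement and the rekeying benefit listed above can be shown end to end in a few lines. The following is an added example, not code from the original post or from any IKE implementation: both peers pick a private exponent, exchange public values, and derive the same key; the derivation follows the shape of RFC 2409's SKEYID = prf(Ni_b | Nr_b, g^xy) for the signature-authentication case, with HMAC-SHA256 standing in for the PRF. The modulus is a toy Mersenne prime chosen only so that the arithmetic is visible (an assumption of the example, not an IKE group; real groups are far larger), the generator is likewise assumed, and the class and function names are mine. The range check on the peer's public value is the defensive check an implementation should make before using a received value.

```python
# Added example, not code from the original post or from any IKE
# implementation: a Diffie-Hellman agreement in the shape of IKEv1 phase 1
# (RFC 2409), where both sides derive SKEYID from their nonces and g^xy with
# a keyed PRF. The group below is a toy Mersenne prime, chosen only so the
# arithmetic is visible; real IKE groups (e.g. the MODP groups) are far larger.
import hashlib
import hmac
import secrets
from typing import Tuple

P = (1 << 127) - 1     # toy modulus: 2^127 - 1 is prime, but NOT an IKE group
G = 2                  # generator (assumed for the toy group)


class Party:
    """One IKE peer: a private exponent, its public value g^x mod p, a nonce."""

    def __init__(self) -> None:
        self.x = 2 + secrets.randbelow(P - 3)      # private exponent in [2, P-2]
        self.public = pow(G, self.x, P)            # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)       # Ni or Nr in RFC 2409 terms

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate public values (0, 1, p-1 or out of range), which
        # would force the shared secret to a trivial value.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.x, P)


def skeyid(nonce_i: bytes, nonce_r: bytes, gxy: int) -> bytes:
    """SKEYID = prf(Ni_b | Nr_b, g^xy): HMAC-SHA256 stands in for the PRF."""
    gxy_bytes = gxy.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy_bytes, hashlib.sha256).digest()


def phase1(initiator: Party, responder: Party) -> Tuple[bytes, bytes]:
    """Run the exchange from both sides and return each side's derived SKEYID."""
    key_i = skeyid(initiator.nonce, responder.nonce,
                   initiator.shared_secret(responder.public))
    key_r = skeyid(initiator.nonce, responder.nonce,
                   responder.shared_secret(initiator.public))
    return key_i, key_r


if __name__ == "__main__":
    alice, bob = Party(), Party()
    ki, kr = phase1(alice, bob)
    print("keys match:", ki == kr)
    # A fresh exponent on rekey gives an unrelated key: the 'limited lifetime'
    # benefit above rests on exactly this property.
    ki2, _ = phase1(Party(), bob)
    print("rekeyed key differs:", ki2 != ki)
```

Only the public values and nonces cross the network; an observer who records them cannot recover g^xy without solving the discrete logarithm in the group, which is why the size of the group, not the secrecy of the exchange, is what the security rests on.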