
Critical Vulnerability in Cisco ASA

CVE-2016-1287 is a critical vulnerability in the Cisco ASA operating system's implementation of Internet Key Exchange (IKE) versions 1 and 2. It allows an attacker to execute arbitrary code or remotely reboot the device with a specially crafted UDP packet, and it has been assigned the highest severity rating.

Technical overview and exploitation examples:
blog.exodusintel.com/2016/02/10/firewall-hacking

The following devices are vulnerable:

Fixed OS versions are already available:

Base version    Fixed release
7.2             9.1 (6.11)
8.2             8.2 (5.59)
8.3             9.1 (6.11)
8.4             8.4 (7.30)
8.5             not affected
8.6             9.1 (6.11)
8.7             8.7 (1.18)
9.0             9.0 (4.38)
9.1             9.1 (6.11)
9.2             9.2 (4.5)
9.3             9.3 (3.7)
9.4             9.4 (2.4)
9.5             9.5 (2.2)
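A small checker written for this post (not code from the original article or from Cisco) that turns the table above into something a defender can run against an inventory of ASA versions. The fixed-release mapping is the page's own data; the version-string grammar it accepts (9.1(6.11), 9.1.6.11, 8.2.5(59)) and the status names are assumptions made here. Note the two distinct "vulnerable" outcomes: a train that has its own fix (upgrade within the train) versus a train whose fix lives on 9.1 (a cross-train upgrade, with the RAM caveats discussed later in the post).

```python
import re
from typing import Optional, Tuple

# Base train -> fixed release, copied from the post's table.
# None means the train is listed as not affected.
FIXED_RELEASES = {
    "7.2": "9.1(6.11)",
    "8.2": "8.2(5.59)",
    "8.3": "9.1(6.11)",
    "8.4": "8.4(7.30)",
    "8.5": None,
    "8.6": "9.1(6.11)",
    "8.7": "8.7(1.18)",
    "9.0": "9.0(4.38)",
    "9.1": "9.1(6.11)",
    "9.2": "9.2(4.5)",
    "9.3": "9.3(3.7)",
    "9.4": "9.4(2.4)",
    "9.5": "9.5(2.2)",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise an ASA version string to (major, minor, interim, build).

    '9.1(6.11)', '9.1.6.11', '8.2.5(59)' and '9.1(7)' are all accepted;
    missing trailing fields are padded with 0 so tuples compare directly.
    (Grammar is an assumption of this example, not a Cisco specification.)
    """
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if len(parts) < 2:
        raise ValueError(f"not an ASA version string: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def assess(running: str) -> Tuple[str, Optional[str]]:
    """Classify a running ASA version against the fixed-release table.

    Returns (status, fixed_release) where status is one of
    'not_affected', 'fixed', 'vulnerable' or 'unknown' (train not in table).
    """
    ver = parse_version(running)
    train = f"{ver[0]}.{ver[1]}"
    if train not in FIXED_RELEASES:
        return "unknown", None
    fix = FIXED_RELEASES[train]
    if fix is None:
        return "not_affected", None
    fix_ver = parse_version(fix)
    if fix_ver[:2] != ver[:2]:
        # No fix on this train: Cisco points to a release on another train,
        # so any version on this train is vulnerable until upgraded.
        return "vulnerable", fix
    return ("fixed" if ver >= fix_ver else "vulnerable"), fix


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    inventory = ["9.1(6.10)", "9.1(6.11)", "9.1.7", "8.2.5(59)",
                 "7.2(5)", "8.5(1)", "9.6(1)"]
    for v in inventory:
        status, fix = assess(v)
        print(f"{v:<12} {status:<13} {fix or '-'}")
```

Run the block as a script to see one line per inventory entry; in a real inventory pass, feed it the output of `show version` and flag anything that is not `fixed` or `not_affected`.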

On boxes with 256 MB of RAM, version 8.2.5 (59) can be installed [ MEGA ].

For most versions, the fix is only available as Interim releases, which are not visible when updating via ASDM. Download them manually from the download portal.
And do not mix up the firmware files: for the single-core 5500 it is simply asaXXX-k8.bin, for the multi-core 5500-X it is asaXXX-X-smp-k8.bin, and for FirePOWER it has a different extension, asaXXX-X-lfbff-k8.SPA.

An SNMP-related bug has already been found in version 9.1.7 that can put some devices into a reboot loop, so 9.1 (6.11) is now the recommended release for closing the vulnerability. This and other issues are discussed in /networking.

Workaround

As a workaround, TAC suggests filtering packets on ports 500 and 4500.
Here is an example ACL that permits IKE from 1.1.1.1 and denies it from everyone else:
access-list test permit udp host 1.1.1.1 any eq 500
access-list test permit udp host 1.1.1.1 any eq 4500
access-list test deny udp any any eq 500
access-list test deny udp any any eq 4500
access-list test permit ip any any
access-group test in interface outside control-plane
PS

Sourg's keen eye spotted a paragraph for those whose support contract has expired or been lost. Write to TAC, citing the bulletin and the serial number of the device:
www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

PPS

Inspired by Cisco's generosity, the anonymous author wanted to put the latest versions up for free download, but noticed a strange request from a user and remembered the upgrade dependencies: ignore them and you can lose the device, the config, a good night's sleep and hope for the future. And starting from version 8.3, the RAM requirements have increased.

If you are confident in your abilities and not afraid of adventure: read up first, make a backup, and look for firmware on Rutracker, Ruboard, Anticisco and MegaSearch.

Source: https://habr.com/ru/post/277173/
