
posted by Fnord666 on Monday February 12 2018, @07:29PM
from the patch-day-is-every-day dept.

Submitted via IRC for Bytram

Hackers are actively trying to exploit a high-severity vulnerability in widely used Cisco networking software that can give complete control over protected networks and access to all traffic passing over them, the company has warned.

When Cisco officials disclosed the bug last week in a range of Adaptive Security Appliance products, they said they had no evidence anyone was actively exploiting it. Earlier this week, the officials updated their advisory to indicate that was no longer the case.

"The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory," the officials wrote. "Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory."

The update didn't say how widespread the attacks are, whether any of them are succeeding, or who is carrying them out. On Twitter on Thursday, Craig Williams, a Cisco researcher and director of outreach for Cisco's Talos security team, wrote of the vulnerability: "This is not a drill..Patch immediately. Exploitation, albeit lame DoS so far, has been observed in the field."

Source: https://arstechnica.com/information-technology/2018/02/that-mega-vulnerability-cisco-dropped-is-now-under-exploit/

  • (Score: 4, Informative) by Hyperturtle (2824) on Tuesday February 13 2018, @12:10AM (#636893) (2 children)

    If people didn't buy into that entire clientless VPN thing that used SSL for everything, problems like this would be much less frequent and the security industry could be in much better shape. Convenience is everything and unfortunately clientless SSL has its share of tradeoffs and vulnerabilities.

    I've personally endorsed IPSec clients over anything SSL related... SSL is far more vulnerable to examination and man-in-the-middle stuff than anything else. Obviously SSL has its merits; I just don't think it's a good solution for everyone to use for VPNs... I think it is good for only the devices that can't do anything better, but it's ended up as a promoted solution because it's so easy to do--and https certs can be compromised way more easily than strong ipsec encryption...

    IPSec VPNs can be harder to set up and maintain, and Cisco knows it -- it is not so easy to set up something from scratch on their hardware if you have not done it before--even with the manual open in front of you. But their gui wizardry does a pretty good job--but it really makes it easy for people if they choose the SSL options for VPN connectivity.

    My general approach is that if I can do it in a browser and expect to have faith in certificates you might not control that might stop working due to administrative error or otherwise, it's probably going to crash or be more easily exploited, and this has proven to not be an exception. IPSec generally doesn't just stop working because a registrar changed or people forgot to renew the cert, nor is it as easy to open up for examination after redirection.

    You do not even need to use Cisco's IPSec VPN client; you can use some of the open source (or at least 3rd party) ones out there, and have almost as much flexibility for what you connect with provided you are willing to give up some of the convenience.

    It may not be so easy to get an IPSec VPN client on that executive's iPad, but there are methods to contain exposure and thus limit any damage without opening up your doors to the world like how HTTPS is running on an integrated service on your frickin edge device that protects everything. Some places do 'defense-in-depth' but generally it is easier to have something dedicated to the job that then passes through another set of barriers -- sort of like how a properly secured webserver won't let someone own your network if the admin credentials are hacked on it. They might get a server, not the whole dang network edge that probably has shared credentials in a small business. That thing should be tightly restricted. Own the Cisco ASA, and you can find out exactly what is permitted... firewalls probably shouldn't invite people to log into them, but I guess I am not an 'appliance' fan for a device that often is the only line of defense for a small company -- and one the small company doesn't understand or ever look at. Cisco is not to blame; they were filling a need -- many other vendors offer the same thing.

    However... Cisco is not being a good citizen when it comes to how they are making people get the updates. If you have used hardware, or the warranty has expired and everything just worked, you have to call them up on the phone or register an account and ask their TAC (the helpdesk people call into with config issues usually) to please oh please give you a link to the firmware.

    This is one of those times they should just put it up for downloading and damn the rest; like what Microsoft did for security. They are not doing anyone favors by pointing out how bad the problem is and then erecting barriers to prevent people from updating the products.

    This patch is being arbitrarily restricted due to how they handle binary distribution. It isn't a licensing issue... it is a control issue. I think they should lighten up in situations like this, but at least they are giving it out when people ask.

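The point above about the edge device itself "inviting people to log into it" is something you can check mechanically. The following is an added example (not code from the page, from the commenter, or from Cisco) that audits an ASA-style running config and reports which services answer on an untrusted interface. It assumes the CLI forms commonly seen in ASA configs (`http server enable`, `http|ssh|telnet <net> <mask> <nameif>`, and `enable <nameif>` under `webvpn`); the sample config is constructed and does not describe any real device.

```python
"""Audit an ASA-style running config for services listening on an untrusted interface.

Added example, not code from the page or from Cisco. It assumes the ASA CLI forms
commonly seen in running configs ("http server enable", "http|ssh|telnet <net> <mask>
<nameif>", and "enable <nameif>" under "webvpn"); the sample config is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
! constructed sample running-config fragment, not from any real device
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
"""


@dataclass(frozen=True)
class Finding:
    service: str
    interface: str
    source: str    # network allowed to reach the service; "any" means the whole internet
    severity: str  # "high" when any source may connect on an untrusted interface, else "medium"


# Management-access lines: <service> <address> <netmask> <nameif>
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# "enable <nameif>" inside the webvpn sub-mode turns on the SSL VPN portal on that interface
WEBVPN_ENABLE_RE = re.compile(r"^\s+enable\s+(\S+)$")


def audit_exposure(config: str, untrusted=("outside",)) -> list[Finding]:
    """Return one Finding per service reachable from an untrusted interface."""
    findings: list[Finding] = []
    http_entries: list[Finding] = []  # only count if "http server enable" is present
    http_server_enabled = False
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if in_webvpn:
            if line.startswith(" "):           # still inside the webvpn sub-mode
                m = WEBVPN_ENABLE_RE.match(line)
                if m and m.group(1) in untrusted:
                    findings.append(Finding("webvpn (SSL VPN portal)", m.group(1), "any", "high"))
                continue
            in_webvpn = False                  # first unindented line ends the sub-mode
        if line == "webvpn":
            in_webvpn = True
            continue
        if line == "http server enable":
            http_server_enabled = True
            continue
        m = MGMT_RE.match(line)
        if not m:
            continue
        service, addr, mask, nameif = m.groups()
        if nameif not in untrusted:
            continue
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        source = "any" if net.prefixlen == 0 else str(net)
        finding = Finding(f"{service} management", nameif, source,
                          "high" if source == "any" else "medium")
        (http_entries if service == "http" else findings).append(finding)
    if http_server_enabled:
        findings.extend(http_entries)
    return findings


def high_severity_services(config: str) -> list[str]:
    """Names of services that anyone on the internet could reach; an empty list is the goal."""
    return [f.service for f in audit_exposure(config) if f.severity == "high"]


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.service} on {f.interface} from {f.source}")
```

Run against the constructed sample it flags the SSL VPN portal and ASDM/HTTP management as reachable from anywhere on `outside`, and SSH as reachable from one /24; the inside-only entries are ignored. Deleting `enable outside` under `webvpn` and `http server enable` makes the high-severity list empty, which is the shape a small-business edge device should be in if nobody needs those services from the internet.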
  • (Score: 2) by insanumingenium (4824) on Tuesday February 13 2018, @12:40AM (#636907)

    More curiously, we got first party and really usable IPsec (usually L2TP over IPsec, but I'll take what I can get) clients on just about every platform about 15 minutes before the SSL-VPN craze really took off. Thankfully, as far as I know those clients are still being shipped, but they must have a clock over their heads. While IPsec is a clear winner, you can fix a big portion of those man in the middle fears if you are smart about certificates; the issue is no one takes well to "no don't use that godaddy cert, self-signed is safer" unless you sit down and explain carefully why the use cases are different.

  • (Score: 3, Interesting) by NotSanguine (285) on Tuesday February 13 2018, @12:44AM (#636909)

    > I've personally endorsed IPSec clients over anything SSL related... SSL is far more vulnerable to examination and man-in-the-middle stuff than anything else. Obviously SSL has its merits; I just don't think it's a good solution for everyone to use for VPNs... I think it is good for only the devices that can't do anything better, but it's ended up as a promoted solution because it's so easy to do--and https certs can be compromised way more easily than strong ipsec encryption...
    >
    > IPSec VPNs can be harder to set up and maintain, and Cisco knows it -- it is not so easy to set up something from scratch on their hardware if you have not done it before--even with the manual open in front of you. But their gui wizardry does a pretty good job--but it really makes it easy for people if they choose the SSL options for VPN connectivity.

    I agree. IPsec over IPv4 (or even better, IPv6) is not only (when properly configured) more secure, it's also much less resource intensive.

    As someone who's implemented and managed Cisco security gear (including their ASA products) at a variety of organizations big and small, the biggest issue is that most home firewalls (and in corporate environments, hotels and other public venues) block the required protocols/ports by default. SSL-based VPN (tcp/443) is allowed through pretty much everywhere.

    There have been a few products that used SSL-based VPN connections that were actually not too bad in terms of usability and feature sets. However, Cisco's AnyConnect and clientless VPN offerings are really crappy. They're buggy, slow and difficult to manage.

    As the person implementing and managing this stuff, I always pressed for transport (on mobile devices) and tunnel (on devices at static locations) mode IPSec connectivity. That works pretty well and is much easier to manage.

    However, when a VP/partner/other exec is traveling and is at an airport, hotel or other insecure location and wants to gain access to the corporate network, UDP/500 and protocols 50 and 51 are invariably blocked. In that scenario, one needs to have something SSL based already available to users, or an updated resume.

    SSL VPNs can be quite useful in a variety of use cases. Cisco just does theirs poorly.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
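The "UDP/500 and protocols 50 and 51 are blocked, tcp/443 is open" situation in the comment above can be modelled as a policy evaluation, and doing so shows one nuance the comment does not: native ESP/AH passthrough is not strictly required, because NAT-T carries ESP inside UDP/4500. This is an added example, not code from the page or from any commenter or vendor. The rule model (ordered rules, first match wins, default deny) and both sample policies are constructed; the protocol and port numbers are the standard IPsec and TLS ones.

```python
"""Which remote-access VPN transports does a restrictive egress policy let through?

Added example, not code from the page or from any vendor. The rule model (ordered
rules, first match wins, default deny) and both sample policies are constructed;
the protocol/port numbers are the standard ones: IKE on UDP/500, NAT-T on UDP/4500,
ESP as IP protocol 50, AH as IP protocol 51, TLS on TCP/443.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "esp", "ah" or "any"
    port: Optional[int] = None  # None matches every port; esp/ah carry no port

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return self.proto in ("any", proto) and (self.port is None or self.port == port)


def permitted(rules: list[Rule], proto: str, port: Optional[int] = None) -> bool:
    """First matching rule decides; nothing matching means deny."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False


# What each transport needs on the wire (constructed mapping, standard numbers)
TRANSPORTS = {
    "ike": ("udp", 500),      # IKEv1/IKEv2 negotiation
    "nat-t": ("udp", 4500),   # ESP encapsulated in UDP (RFC 3948)
    "esp": ("esp", None),     # IP protocol 50
    "ah": ("ah", None),       # IP protocol 51
    "tls": ("tcp", 443),      # SSL VPN; looks like ordinary HTTPS at this layer
}


def vpn_options(rules: list[Rule]) -> dict:
    """Report whether an IPsec or an SSL VPN session could be set up through the policy."""
    allowed = {name: permitted(rules, proto, port) for name, (proto, port) in TRANSPORTS.items()}
    # IPsec needs IKE plus a data path: native ESP, or ESP inside UDP/4500 when NAT-T is
    # available. AH is not required for a typical remote-access tunnel.
    ipsec = allowed["ike"] and (allowed["esp"] or allowed["nat-t"])
    return {"ipsec": ipsec, "ssl_vpn": allowed["tls"], "transports": allowed}


# Constructed policies: a typical guest network versus one that lets IPsec out via NAT-T
HOTEL_POLICY = [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443), Rule("allow", "udp", 53)]
IPSEC_FRIENDLY_POLICY = [Rule("allow", "udp", 500), Rule("allow", "udp", 4500), Rule("allow", "tcp", 443)]

if __name__ == "__main__":
    for name, policy in (("hotel", HOTEL_POLICY), ("ipsec-friendly", IPSEC_FRIENDLY_POLICY)):
        print(name, vpn_options(policy))
```

The hotel policy yields `ipsec: False, ssl_vpn: True`, which is exactly the comment's "updated resume" scenario. The second policy never allows ESP or AH as raw IP protocols, yet IPsec still works because UDP/500 and UDP/4500 are open; when asking a venue to open something for IPsec, those two UDP ports are the minimal and NAT-safe request.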