
posted by Fnord666 on Monday February 12 2018, @07:29PM   Printer-friendly
from the patch-day-is-every-day dept.

Submitted via IRC for Bytram

Hackers are actively trying to exploit a high-severity vulnerability in widely used Cisco networking software that can give complete control over protected networks and access to all traffic passing over them, the company has warned.

When Cisco officials disclosed the bug last week in a range of Adaptive Security Appliance products, they said they had no evidence anyone was actively exploiting it. Earlier this week, the officials updated their advisory to indicate that was no longer the case.

"The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory," the officials wrote. "Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory."

The update didn't say how widespread the attacks are, whether any of them are succeeding, or who is carrying them out. On Twitter on Thursday, Craig Williams, a Cisco researcher and director of outreach for Cisco's Talos security team, wrote of the vulnerability: "This is not a drill..Patch immediately. Exploitation, albeit lame DoS so far, has been observed in the field."

Source: https://arstechnica.com/information-technology/2018/02/that-mega-vulnerability-cisco-dropped-is-now-under-exploit/


  • (Score: 3, Insightful) by Runaway1956 on Monday February 12 2018, @09:10PM (6 children)

    by Runaway1956 (2926) Subscriber Badge on Monday February 12 2018, @09:10PM (#636829) Journal

    And, that's probably only business/corporate owned stuff. Few home users are going to even notice this exploit. Maybe, just maybe, they'll become aware of it after their network has been hacked. Far more likely that only a couple percent of Cisco products are going to be patched.

    --
    #eatyourliver #WalkAway #CTRLLeft
    • (Score: 4, Informative) by frojack on Monday February 12 2018, @09:31PM (1 child)

      by frojack (1554) Subscriber Badge on Monday February 12 2018, @09:31PM (#636839) Journal

      Ah, but it is VPN stuff, the savior and first recommended solution to every mention of spying or hacking.

      And it's probably something those VPN termination sites use.

      3000 Series Industrial Security Appliance (ISA)
      ASA 5500 Series Adaptive Security Appliances
      ASA 5500-X Series Next-Generation Firewalls
      ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
      ASA 1000V Cloud Firewall
      Adaptive Security Virtual Appliance (ASAv)
      Firepower 2100 Series Security Appliance
      Firepower 4110 Security Appliance
      Firepower 9300 ASA Security Module
      Firepower Threat Defense Software (FTD)

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 4, Funny) by FatPhil on Monday February 12 2018, @09:32PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday February 12 2018, @09:32PM (#636840) Homepage
        I love how the word "security" is in the name of almost all of their security failures.
        --
        Life is a precious commodity. A wise investor would get rid of it when it has the highest value.
    • (Score: 0) by Anonymous Coward on Tuesday February 13 2018, @12:00AM (2 children)

      by Anonymous Coward on Tuesday February 13 2018, @12:00AM (#636887)

      Do home consumers use Cisco stuff? I always thought they were pretty much marketed to business only.

      • (Score: 3, Interesting) by insanumingenium on Tuesday February 13 2018, @12:43AM

        by insanumingenium (4824) Subscriber Badge on Tuesday February 13 2018, @12:43AM (#636908)

        None of this stuff is anywhere near consumer class, all of the devices on this list that physically could have a serial port do. Cisco does make consumer products, but consumer products aren't likely to make too big of waves when they have exploits.

      • (Score: 2) by FatPhil on Tuesday February 13 2018, @05:50AM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday February 13 2018, @05:50AM (#637008) Homepage
        One of our home ISPs forces us to use a CISCO router.

        Apropos of nothing - it's shite.
        --
        Life is a precious commodity. A wise investor would get rid of it when it has the highest value.
    • (Score: 2) by insanumingenium on Tuesday February 13 2018, @12:48AM

      by insanumingenium (4824) Subscriber Badge on Tuesday February 13 2018, @12:48AM (#636911)

      Anyone who can run an ASA at home, knows better. You don't get one running on accident, even with "wizards".

  • (Score: 2) by NotSanguine on Monday February 12 2018, @11:44PM (3 children)

    by NotSanguine (285) Subscriber Badge on Monday February 12 2018, @11:44PM (#636879) Homepage Journal

    The security advisory [cisco.com] from Cisco states that:

    The vulnerability is due to an issue with allocating and freeing memory when processing a malicious XML payload. An attacker could exploit this vulnerability by sending a crafted XML packet to a vulnerable interface on an affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, cause a reload of the affected device or stop processing of incoming VPN authentication requests.

    To be vulnerable the ASA must have Secure Socket Layer (SSL) services or IKEv2 Remote Access VPN services enabled on an interface. The risk of the vulnerability being exploited also depends on the accessibility of the interface to the attacker. For a comprehensive list of vulnerable ASA features please refer to the table in the Vulnerable Products section.

    Along with details as to how to identify if a particular configuration is vulnerable.

    CVE-2018-0101 [mitre.org] has links to exploits and other information.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
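    The advisory quoted above makes exposure conditional on configuration: an ASA is only reachable through this bug if SSL (webvpn) services or IKEv2 remote-access VPN are enabled on an interface an attacker can reach. The following is an added example, not code from the thread, from Cisco, or from the advisory: a small Python checker that walks an ASA running-config and reports which interfaces carry either service, so an operator can rank which boxes to patch first. The two config patterns it matches, a top-level `webvpn` block with an indented `enable <interface>` sub-command and a top-level `crypto ikev2 enable <interface>` line, are the standard ASA syntax for those features; the sample configs, interface names and trustpoint name are constructed for the example, and the advisory's full table lists further affected features (ASDM access, the REST API and so on) that this checker does not cover.

```python
"""Added example: scan an ASA running-config for the two exposure
conditions quoted from the advisory (SSL services or IKEv2 remote-access
VPN enabled on an interface).  Not Cisco's code; both configs below are
constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: an edge ASA with both services enabled on "outside".
SAMPLE_EXPOSED = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN_CERT
!
webvpn
 enable outside
 anyconnect enable
!
"""

# Constructed sample: neither service is enabled on any interface (an
# AnyConnect image is staged but webvpn is not enabled anywhere, and only
# IKEv1 is turned on).  The advisory's remedy is still the software patch.
SAMPLE_CLOSED = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
crypto ikev1 enable outside
!
webvpn
 anyconnect image disk0:/anyconnect.pkg 1
!
"""


@dataclass
class Exposure:
    ssl_ifaces: List[str] = field(default_factory=list)
    ikev2_ifaces: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True when either precondition from the advisory is met."""
        return bool(self.ssl_ifaces or self.ikev2_ifaces)


IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+)")
WEBVPN_ENABLE_RE = re.compile(r"^enable (\S+)")


def analyze_asa_config(config: str) -> Exposure:
    """Single pass over the config; ASA sub-mode commands are indented
    by one space, so an unindented line always ends the current block."""
    exp = Exposure()
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command
            cmd = raw.strip()
            in_webvpn = cmd == "webvpn"
            m = IKEV2_RE.match(cmd)
            if m:
                exp.ikev2_ifaces.append(m.group(1))
            continue
        if in_webvpn:                        # inside the "webvpn" block
            m = WEBVPN_ENABLE_RE.match(raw.strip())
            if m:
                exp.ssl_ifaces.append(m.group(1))
    return exp


def report(config: str) -> List[str]:
    """Human-readable findings, one per exposed interface/service."""
    exp = analyze_asa_config(config)
    lines = [f"SSL/webvpn services enabled on interface {i}" for i in exp.ssl_ifaces]
    lines += [f"IKEv2 remote-access VPN enabled on interface {i}" for i in exp.ikev2_ifaces]
    if not lines:
        lines.append("no SSL or IKEv2 RA VPN service on any interface")
    return lines


if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("closed", SAMPLE_CLOSED)):
        print(f"[{name}]")
        for line in report(cfg):
            print("  " + line)
```

    Feed it the output of `show running-config` and a device that reports anything other than the "no SSL or IKEv2" line is one whose VPN-facing interface is in the exposure set the advisory describes; an empty finding does not mean the box is safe, since the advisory's table covers more features than these two and the fix is the patch, not a config change.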
    • (Score: 4, Informative) by Hyperturtle on Tuesday February 13 2018, @12:10AM (2 children)

      by Hyperturtle (2824) Subscriber Badge on Tuesday February 13 2018, @12:10AM (#636893)

      If people didn't buy into that entire clientless VPN thing that used SSL for everything, problems like this would be much less frequent and the security industry could be in much better shape. Convenience is everything and unfortunately clientless SSL has its share of tradeoffs and vulnerabilities.

      I've personally endorsed IPSec clients over anything SSL related... SSL is far more vulnerable to examination and man-in-the-middle stuff than anything else. Obviously SSL has its merits; I just don't think it's a good solution for everyone to use for VPNs... I think it is good for only the devices that can't do anything better, but it's ended up as a promoted solution because it's so easy to do--and https certs can be compromised way more easily than strong ipsec encryption...

      IPSec VPNs can be harder to set up and maintain, and Cisco knows it -- it is not so easy to set up something from scratch on their hardware if you have not done it before--even with the manual open in front of you. But their gui wizardry does a pretty good job--but it really makes it easy for people if they choose the SSL options for VPN connectivity.

      My general approach is that if I can do it in a browser and expect to have faith in certificates you might not control that might stop working due to administrative error or otherwise, it's probably going to crash or be more easily exploited, and this has proven to not be an exception. IPSec generally doesn't just stop working because a registrar changed or people forgot to renew the cert, nor is it as easy to open up for examination after redirection.

      You do not even need to use Cisco's IPSec VPN client; you can use some of the open source (or at least 3rd party) ones out there, and have almost as much flexibility for what you connect with provided you are willing to give up some of the convenience.

      It may not be so easy to get an IPSec VPN client on that executive's iPad, but there are methods to contain exposure and thus limit any damage without opening up your doors to the world like how HTTPS is running on an integrated service on your frickin edge device that protects everything. Some places do 'defense-in-depth' but generally it is easier to have something dedicated to the job that then passes through another set of barriers -- sort of like how a properly secured webserver won't let someone own your network if the admin credentials are hacked on it. They might get a server, not the whole dang network edge that probably has shared credentials in a small business. That thing should be tightly restricted. Own the Cisco ASA, and you can find out exactly what is permitted... firewalls probably shouldn't invite people to log into them, but I guess I am not an 'appliance' fan for a device that often is the only line of defense for a small company -- and one the small company doesn't understand or ever look at. Cisco is not to blame; they were filling a need -- many other vendors offer the same thing.

      However... Cisco is not being a good citizen when it comes to how they are making people get the updates. If you have used hardware, or the warranty has expired and everything just worked, you have to call them up on the phone or register an account and ask their TAC (the helpdesk people call into with config issues usually) to please oh please give you a link to the firmware.

      This is one of those times they should just put it up for downloading and damn the rest; like what Microsoft did for security. They are not doing anyone favors by pointing out how bad the problem is, and then erecting barriers to prevent people from updating the products.

      This patch is being arbitrarily restricted due to how they handle binary distribution. It isn't a licensing issue... it is a control issue. I think they should lighten up in situations like this, but at least they are giving it out when people ask.

      • (Score: 2) by insanumingenium on Tuesday February 13 2018, @12:40AM

        by insanumingenium (4824) Subscriber Badge on Tuesday February 13 2018, @12:40AM (#636907)

        More curiously, we got first party and really useable IPsec (usually L2TP over IPsec, but I'll take what I can get) clients on just about every platform about 15 minutes before the SSL-VPN craze really took off. Thankfully, as far as I know those clients are still being shipped, but they must have a clock over their heads. While IPsec is a clear winner, you can fix a big portion of those man in the middle fears if you are smart about certificates; the issue is no-one takes well to "no don't use that godaddy cert, self-signed is safer" unless you sit down and explain carefully why the use cases are different.

      • (Score: 3, Interesting) by NotSanguine on Tuesday February 13 2018, @12:44AM

        by NotSanguine (285) Subscriber Badge on Tuesday February 13 2018, @12:44AM (#636909) Homepage Journal

        I've personally endorsed IPSec clients over anything SSL related... SSL is far more vulnerable to examination and man-in-the-middle stuff than anything else. Obviously SSL has its merits; I just don't think it's a good solution for everyone to use for VPNs... I think it is good for only the devices that can't do anything better, but it's ended up as a promoted solution because it's so easy to do--and https certs can be compromised way more easily than strong ipsec encryption...

        IPSec VPNs can be harder to set up and maintain, and Cisco knows it -- it is not so easy to set up something from scratch on their hardware if you have not done it before--even with the manual open in front of you. But their gui wizardry does a pretty good job--but it really makes it easy for people if they choose the SSL options for VPN connectivity.

        I agree. IPsec over IPv4 (or even better, IPv6) is not only (when properly configured) more secure, it's also much less resource intensive.

        As someone who's implemented and managed Cisco security gear (including their ASA products) at a variety of organizations big and small, the biggest issue is that most home firewalls (and in corporate environments, hotels and other public venues) block the required protocols/ports by default. SSL-based VPN (tcp/443) is allowed through pretty much everywhere.

        There have been a few products that used SSL-based VPN connections that were actually not too bad in terms of usability and feature sets. However, Cisco's AnyConnect and clientless VPN offerings are really crappy. They're buggy, slow and difficult to manage.

        As the person implementing and managing this stuff, I always pressed for transport (on mobile devices) and tunnel (on devices at static locations) mode IPSec connectivity. That works pretty well and is much easier to manage.

        However, when a VP/partner/other exec is traveling and is at an airport, hotel or other insecure location and wants to gain access to the corporate network, UDP/500 and protocols 50 and 51 are invariably blocked. In that scenario, one needs to have something SSL based already available to users, or an updated resume.

        SSL VPNs can be quite useful in a variety of use cases. Cisco just does theirs poorly.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr