Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Similar Messages

• Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service

  Hello,
  Question regarding the work around for the recent Cisco Security Advisory (cisco-sa-20070124). The link to this advisory is here:http://www.cisco.com/en/US/customer/products/products_security_advisory09186a00807cb0e4.shtml#vuln
  The work around says to create an access-list for example:
  access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
  So trusted_hosts, is that the hosts on my network?
  Infrastructure_addresses, is this my routers
  I'm not sure what they are saying here. If anyone could shed some light, that would be great
  Thanks
  Mike

  Pretty close. Trusted hosts SHOULD be hosts that are A.,trusted and B., require access to those devices. So as an example "TRUSTES_HOSTS" could be management stations, admin desktops, or whatever is required to have access and you is "trusted". Ideally infrastructure address space should only be reachable from trusted users that need access and no one else. Infrastructure space would likely include addresses for routers, firewalls, switches , authentication servers, monitoring servers, basically anything that makes the network run and keeps it alive. Hope this helps.

• Cisco ASA 5505 Reset-I Problem with TCP State Bypass

  Hello,
  I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
  6
  May 16 2014
  14:52:52
  302014
  72.135.115.37
  6915
  192.168.20.2
  6801
  Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
  My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
  I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
  Any help would be greatly appreciated!

  Thanks Rizwan,
  Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
  homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
  Success rate is 0
  homeasa(config)# debug crypto isakmp 7
  homeasa(config)# debug crypto ipsec 7
  homeasa(config)# sho crypto isakmp 7
                                     ^
  ERROR: % Invalid input detected at '^' marker.
  homeasa(config)# sho crypto isakmp
  There are no isakmp sas
  Global IKE Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Notifys: 0
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0
  Global IPSec over TCP Statistics
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
  hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
  There are no ipsec sas
  homeasa(config)#

• Cisco Security Advisory: Access Point Memory Exhaustion from ARP Attacks

  I recieved this Cisco Advisory e-mail today. I have 1200 access points that I upgraded yesterday to 12.3(7)JA2, in which this problem was corrected. In the advisory it states to upgrade to this software release and to make a configuration change on each radio interface. I made this change on Dot11Radio0 interface and it took. I have 2 more interfaces ( Dot11Radio0.2 and Dot11Radio0.75) in which I get an error when I try to make this configuration change. I don't quite understand these interfaces, so I would like to know if I really need to make this change on the other 2 interfaces or is making the change on the 1st one enough. Any information is certainly appreciated. Thanks, Laurie Coles

  Since you have subinterfaces configured, you are apparently using
  VLANs on your APs. The ARP table is only relevant for the VLAN
  with the management IF, that is the native VLAN.
  For all other VLANs it's simply bridging, therefore no ARP table,
  and therefore this vulnerability doesn't apply here.
  So your only concern should be the native VLAN, and unless you
  need wireless access for managing your APs the best way for
  securing this would be to not configure a SSID for this VLAN.
  Then the only access to the AP would be over the Ethernet-IF.
  The security advisory is more important for APs configured
  without VLANs where wireless clients and the management IF
  of the AP are in the same (W)LAN.

• Cisco Security Advisory: OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

  Hello Experts,
  I need to rule out that we have affected openSSL version 1.0.1 running on our devices. I need to know what is the version of openSSL that is current on the following platforms:
  Cisco PIX
  Cisco FWSM
  Cisco ISR
  Cisco VPN Concentrator
  I know ASA runs 0.9.8f and I know that PIX and Concentrator are very old, and they might run an older version, however for a security assessment I need to rule those out too.
  Does anyone know what is the version for these platforms?
  Thanks in advance.

  The definitive source is and will continue to be the Cisco Security Advisory. It has already been updated several times today. Please keep checking back to it at the following URL:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
  That said, the Pix and VPN Concentrator development and code release ended prior to the release of openssl with the vulnerability so I would hazard an educated guess that you won't have any problems with respect to this particular vulnerability. THAT said, if you're concerned about security vulnerabilities why are you running products with associated code that has not had other documented bugs and vulnerabilities patched for at least several years?
  The ISR G2 will almost certainly depend on the IOS level and whether you are using any of the ssl-related features.

• ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

  Hello!
  We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
  All branch offices are connected to central asa though IPsec.
  The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
  According to the sheme:
  172.16.1.0/24 is on of the branch office LANs
  10.1.1.0/24 and 10.2.2.0/24 are central office LAN
  The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
  The aim is to
  restrict access from 172.16.1.0/24 to 10.1.1.0/24
  When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
  When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
  I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
  The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
  access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  class-map tcp_bypass_map
  description "TCP traffic that bypasses stateful firewall"
  match access-list tcp_bypass_acl
  policy-map tcp_bypass_policy
  class tcp_bypass_map
  set connection advanced-options tcp-state-bypass
  service-policy tcp_bypass_policy interface outside
  service-policy tcp_bypass_policy interface inside
  Does anyone know, how to make TCP State Bypass works properly?

  I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
  You can still control access on center site by using vpn-filters.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Ajay

• Out-of-Band Microsoft Security Advisory

  Microsoft Security Advisory (2659883)
  Vulnerability in ASP.NET Could Allow Denial of Service https://technet.microsoft.com/en-us/security/advisory/2659883
  Editing to add additional link: https://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to...
  ThinkPad: T530 / X1 Gen 2 / Helix - Yoga: Tablet 2 Pro (Win) / Yoga 3 Pro
  If you find a post helpful and it answers your question, please click the "Accept As Solution" button.
  Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.
  Microsoft MVP - Consumer Security
  SpywareHammer

  Hi -
  Here is a link to the forum post I made regarding the OS security update policy for Cisco Unity - http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=Unified%20Communications%20Applications&topicID=.ee835d2&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc231ee/2#selected_message
  Regards, Ginger

• WRT55AG - Denial Of Service / security hole, and other issues

  Im using a V2 of the WRT55AG using 1.79 firmware.
  I suffered many perplexing issues when connected directly to my cable modem.
  1 It would lock up and no data transversed it
  2 Its web interface would no longer exist
  3 Some types of data would be blocked
  4 It would stop doing DHCP
  5 Ping times to it from the LAN side would increase in 1 minute intervals for hours or until power cycled
  6 Data rates would slow randomly.
  These problems would occur separately and in combinations. They would occur randomly but some issues would occur daily.
  Left alone the router would 100% lock up in a matter of days. This occurred 100% of the time.
  Rebooting was a daily and sometimes hourly ritual.
  After reading in many forums of the known issues with this router I purchased a BEFSR41 as replacement.
  ALL of my problem were gone. This of course isolated the issues I was having to the WRT55AG.
  I then hooked up the WRT55AG _after_ the BEFSR41.
  The problems with the WRT55AG disappeared. Completely. It suddenly worked for weeks perfectly.
  I then tried setting the BEFSR41's DMZ to the IP of the WRT55AG exposing the WRT55AG to the net directly.
  The issues returned.
  So the WRT55AG is crashing and suffering from various problems because of some hostile internet packets. Effectively it suffers major security issues and a denial of service from something that is present from the internet. I did not isolate what ports+packets were causing the DOS condition.
  Im sure the WRT55AG has some code that is vulnerable to attack because it crashes when exposed to the net. This is a serious issue.
  This is a sad state of affairs. I paid good money for the router. Its too late to get my money back. I would settle for a 802.11A WAP.
  I want a *FIX* for the obvious security hole that could expose anyone on the LAN side of the wrt55AG router to attack if the router/firewall is compromised. I want my WRT55AG to work as intended or at least as well as the BEFSR41 I own.
  I also feel if the source code was still open, then these problems would not exist. At the very least, some other 3rd party version of firmware would be available that would work in the router and any issue would get prompt attention and a quick solution from a open source team. The decision by Linksys to move away from open source firmware will erode the quality of the brand by making products less reliable.
  WHEN will a new version of the firmware be available for the WRT55AG ?
  If not how do I go about returning a well documented defectively engineered product for a product that works ?

  I would like to see a update to fix the various issues with this router. When will this be available ?
  -OR-
  If this product is considered End Of Life, I would like to get confirmation that no future firmware update will occur.
  As this product was defective out of the box and has never been fixed, I would like a replacement product please. My serial number is # MDJ106802225
  Message Edited by Xymox on 08-13-2008 11:28 AM

• CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability

  Hi Everyone,
  ASA is configured with ikev2 and below is config
  5520# show running-config crypto ikev2 | include enable
  crypto ikev2 enable outside client-services port 443
  5520# show running-config crypto map | include interface
  crypto map outside_map interface outside
  I checked below weblink
  CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability
  Not Affected
  Not Affected
  Not Affected
  8.4(7.15)
  Not Affected
  8.6(1.14)
  Not Affected
  9.0(4.8)
  9.1(5.1)
  Not Affected
  Not Affected
  https://tools.cisco.com/bugsearch/bug/CSCum96401
  ASA which i am running has version Cisco Adaptive Security Appliance Software Version 8.4(7)
  sh flash shows
  asa847-k8.bin
  Need to confirm if my ASA is not effected by this bug?
  Regards
  MAhesh

  Hi Mahesh,
  Your ASA code  (asa847-k8.bin) is affected by this Bug, recommended release is 8.4(7.23) and later.
  this bug is first fixed in 8.4(7.15).
  Thanks,
  Prashant Joshi

• Microsoft security Advisory 2028859

  A serious security flaw has been found in Windows 7 systems running Aero.Untill microsoft releases a security patch users can disable the Aero theme to  prevent the issue from being exploited.
  To disable Windows Aero by changing the theme, perform the following steps for each user on a system:
  Click Start, select the Control Panel, and then click on Appearance and Personalization.
  Under the Personalization category, click on Change the Theme.
  Scroll to the bottom of the listed themes and select one of the available Basic and High Contrast Themes.
  For further information go through the below given link 
  http://www.microsoft.com/technet/security/advisory/2028859.mspx
  The above mentioned vulnerability only affects Windows 7 and Windows server 2008 R2 users.
  Cheers and regards,
  • » νιנαｿѕαяα∂нι ѕαмανє∂αм ™ « •
  ●๋•کáŕádhí'ک díáŕý ツ
  I am a volunteer here. I don't work for Lenovo

  Here is more information on Microsoft security advisory 2269637, mitigating it from Cisco devices:
  Vulnerability alert: http://tools.cisco.com/security/center/viewAlert.x?alertId=21268
  Mitigation buletin: http://tools.cisco.com/security/center/viewAlert.x?alertId=22317
  All security related advisories for cisco can be found from the Cisco SIO (Security Intelligence Operations):
  http://tools.cisco.com/security/center/home.x
  Hope that helps.

• How to remove "TCP Sequence Number Approximation Based Denial of Service" vulnrability ???

  Hi Friends,
  In our weekly security scan , following vulnrability has been detected "TCP Sequence Number Approximation Based Denial of Service" . could you please any one let us know , hot to remove or mitigate this vulnrability ???
  Thanks!

  Hello,
  Please provide more details, specifically the 'port(s)' involved, the target service if known, the scanner in question, the version of ESXi scanned.
  I.e. all ports, general, Nessus, ESXi 5.x
  Best regards,
  Edward L. Haletky
  VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
  Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
  Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

• Microsoft Security Advisory (2269637)

  Microsoft Security Advisory (2269637)
  Insecure Library Loading Could Allow Remote Code  Execution
  This  vulnerability came out in August and is there a signature that will cover this in the ips and if not is there an idea if one is being reviewed?

  Here is more information on Microsoft security advisory 2269637, mitigating it from Cisco devices:
  Vulnerability alert: http://tools.cisco.com/security/center/viewAlert.x?alertId=21268
  Mitigation buletin: http://tools.cisco.com/security/center/viewAlert.x?alertId=22317
  All security related advisories for cisco can be found from the Cisco SIO (Security Intelligence Operations):
  http://tools.cisco.com/security/center/home.x
  Hope that helps.

• Security Advisory 3046310 - Managing Updates

  Just took at look at Security Advisory 3046310 (
  https://technet.microsoft.com/en-us/library/security/3046310.aspx ). It says that Windows 8/2012 will update automatically. I've checked a few machines and don't see the update yet in the Certs mmc. As for Windows 7 and Server 2008, I'm guessing I should
  apply the update in kb2677070.
  We manage our systems with SCCM 2012 and are looking for some guidance on using those tools for this Bulletin if possible.
  Orange County District Attorney

  Hi,
  According to Microsoft Security Advisory 3046310:
  for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2 systems, you can check the Application log in the Event Viewer for an entry with the following values:
  Source: CAPI2
  Level: Information
  Event ID: 4112
  Description: Successful auto update of disallowed certificate list with effective date: Monday, December 5, 2013 (or later).
  Have you seen this event logged on these machines?
  If not, please ensure that these machines are connecting to Internet. In addition, ports TCP 80 and TCP 443 need to be open.
  Microsoft Security Advisory 3046310
  https://technet.microsoft.com/en-us/library/security/3046310.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Security advisory for ASA

  Greeting
  On cisco security advisory (http://www.cisco.com/en/US/products/products_security_advisory09186a0080a994f6.shtml) said the recommended version for 7.2 is 7.2(4)30.
  Could anyone advice me about the 7.2(4)30. I know the version like 7.2(4), not 7.2(4)30. what the 30 means?
  Any comments will be appreciated
  Thanks in advance

  Julie
  I was puzzled for a bit about where to get this software that provides fixes for these vulnerabilities. But then I figured it out. If you look in the advisory that is a section with title:
  Software Versions and Fixes
  and if you look in that section you will find this explanation:
  Fixed Cisco ASA software can be downloaded from:
  http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
  The fixed software/interim releases are available through that link.
  Note that the advise in the section Customers with Service Contracts about obtaining fixed software does not point you in the right direction and the fixed software is not available through the link that it provides.
  HTH
  Rick

• HT5312 I am trying to reset my security questions, I cannot locate the option for a rescue email address with My Apple Id. When I click on the button to reset the security questions, it states it is sending an email to the primay email address, but it doe

  I am trying to reset the Security Questions as I have forgotten them, when I have logged into My Apple Id, and click on the button to reset the Security Questions, it states it is sending an email to the Primary Email address. I do not have the option to input a Rescue Email address, the only option I have is to input an Alternate Email address, which I have done so.
  Also when I have tried to book an appointment throuth Online Support, I have not successful, I have rung a telephone number provided by the Mac Store in Perth, Australia and the reply provided is that we are closed. I was given to understand that Apple provided 24/7 Support to their users.

  Hot N Spicy wrote:
  I am trying to reset the Security Questions as I have forgotten them,
  Forgotten Security Questions / Answers...
  See Here > Apple ID: Contacting Apple for help with Apple ID account security
            Ask to speak with the Account Security Team...
  Or Email Here  >  Apple  Support  iTunes Store  Contact
  More Info >  Apple ID: All about Apple ID security questions
  Note:
  You can only set up and/or change a Rescue Email Before you forget the questions/answers