Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - Cisco ASA5500 Security Updates - cisco-sa-20100217-asa InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cisco ASA5500 Security Updates - cisco-sa-20100217-asa

Published: 2010-02-17
Last Updated: 2010-02-17 18:56:39 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

Tim reports that Cisco has released a security advisory for Cisco ASA5500 products, outlining some security vulnerabilities and resolutions

The issues are:

 

  • TCP Connection Exhaustion Denial of Service Vulnerability
  • Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
  • Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
  • WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
  • Crafted TCP Segment Denial of Service Vulnerability
  • Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
  • NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

All issues are resolved by upgrading to an appropriate OS version, outlined in a table in the advisory.  If that is not possible, workarounds for many of these issues are also provided.

Most of these are DOS (Denial of Service) conditions, however the authentication bypass issue is much more serious.  If your ASA configuration requires NTLMv1 authentication, then read this advisory closely and upgrade to the appropriate OS version as soon as possible !  A workaround that's not referenced in the Cisco doc is changing to RADIUS authentication in place of NTLMv1.  If an OS update is not easy to schedule in the near future, this might be a better approach short term (or even long term) than using NTLMv1.

Find the advisory here ==> http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910c.shtml

 

=============== Rob VandenBrink Metafore ===============

0 comment(s)
Diary Archives