Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks
Patch your firewalls!
2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers upgrade to a fixed Cisco ASA software release to remediate this issue.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
Follow me on twitter @MarkBaggett
Join me for Python SEC573 in Las Vegas this September 14th!
Comments
1. Cisco comment - "Owner/provider sent traffic with no malicious intent" - Then what actually happened?
2. What is the attack vector? So that we can check for corresponding events (logs) from firewalls.
3. Is that a worldwide attack? According to my information, devices located in Asia, America and Europe also got infected.
Regards,
Ran.
Anonymous
Jul 9th 2015
9 years ago
All good questions. I suspect that Cisco saying "Owner/provider sent traffic with no malicious intent" means... "Someone accidentally crashed the ASA stumbling on to this DoS. It wasn't malicious... and don't even THINK it is related to the Stock Exchange or United going down. Don't even think it... did you think it? Don't do it!" Ok Ok.. I am putting a lot of words and sentiment in their comment that they certainly didn't make, BUT I imagine they want people to know they didn't learn about this DoS as a result of yesterday's outages.
I don't have much more information at the moment that will help me answer your other questions, but we are keeping an eye on the situation.
Thanks for contacting the ISC!
Mark Baggett
Mark
Anonymous
Jul 9th 2015
9 years ago
I personally would not like to accept their determination of non-malicious, if they are not releasing the major facts, however.
Most likely research, if traffic is coming from a single IP through multiple organizations' ASAs. But depending on the technical details of the DoS bug, impactful traffic might just occasionally show up in normal traffic, so DoS might be triggered by coincidence.
Research could take the form of running scanning tools that send some probe packets to random IP addresses, but could accidentally trigger bugs. Probes do not necessarily look like normal traffic, and might trigger different bugs. The research traffic might also be unwanted by various networks, so it's kind of like E-mail spam.
That kind of research might be foreseeably "risky" for the receiving network, and that is always a risk with any unauthorized scan/probe, but might be unavoidable without canceling their intended research that is not specifically designed to cause any DoS.
Anonymous
Jul 9th 2015
9 years ago
[CVE-2014-3383] - A remote user can send specially crafted UDP packets to the target device via IPv4 or IPv6 to trigger a flaw in the IKE implementation and cause the target device to reload.
From the above sentence what I understand is, they need to send specially crafted UDP packets to the target device by exploiting a flaw in IKE (VPN) -> I don't think this will happen by accident; if it's a normal or crafted UDP packet, yes it's possible. But a UDP packet tweaked to exploit IKE needs further specification. And that it targeted ASA devices worldwide seems a bit unreliable.
Regards,
Ran
Anonymous
Jul 9th 2015
9 years ago
According to Cisco sources, it seems message ID 713903, "Can't find a valid tunnel group, aborting" and "Header invalid, missing SA payload!", would be the related events.
But it is still confusing whether these two packets, or particular sessions with 20-30 events in a time interval of 1 or 2 hours, will do the attack. Or whether it's crafted in such a way that a single session is enough to do the job. Because I didn't see a flood of packets in devices for this exploit.
Thanks,
Ran.
Anonymous
Jul 11th 2015
9 years ago
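As an added example, not part of the diary or of any comment above, here is a short Python script that applies the log-based check Ran asks about in the preceding comment: it picks out ASA syslog lines carrying message ID 713903 with either of the two message texts named there, groups them by the peer IP the message reports, and flags sources that accumulate 20 or more such events inside a two-hour window, mirroring the "20-30 events in 1 or 2 hours" pattern the comment describes. The syslog line layout, the host name, the sample lines and the threshold are constructed assumptions; the pairing of both texts with ID 713903 is taken from the comment as written, not from Cisco documentation. Because the comment also raises the possibility that a single session is enough, every matching event is listed as well, not only the noisy sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message ID and texts as given in the comment above; the mapping of both texts
# to this one ID is what the comment states and is not verified against Cisco docs.
WATCHED = {
    "713903": (
        "Can't find a valid tunnel group, aborting",
        "Header invalid, missing SA payload!",
    ),
}

# Assumed line layout: "<Mon> <day> <year> <HH:MM:SS> <host> %ASA-<sev>-<id>: <body>".
# Real deployments differ (timestamp format, relay prefixes); adapt the regex to yours.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d+): (?P<body>.*)$"
)
PEER_RE = re.compile(r"IP = (?P<ip>[0-9a-fA-F.:]+)")


def parse_event(line):
    """Return a dict for a watched 713903 event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("msgid") not in WATCHED:
        return None
    body = m.group("body")
    if not any(text in body for text in WATCHED[m.group("msgid")]):
        return None
    peer = PEER_RE.search(body)
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "msgid": m.group("msgid"),
            "ip": peer.group("ip") if peer else None, "body": body}


def matching_events(lines):
    """Every watched event in file order; a single event may matter, so list them all."""
    return [ev for ev in map(parse_event, lines) if ev is not None]


def noisy_sources(lines, threshold=20, window=timedelta(hours=2)):
    """Map peer IP -> largest number of watched events it produced inside one window."""
    stamps = defaultdict(list)
    for ev in matching_events(lines):
        if ev["ip"]:
            stamps[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def constructed_sample():
    """Constructed log lines (not real captures): one chatty peer, one quiet peer, one unrelated message."""
    base = datetime(2015, 7, 9, 10, 0, 0)
    lines = [
        f"{base + timedelta(minutes=3 * i):%b %d %Y %H:%M:%S} fw01 %ASA-3-713903: "
        "IP = 198.51.100.7, Header invalid, missing SA payload! (next payload = 4)"
        for i in range(25)
    ]
    lines.append("Jul 09 2015 11:05:00 fw01 %ASA-3-713903: IP = 203.0.113.9, "
                 "Can't find a valid tunnel group, aborting")
    lines.append("Jul 09 2015 13:40:00 fw01 %ASA-3-713903: IP = 203.0.113.9, "
                 "Header invalid, missing SA payload! (next payload = 4)")
    lines.append("Jul 09 2015 10:01:00 fw01 %ASA-6-302013: Built inbound TCP connection 12345 "
                 "for outside:203.0.113.9/4567 (203.0.113.9/4567) to inside:10.0.0.5/443 (10.0.0.5/443)")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for ev in matching_events(sample):
        print(f"{ev['ts']:%Y-%m-%d %H:%M:%S}  {ev['ip']:<14}  {ev['body']}")
    print("sources at or above threshold:", noisy_sources(sample))
```

The sliding window is the part worth keeping: with 25 events spread over 72 minutes the chatty peer is flagged, while the quiet peer's two events sit more than two hours apart and never count together. Lower the threshold to one to turn the script into a plain listing of every peer that ever produced one of these messages, which is the right mode while it is still unclear whether a single session suffices.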