SANS ISC: Cisco ASA5500 Security Updates - cisco-sa-20100217-asa

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Tim reports that Cisco has released a security advisory for Cisco ASA5500 products, outlining some security vulnerabilities and resolutions

The issues are:

• TCP Connection Exhaustion Denial of Service Vulnerability
• Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
• Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
• WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
• Crafted TCP Segment Denial of Service Vulnerability
• Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
• NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

All issues are resolved by upgrading to an appropriate OS version, outlined in a table in the advisory.  If that is not possible, workarounds for many of these issues are also provided.

Most of these are DOS (Denial of Service) conditions, however the authentication bypass issue is much more serious.  If your ASA configuration requires NTLMv1 authentication, then read this advisory closely and upgrade to the appropriate OS version as soon as possible !  A workaround that's not referenced in the Cisco doc is changing to RADIUS authentication in place of NTLMv1.  If an OS update is not easy to schedule in the near future, this might be a better approach short term (or even long term) than using NTLMv1.

Find the advisory here ==> http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910c.shtml

=============== Rob VandenBrink Metafore ===============