Cisco ASA5500 Security Updates - cisco-sa-20100217-asa
Last Updated: 2010-02-17 18:56:39 UTC
by Rob VandenBrink (Version: 1)
Tim reports that Cisco has released a security advisory for Cisco ASA5500 products, outlining some security vulnerabilities and resolutions
The issues are:
- TCP Connection Exhaustion Denial of Service Vulnerability
- Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
- Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
- WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
- Crafted TCP Segment Denial of Service Vulnerability
- Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
- NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
All issues are resolved by upgrading to an appropriate OS version, outlined in a table in the advisory. If that is not possible, workarounds for many of these issues are also provided.
Most of these are DOS (Denial of Service) conditions, however the authentication bypass issue is much more serious. If your ASA configuration requires NTLMv1 authentication, then read this advisory closely and upgrade to the appropriate OS version as soon as possible ! A workaround that's not referenced in the Cisco doc is changing to RADIUS authentication in place of NTLMv1. If an OS update is not easy to schedule in the near future, this might be a better approach short term (or even long term) than using NTLMv1.
Find the advisory here ==> http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910c.shtml
=============== Rob VandenBrink Metafore ===============