topic Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell' in Network Security

FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

eeebbunee — Tue, 14 Dec 2021 17:52:40 GMT

Hello All,

Have anyone known about Log4JShell exploit?

This exploit got effected the devices tomcat based as far as I know.

Our company has 3 FTDs and 1 ASA, and just knew that FTD 6.2.3 os is vulnerable.

We are trying to upgrade the version as soon as we can, but not sure which version is reliable for this exploit.

Can anyone tell me about this?

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Tue, 14 Dec 2021 18:41:02 GMT

FTD managed by FMC is not vulnerable.

FTD managed by FDM or CDO is vulnerable and there is no patch as of the time of this posting.

The vulnerabilities are tracked in this document which is currently being updated multiple times per day with new information about products confirmed vulnerable or not, the BugID in the former case and - where a patch or pending patch release is identified - the version with the patch.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

OscarS — Wed, 15 Dec 2021 10:13:44 GMT

Hi there,

Random question but is there a way to turn log4j off, disable the expoited mechanism, or indeed do anything other than wait for your FTD firewalls to get expoited in the meantime?

Kind regards,

Oscar

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

eeebbunee — Wed, 15 Dec 2021 14:23:51 GMT

Hello OscarS,

I would like to share this cause we have same concerns. Please see the released article below.

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

Our security engineer considered that released Apache version 2.16.0 and sooner will patch for Unifi controller. For the Cisco FTD / ASA deployement, we will wait a little more.

I hope sooner Cisco release the upgraded ios.

Thank you.

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Thu, 16 Dec 2021 11:36:17 GMT

Is your FTD firewall FDM-managed? If so, the patch is not yet released (as of 16 December 2021).

If they are FMC-managed (as most are) then they are not vulnerable.

For traffic transiting the firewalls, Cisco released rule updates almost immediately to detect and block attempts to exploit the vulnerability. See this detailed writeup for how to leverage that protection even more:

https://blogs.cisco.com/security/protecting-against-log4j-with-secure-firewall-secure-ips

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

alexbaldwin — Fri, 17 Dec 2021 01:53:40 GMT

So are we saying that we believe FDM managed firewalls can be compromised over their Internet facing port using this vulnerability and there is no work around?

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Fri, 17 Dec 2021 12:38:45 GMT

As I understand the vulnerability it requires the device to be accessed via an open interface to exploit it. So as long as your FTD isn't set to allow management via the outside interface (which is generally not recommended) then the vulnerability is only exposed via the management interface which is almost always on an internal protected network.

By the way Cisco has updated the security advisory and is now projecting a hotfix for FDM-managed FTD devices to be released next week as follows:

Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM)

CSCwa46963

6.2.3 hotfix (23 Dec 2021)
6.4.0 hotfix (23 Dec 2021)
6.6.5 hotfix (23 Dec 2021)
7.0.1 hotfix (23 Dec 2021)
7.1.0 hotfix (23 Dec 2021)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

alexbaldwin — Fri, 17 Dec 2021 20:38:58 GMT

Marvin,

Thanks for your reply, that is helpful and reasonable. I've tried feeding this answer to Cisco TAC for confirmation but they haven't been willing to state that the box cannot be compromised using the public facing interface. Do you mind me asking what evidence you have seen that the box is not vulnerable on the public side, assuming it is not managed via the public interface? I'm trying to put minds at ease, but Cisco isn't helping me much here.

Thanks

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Sat, 18 Dec 2021 01:20:17 GMT

Caveat - I'm not a pen tester or a developer but am reasonable experienced with managing Cisco firewalls and other security products. So the following is my personal understanding...

The CISA guidance is found here:

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

It states in part:

"Immediate Actions to Protect Against Log4j Exploitation
• Discover all internet facing assets that allow data inputs and use Log4j Java library anywhere in the stack.
• Discover all assets that use the Log4j library.
• Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
• Monitor for odd traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections)."

(my emphasis added)

We check for an ASA or FTD device's listening ports with "show asp table socket". If it reports no listening ports then it is generally safe to assume that data input is not accepted via any of the data plane (i.e. non-management) interfaces.

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

alexbaldwin — Sun, 19 Dec 2021 22:27:19 GMT

Thanks that sounds right and shows a good answer (no ports).

While I was writing this, I noticed what I think is an update because I didn't see this before in the bug confirming your understanding too.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46963

Only the FTD-API associated with Firepower Device Manager is vulnerable. This is exposed by default on the management interface and the inside data interface (typically port 2) on devices in the on-device manager mode. This API interface can be disabled by configuration from data-plane interfaces. VPN and other features outside of Firepower Device Manager are not vulnerable. Firepower Management Center managed FTD devices are not vulnerable. Workaround: Access Control can be added to both the management and data-plane interfaces to limit who can call this FTD-API interface removing the risk from external actors.

Thanks

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Mon, 20 Dec 2021 01:54:41 GMT

@alexbaldwin thanks for highlighting the updated BugID. That officially confirms what I had surmised with the added bit that the VPN service is not vulnerable. Those bits should help alleviate a lot of concern while we wait for a more comprehensive fix via a patch.

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

amralrazzaz — Mon, 20 Dec 2021 15:10:19 GMT

Normally mgmt interface should be accessing internet to get smartnet license syncing !! please correct me if im wrong!

also im be able to access my FTDASA device remotely but over our secured vpn connection only !

so whats my status now ?

BTW im running 2 ftd device managed by fdm :

Cisco ASA5516-X Threat Defense (75) Version 6.2.2 (Build 81)
Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91)

please need support to work around and keed my NW safe ? what can i do t?

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Mon, 20 Dec 2021 15:21:53 GMT

@amralrazzaz the management interface does access the Internet for Smart license sync, SI updates etc. However it should not be open to incoming traffic initiated from the Internet. That's the primary vector of concern.

The secondary and less concerning vector is from any compromised internal hosts or malicious insiders. You can either accept that risk or implement access control for your management interface while awaiting the pending patch for FTD.

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

amralrazzaz — Mon, 20 Dec 2021 15:45:30 GMT

@Marvin Rhoads

the management interface does access the Internet for Smart license sync, SI updates etc. However it should not be open to incoming traffic initiated from the Internet. That's the primary vector of concern.

May i asked you how to make sure that incoming traffic from internet to mgmt ifc is disabled or block ? how to block incoming and from understanding you keep outgoing traffic for smartnet license and updates!

and as i said i do remote access on ASA using mgmt ifc via company vpn connection! is that consider as incoming traffic to mgmt ifc ?!!

2nd thing what shall i do now till patch is released as i can see they released already hotfix 6.4.0 hotfix (Available) ? how to upload this patch on ASA device? or still not hotfix available till now?

also from inside , i dont have any local asset connect to internet that using apache except ASA DEVICES!? SO IS THAT FINE ?

last this i run this command as per ur recommendations with no result shown as below and what does mean ?

> show asp table socket

Protocol Socket State Local Address Foreign Address

also how to implement access control for your management interface ??steps please

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Mon, 20 Dec 2021 16:00:03 GMT

@amralrazzaz you can restrict access to the management interface as explained in the configuration guide here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-system.html#concept_6FFA959431C84299B9EDCF19160266AD

The access to be most concerned about would be from the public Internet - not for you on your VPN connection. Your VPN traffic appears to the management interface after being unencrypted from the VPN tunnel (and still with the inner layer of SSL/TLS encryption used to access FDM).

The (lack of any) output of "show asp table socket" indicates there is not any listening port on the data interfaces.

The just-released hotfix for 6.4.0 only applies to 6.4.0. Other FTD versions will require their own hotfixes which will be released shortly as noted in the security advisory.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

amralrazzaz — Mon, 20 Dec 2021 16:43:12 GMT

@Marvin Rhoads

> show version
-------------------[ Firepower2 ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
> show version
---------------[ Firepower1 ]----------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91)

I have another question please regarding the OS that is running for both ASA device which mentioned on below
i can see one of them listed on cisco impacted list and one is not !
so according to below impacted list from cisco and my device which running 6.6.1 which is not listed is safe
and nothing to do on it ? or 6.6.1 can be considered as 6.6.0?!
7.1.0
7.0.0
6.7.0
6.6.0
6.5.0
6.4.0
6.3.0
6.2.3

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Mon, 20 Dec 2021 16:54:32 GMT

As of this posting, all current 6.6.x releases without the hotfix are vulnerable.

Upgrade to 6.6.5 and then to 6.6.5.1 and then finally install the hotfix for 6.6.5.1 for the best coverage as of this posting.

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

amralrazzaz — Mon, 20 Dec 2021 18:51:24 GMT

@Marvin Rhoads sorry for asking again !

i just dont have time as im outside office for sometime & busy !so can i keep using the current os versions (6.2.3.3 & 6.6.1) for now and install the hotfixes for them once released next 23th of December ! at least to fix this vulnerable issue and later on i ll update both os version ! is that okay ?

also is there simple steps to follow once this hotfix released ? how to import on ASA device ?

as it seems for 6.6.1 that i have is not included on impacted list im not sure if they will release hotfix for it or not !

may i ask you if ill upgrade from 6.6.1 to 6.6.5 or 6.6.5.1 whats the steps to follow and without losing any setup or configurations !!?

is the update from version to version within same 6.6.x make different in the process comparing if i will jump from 6.6.1 to 7.0 for example?

and which one to choose from below :

ASA FirePOWER upgrade
Cisco_Network_Sensor_Upgrade-6.6.5-81.sh.REL.tar

ASA FirePOWER module install package
asasfr-sys-6.6.5-81.pkg

ASA FirePOWER module boot image
asasfr-5500x-boot-6.6.5-2.img

thanks a lot for help dear

Re: FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

Marvin Rhoads — Mon, 20 Dec 2021 19:18:01 GMT

Hotfix and upgrade instructions are the same and are linked in the earlier document I posted.

Neither one will cause the devices to lose any configuration. If you have an HA pair, you can do it with no downtime but should still work within an approved maintenance window if you are supporting production customers. If there is no HA pair, an upgrade will require an outage when the device enters maintenance mode to replace system files and run various scripts as part of the upgrade. The outage duration is typically 30-60 minutes per device.

To upgrade, use the file with the word upgrade in it. 🙂