topic CVE-2016-1287 Vulnerability in Network Security

CVE-2016-1287 Vulnerability

alfredobosca — Tue, 12 Mar 2019 07:24:29 GMT

Hello,

We have detected the next vulnerability CVE-2016-1287 and Cisco advice upgrade to 9.1 version, but in my case would be so painful (current version still is the 8.2). Whereas, anybody knows if there is any workaround?

Thanks in advance,

Hello,

benjamin.rickert11 — Fri, 26 Feb 2016 16:22:16 GMT

Hello,

referring to

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Section Workarounds states that there are currently no workarounds.

Regards

Hello Alfredo,

David Castro F. — Sun, 28 Feb 2016 06:39:51 GMT

Hello Alfredo,

There not workarounds either ways, you may just patch the firewalls to the interim version 8.2(5)59, and it will stay in the same 8.2.X series, so your NAT or VPN configs wont change, either ways the best practice is to move to 9.1.7,

If this helped, could you please rate this! let me know if you have further questions on this!

Regards,

David Castro,

Hi,

alfredobosca — Sun, 28 Feb 2016 11:40:36 GMT

Hi,

But the version 8.2(5.59) still not available on cisco website.

Thanks,

Hello Alfredo,

David Castro F. — Sun, 28 Feb 2016 18:03:34 GMT

Hello Alfredo,

Version 8.2(5)59 is available, I actually patched 3 clusters with that interim release yesterday, the image is called asa825-59-k8.bin, and you may find it here:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

- https://software.cisco.com/download/release.html?mdfid=279916854&flowid=4373&softwareid=280775065&release=8.2.5%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

If this helped, could you please rate this! let me know if you have further questions on this!

Regards,

David Castro,

Hello,

alfredobosca — Thu, 03 Mar 2016 10:54:58 GMT

Hello,

I have upgrade from 8.2.5 to 8.2(5)59 and all interfaces has been put on shutdown. This behaviour is unusual...

Hello Alfredo,

David Castro F. — Thu, 03 Mar 2016 13:46:45 GMT

Hello Alfredo,

It seems like nothing was saved, since there is not IP address, security level defined.. did you save the configuration before going towards that version? this is really unlikely to happen, and I was going through internal documentation and this seems to be an issue that is completely undocumented, since this was tested in several sandbox environments, is that ASA good of memory? did you do a health check when this occurred? by any chance do you have any syslog server, so we can see what happened at that accurate time? is that the only issue that you are having so far?

Note: An interface will show as shutdown if there are not devices connected to them, so check cabling and that there are devices plugged in and turned on.

Please proceed to rate and mark as correct this post if it helped you! Keep me posted!

Thanks,

David Castro,

Hello,

alfredobosca — Thu, 10 Mar 2016 14:29:12 GMT

Hello,

On the release note indicates that only affects to asa devices with HTTPS inspection. On this case the asa there isn't configured the HTTPS inspection. Should you upgrade the firmware?

Thanks a lot!

according to the release

David Castro F. — Thu, 10 Mar 2016 22:48:36 GMT

according to the release notes of this last interim version, there wont be any other 8.2.X, so the recommended is to have the OS upgraded to 9.X, if this does not involve any memory implications, so for a best practice, you should look forward to upgrade, and make sure the 9.x wont wreck anything in place,

Please proceed to rate and mark as correct this post if it helped you! Keep me posted!

Thanks,

David Castro,