Our security team tested vulnerabilities on ASA 5525-X. Somehow they could display the ios version. This is considered a security risk. Is there any command/setting (similar to encrypting a password) that masks the ios version from outsiders, but of course still shows it to insiders? Thanks.
Just some new information received now. They used mainly "Nmap" and "Nessus" as diagnostic tools. With Nmap, it was possible to see the ios version according to their claim, caused by a current vulnerability (buffer overflow) in ios ver 9.2 (1), which is described in the link below:
・Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (Cisco Security Advisory) https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150210-asa-ike
We just got their report and 2 log files. They used a group of 10 ip addresses to test vulnerabilities and attack the ASAs (main 5525-X, backup 5520). I checked their logs. All these ip addresses were rejected or (ACL) denied by the ASAs. However, there was no version information in the log files. So I have no idea how they could display the ios version, but they said it can be seen over the internet. Our worry is that any attacker (who may guess the internal ip address) may use known vulnerabilities of ios 9.1(2) to attack the ASAs. For this, we need to mask (encrypt?) the ios version from outsiders, and restrict it to only authorized users. They also added that system information and other important information, together with some "improper page", are unnecessarily publicly displayed (?). They recommended that we properly configure the access control (in order not to publicise this information to outsiders), upgrade (or downgrade?) the current version to a newer version without vulnerabilities (?), and restrict access to the new ios software service to only authorized users (or service personnel). The original report is in Japanese, so I tried to (literally) convey as much precise information as possible. There was no explanation of how they found these problems. It seems they want some kind of advanced settings to mask (encrypt) critical information from non-authorized personnel or outsiders. They are probably seeking the impossible, but I have no idea. Any help or advice will be highly appreciated. Thanks.
I think the only way to see the ios version of your device is by using snmp or http access. And these methods must be closed for outside connections. I think all outside connections must be controlled by you. By default, the ASA configuration denies all connections coming from a lower security-level interface.
Can you check the access methods to your device?
Thanks for the contact again. They did port scanning using Nmap and Nessus as their main diagnostic tools. It is possible to collect information (traps, etc.) via snmp or http. The discovered problems could be related to ios ver.9.1(2) vulnerabilities; that is why they asked us to upgrade to an ios version without vulnerabilities. Do you have any idea? Thanks.
A lot depends on not only the ASA software release but also your configuration.
Can you tell us if either of the following indicated access is allowed via your outside interface?
show run ssh
show run http
show run snmp
If they scanned your inside interface then they may well get version information if they are coming from an allowed address. I wouldn't characterize that as a vulnerability.
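A quick way to review the three outputs asked for above, as an added example that is not from this thread: it parses `show run ssh`, `show run http` and `show run snmp-server` lines and flags management access permitted on the outside interface. The sample output, addresses and interface names are constructed for the example.

```python
import re

# Constructed sample of ASA "show run ssh", "show run http" and
# "show run snmp-server" output. Addresses and nameifs are made up.
SAMPLE_RUN = """
ssh 192.168.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.10.50 community ***** version 2c
snmp-server host outside 203.0.113.7 poll community ***** version 2c
snmp-server location DC1
"""

# "ssh|http <source-ip> <mask> <nameif>" lines grant management access
ACCESS_RE = re.compile(
    r"^(ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
# "snmp-server host <nameif> <ip> ..." lines name an SNMP peer per interface
SNMP_RE = re.compile(r"^snmp-server host\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")


def find_exposed_management(config, untrusted_ifaces=("outside",)):
    """Return (service, source, interface) tuples for management access
    permitted on an untrusted interface. A 0.0.0.0/0.0.0.0 source is
    reported as 'any', which is the case most worth fixing first."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            service, ip, mask, iface = m.groups()
            if iface in untrusted_ifaces:
                src = "any" if (ip, mask) == ("0.0.0.0", "0.0.0.0") else f"{ip}/{mask}"
                findings.append((service, src, iface))
            continue
        m = SNMP_RE.match(line)
        if m:
            iface, host = m.groups()
            if iface in untrusted_ifaces:
                findings.append(("snmp", host, iface))
    return findings


if __name__ == "__main__":
    for svc, src, iface in find_exposed_management(SAMPLE_RUN):
        print(f"{svc:5} reachable from {src} via {iface}")
```

Any "any" hit on the outside interface means the version can be read by whoever reaches that port, regardless of the software release.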
Thank you for the contribution. It seems it is a bug in ios ver.9.1(2). Cisco recommended the upgrade to ver.9.1(6.11) or higher. The security team used https://153.142.x.x/CSCOSSLC/config-auth in their vulnerability test, and this resulted in the display of an xml source showing the ios ver.9.1(2). We will try to upgrade and then see if it works.
Hi Aydin and Marvin,
We could solve the problem by upgrading the ASAs' ios version from 9.1(2) to 9.1(6.11). The ios version is no longer displayed when trying to access [ https://153.142.x.x/CSCOSSLC/config-auth ] from outside. It seems it was just a software bug. Thank you for the support.