ASA ssh timeout vulnerability

Christian Jorge
Level 1

Hello

Is there anyone who has faced this recent vulnerability?

http://tools.cisco.com/security/center/viewAlert.x?alertId=27927

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc59462

My understanding is that for ASA 8.4.1 and prior, there's a vulnerability where, if many SSH sessions are opened and one of them times out, the firewall crashes!

As we have many customers with ASAs using 8.2.5(26) (for example), I'd like a confirmation that, to fix that bug, I need to upgrade my ASA image to at least 8.4.x.

In that case, I believe the whole former firewall configuration must be reviewed, because the 8.2.x version has many commands that differ from 8.4.x (for example, NAT).

I hope Cisco provides a patch for the 8.2.x versions.

19 Replies

Zero-downtime is exclusive to FAILOVER; if you do not have a failover pair, then you should not consider that.

I mean zero-downtime with a single unit will never happen (the unit MUST be rebooted).

The document refers to 8.3 and higher versions. I highly recommend avoiding the 8.3 track, and I can assure you my colleagues at TAC will do the same.

So go from 8.2 to 8.4.5(6) directly; the migration should happen.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Good Morning JCarvaja

Considering your recommendation (and probably, as you said, Cisco TAC's recommendation), is there any trap or recommendation regarding my configuration?

- 2 firewall ASAs as failover active-standby

- names configured

- no nat-control

- IPSec VPN client-to-gateway and gateway-to-gateway, client-to-gateway authentication by AAA LDAP server

- some static routes with tracking (no dynamic routing)

- no specific policy-maps (only default)

- NATs: exemption for VPNs, policy PAT, usual static and policy static.

- outside-to-inside access-list rules with mapped IPs in the destination (usual for static NATs in version 8.2)

Is there any impact from entering "no names"?

Is there any inconsistency regarding failover with 8.2 and 8.4.5 for a while during migration?

Is there any impact from entering "no names"?

Negative, not at all. All positive, as we are no longer using it on the newer versions.

Is there any inconsistency regarding failover with 8.2 and 8.4.5 for a while during migration?

As long as you proceed with a zero-downtime failover you should be good.

Make sure the NAT exemption rules are as specific as possible.

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Any concern or recommendation regarding outside-to-inside access-list rules with mapped IPs in the destination, or is the mapped (static NAT'ed) destination converted automatically to the real IP destination based on the former static rule?

Hello Christian,

Nope, just remember to make the NAT exemption rules as specific as possible (try not to overlap) and you should be fine.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
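The two migration points discussed above (NAT exemption written as specifically as possible, and outside-to-inside ACLs that match mapped addresses in 8.2 but real addresses from 8.3 onward) shown side by side, as an added illustration that is not from this thread or from Cisco's documentation; the addresses, object names and ACL name are constructed.

```text
! --- ASA 8.2 style (constructed example) ---
! NAT exemption for the site-to-site VPN: "nat 0" driven by an access-list
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Static NAT for a web server; the outside ACL matches the MAPPED address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! --- ASA 8.4 equivalent (constructed example) ---
! One object per exact subnet, so identity rules do not overlap
object network INSIDE_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.2.0 255.255.255.0
! Identity (twice) NAT replaces "nat 0 access-list".
! no-proxy-arp: the ASA does not proxy-ARP for the mapped addresses;
! route-lookup: egress interface comes from the routing table, not the rule.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! Object NAT replaces "static"; the outside ACL now matches the REAL address
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-group OUTSIDE_IN in interface outside
```

After the migration, `show nat` lists the translated and untranslated hit counts per rule, and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443` confirms that the inbound flow hits the object NAT and is then permitted by the ACL on the real address.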