Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Garry
Hi,
> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that
> there actually is a 8.2(5)59 version with the fix. Reading the SA page
> I got the impression that there was no fixed software for 8.2(5).
Thanks for the find, same situation we were in (well, several of our
customers rather) - reading the advisory, it clearly states anything 8.x
except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that
can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at
least one system that only has 256M of RAM (and therefore can't go to
anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30)
caused some problems due to incorrectly (or incomplete) config migration
for several systems ... of course it could be fixed, but still ...
And yes, the systems should be kept more current, but seeing what
happens when you do update more or less confirms the old saying "never
change a running system" ... sadly ...

Still, if Cisco publishes an interim that fixes this disastrous flaw and
is not at least following up on their announcement (8.2.5(59) was
released 3 days after the initial notification was published), it's sort
of a pain for users ... even the advisory on the web page hasn't been
updated to at least list the option of using the interim ... :(

-garry

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Alexander Bochmann
...on Mon, Feb 15, 2016 at 07:50:36PM +0100, Peter Rathlev wrote:
 > On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
 > > Advisory ID: cisco-sa-20160210-asa-ike
 > Poor bastards stuck at 8.2 (like us) might be relieved to know that
 > there actually is a 8.2(5)59 version with the fix. Reading the SA page
 > I got the impression that there was no fixed software for 8.2(5).

Oh wow, now that's massively annoying... Adding that little piece 
of information to the advisory would have saved us from quite a 
bit of rather troublesome emergency migration work this weekend.

I also think it's somewhat surprising how little buzz this creates, 
for a remote shell exploit in one of the major firewall systems, 
as detailed in https://blog.exodusintel.com/2016/02/10/firewall-hacking/

Is everyone waiting for a Metasploit module to show up?

Alex.



Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Nick Cutting
Thank you

Upgraded :)

From: vinny_abe...@dell.com [mailto:vinny_abe...@dell.com]
Sent: 15 February 2016 22:32
To: dwhit...@cisco.com; Nick Cutting; pe...@rathlev.dk; 
cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
IKEv2 Buffer Overflow Vulnerability


FWIW, I believe the ASA 5505, 5510, 5520, 5540, and 5550s have always been the 
identical images, with the exception of the 5505s also supporting 9.2.x.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David 
White, Jr. (dwhitejr)
Sent: Monday, February 15, 2016 3:56 PM
To: Nick Cutting ; Peter Rathlev ; 
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
IKEv2 Buffer Overflow Vulnerability

The non-smp image is also posted (for the 5505). Look on the 5505 download 
page under:

All Releases
--> Interim
--> 8
--> 8.2.5 Interim

Sincerely,

David.


On 2/15/16 3:43 PM, Nick Cutting wrote:
> This is the best news I've heard all day. Was going to have to move 55 VPNs by 
> hand..
>
> I have this for the 5510 - I cannot see a release for the 5505 - will this 
> also be coming?
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Peter Rathlev
> Sent: 15 February 2016 18:51
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1
> and IKEv2 Buffer Overflow Vulnerability
>
> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com 
> wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that there 
> actually is a 8.2(5)59 version with the fix. Reading the SA page I got the 
> impression that there was no fixed software for 8.2(5).
>
> Kudos to Cisco for releasing a fixed version of something that old.
> :-)
>
> (And yes, upgrading to 8.4(7)30 and onwards is in the pipeline, we
> just need one small round tuit and we're there.)
>
> --
> Peter


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Vinny_Abello
FWIW, I believe the ASA 5505, 5510, 5520, 5540, and 5550s have always been the 
identical images, with the exception of the 5505s also supporting 9.2.x.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David 
White, Jr. (dwhitejr)
Sent: Monday, February 15, 2016 3:56 PM
To: Nick Cutting ; Peter Rathlev ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
IKEv2 Buffer Overflow Vulnerability

The non-smp image is also posted (for the 5505). Look on the 5505 download 
page under:

All Releases
--> Interim
--> 8
--> 8.2.5 Interim

Sincerely,

David.


On 2/15/16 3:43 PM, Nick Cutting wrote:
> This is the best news I've heard all day. Was going to have to move 55 VPNs by 
> hand..
>
> I have this for the 5510 - I cannot see a release for the 5505 - will this 
> also be coming?
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Peter Rathlev
> Sent: 15 February 2016 18:51
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1
> and IKEv2 Buffer Overflow Vulnerability
>
> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that there 
> actually is a 8.2(5)59 version with the fix. Reading the SA page I got the 
> impression that there was no fixed software for 8.2(5).
>
> Kudos to Cisco for releasing a fixed version of something that old.
> :-)
>
> (And yes, upgrading to 8.4(7)30 and onwards is in the pipeline, we
> just need one small round tuit and we're there.)
>
> --
> Peter


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread David White, Jr. (dwhitejr)
The non-smp image is also posted (for the 5505).  Look on the 5505 
download page under:


All Releases
 --> Interim
--> 8
   --> 8.2.5 Interim

Sincerely,

David.


On 2/15/16 3:43 PM, Nick Cutting wrote:

This is the best news I've heard all day.  Was going to have to move 55 VPNs by 
hand..

I have this for the 5510 - I cannot see a release for the 5505 - will this also 
be coming?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter 
Rathlev
Sent: 15 February 2016 18:51
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
IKEv2 Buffer Overflow Vulnerability

On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:

Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
Overflow Vulnerability

Advisory ID: cisco-sa-20160210-asa-ike

Poor bastards stuck at 8.2 (like us) might be relieved to know that there 
actually is a 8.2(5)59 version with the fix. Reading the SA page I got the 
impression that there was no fixed software for 8.2(5).

Kudos to Cisco for releasing a fixed version of something that old. :-)

(And yes, upgrading to 8.4(7)30 and onwards is in the pipeline, we just need 
one small round tuit and we're there.)

--
Peter


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Nick Cutting
This is the best news I've heard all day.  Was going to have to move 55 VPNs by 
hand..

I have this for the 5510 - I cannot see a release for the 5505 - will this also 
be coming?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter 
Rathlev
Sent: 15 February 2016 18:51
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
IKEv2 Buffer Overflow Vulnerability

On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer 
> Overflow Vulnerability
> 
> Advisory ID: cisco-sa-20160210-asa-ike

Poor bastards stuck at 8.2 (like us) might be relieved to know that there 
actually is a 8.2(5)59 version with the fix. Reading the SA page I got the 
impression that there was no fixed software for 8.2(5).

Kudos to Cisco for releasing a fixed version of something that old. :-)

(And yes, upgrading to 8.4(7)30 and onwards is in the pipeline, we just need 
one small round tuit and we're there.)

--
Peter


Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-15 Thread Peter Rathlev
On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
> Overflow Vulnerability
> 
> Advisory ID: cisco-sa-20160210-asa-ike

Poor bastards stuck at 8.2 (like us) might be relieved to know that
there actually is a 8.2(5)59 version with the fix. Reading the SA page
I got the impression that there was no fixed software for 8.2(5).

Kudos to Cisco for releasing a fixed version of something that old. :-)

(And yes, upgrading to 8.4(7)30 and onwards is in the pipeline, we just
need one small round tuit and we're there.)

-- 
Peter
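An added example in Python, not from any of the posters and not Cisco's code: a small checker that parses ASA version strings such as 8.2(5)59 into comparable tuples and compares a running version against the first fixed interim build per release train. The FIRST_FIXED table is filled only with the two fixed builds named in this thread, 8.2(5)59 and 8.4(7)30; any other train comes back as "unknown" and has to be looked up in the advisory itself. The show version snippet, and the version 8.2(5)33 in it, are constructed sample input rather than output from a real device.

```python
"""Check a running Cisco ASA version against the first fixed interim per train.

Added example for this thread; not Cisco's code. The FIRST_FIXED table holds only
the two fixed builds named in the thread, so other trains come back as "unknown".
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# Accepts "8.2(5)59", "8.4(7)30", "9.1(7)" and the dotted interim form "9.4(2.4)".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?:\.(?P<dotted>\d+))?\)(?P<interim>\d+)?$"
)


def parse_asa_version(text: str) -> Version:
    """Turn an ASA version string into a comparable tuple; a missing interim counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    interim = m.group("interim") or m.group("dotted") or "0"
    return (int(m.group("major")), int(m.group("minor")), int(m.group("maint")), int(interim))


# First fixed build per train, as reported in this thread only. The advisory covers
# more trains; extend this table from the advisory before relying on it.
FIRST_FIXED: Dict[str, str] = {
    "8.2": "8.2(5)59",
    "8.4": "8.4(7)30",
}


def assess(running: str, fixed_table: Dict[str, str] = FIRST_FIXED) -> str:
    """Return "fixed", "vulnerable", or "unknown" when the train is not in the table."""
    v = parse_asa_version(running)
    train = f"{v[0]}.{v[1]}"
    if train not in fixed_table:
        return "unknown"
    return "fixed" if v >= parse_asa_version(fixed_table[train]) else "vulnerable"


# Constructed sample of the first lines of "show version" on an ASA (not real device output).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)33
Device Manager Version 6.4(5)
"""

_SHOW_VERSION_RE = re.compile(r"Software Version (\S+)")


def version_from_show_version(output: str) -> str:
    """Pull the version string out of "show version" output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"{running}: {assess(running)}")
    for candidate in ("8.2(5)58", "8.2(5)59", "8.4(7)", "8.4(7)30", "9.1(7)"):
        print(f"{candidate}: {assess(candidate)}")
```

Tuple comparison does the right thing here because an interim build is always a later build of the same maintenance release, so 8.2(5) without an interim sorts below 8.2(5)59. Feed it the output of show version collected from each firewall to get a per-device verdict without reading the advisory table by hand.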

Re: [c-nsp] TX low alarm warning

2016-02-15 Thread A . L . M . Buxey
Hi,

> For some reason especially on 4500X 3.7 code we have also seen this message
> on ports which are left no shut, and they have an SFP in it. It was
> seriously polluting our logs so we wrote this:

+1

> ! IOS limits a discriminator name to 8 characters, so LOGFILTER is stored as LOGFILTE;
> ! use the stored name wherever the discriminator is applied.
> logging discriminator LOGFILTE mnemonics drops SFF8472-5-THRESHOLD_VIOLATION
> logging host x.y.z.w discriminator LOGFILTE
> logging host x.y.z.q discriminator LOGFILTE
> logging console discriminator LOGFILTE

and +2 for that recipe :-)

alan


Re: [c-nsp] TX low alarm warning

2016-02-15 Thread Pavel Skovajsa
For some reason especially on 4500X 3.7 code we have also seen this message
on ports which are left no shut, and they have an SFP in it. It was
seriously polluting our logs so we wrote this:

! IOS limits a discriminator name to 8 characters, so LOGFILTER is stored as LOGFILTE;
! use the stored name wherever the discriminator is applied.
logging discriminator LOGFILTE mnemonics drops SFF8472-5-THRESHOLD_VIOLATION
logging host x.y.z.w discriminator LOGFILTE
logging host x.y.z.q discriminator LOGFILTE
logging console discriminator LOGFILTE

-pavel

On Mon, Feb 15, 2016 at 1:33 PM, Jim Glassford  wrote:

> Hi,
>
> The few I've had were fiber strand related, a poorly seated or dirty patch
> cord connection.
>
> best!
> jim
>
>
> On 2/15/2016 6:43 AM, Harry Hambi - Atos wrote:
>
>> Hi all,
>> Getting the following error Jan 27 04:06:25.811 GMT:
>> %SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value:
>> -40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic
>> error?. Any suggestions appreciated. Other end of link not alarming.
>>
>>
>> Rgds
>> Harry
>>
>> Harry Hambi BEng(Hons)  MIET  Rsgb


Re: [c-nsp] TX low alarm warning

2016-02-15 Thread Jim Glassford

Hi,

The few I've had were fiber strand related, a poorly seated or dirty 
patch cord connection.


best!
jim

On 2/15/2016 6:43 AM, Harry Hambi - Atos wrote:

Hi all,
Getting the following error Jan 27 04:06:25.811 GMT: 
%SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value: 
-40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic 
error?. Any suggestions appreciated. Other end of link not alarming.


Rgds
Harry

Harry Hambi BEng(Hons)  MIET  Rsgb



Re: [c-nsp] TX low alarm warning

2016-02-15 Thread Shawn Laemmrich
I've seen it with a bad gbic / sfp as well.  All you can really do is start
checking.  Fiber, jumpers, etc.

On Mon, Feb 15, 2016 at 6:51 AM, Karsten Thomann 
wrote:

> Usually it is caused by a broken fiber, but you will never know for sure
> until you checked it.
>
> Sent from my BlackBerry
>   Original message
> From: Harry Hambi - Atos
> Sent: Monday, 15 February 2016 12:44
> To: 'cisco-nsp@puck.nether.net'
> Subject: [c-nsp] TX low alarm warning
>
> Hi all,
> Getting the following error Jan 27 04:06:25.811 GMT:
> %SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value:
> -40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic
> error?. Any suggestions appreciated. Other end of link not alarming.
>
>
> Rgds
> Harry
>
> Harry Hambi BEng(Hons) MIET Rsgb


Re: [c-nsp] TX low alarm warning

2016-02-15 Thread Karsten Thomann
Usually it is caused by a broken fiber, but you will never know for sure until 
you checked it.

Sent from my BlackBerry
  Original message  
From: Harry Hambi - Atos
Sent: Monday, 15 February 2016 12:44
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] TX low alarm warning

Hi all,
Getting the following error Jan 27 04:06:25.811 GMT: 
%SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value: 
-40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic 
error?. Any suggestions appreciated. Other end of link not alarming.


Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb



[c-nsp] TX low alarm warning

2016-02-15 Thread Harry Hambi - Atos
Hi all,
Getting the following error Jan 27 04:06:25.811 GMT: 
%SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value: 
-40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic 
error?. Any suggestions appreciated. Other end of link not alarming.


Rgds
Harry

Harry Hambi BEng(Hons)  MIET  Rsgb

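An added example in Python, not from any of the posters and not Cisco's code, covering both the discriminator recipe in Pavel's post and the alarm in Harry's: instead of dropping every SFF8472-5-THRESHOLD_VIOLATION message on the box, which also hides alarms on ports that are in service, this parses the messages on the syslog collector and suppresses only those from a list of ports known to hold unused optics, so an alarm like the one on Te4/1 is still seen and gets a first triage hint. The sample log lines are constructed after the message quoted in the thread, the UNUSED_PORTS set is an assumption, and the -40 dBm "no light" floor is derived from SFF-8472's 0.1 uW power resolution.

```python
"""Triage %SFF8472-5-THRESHOLD_VIOLATION syslog messages on the collector side.

Added example for this thread, not from any poster or from Cisco. An IOS logging
discriminator drops the message for every port; this keeps the decision per port.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample syslog lines, modelled on the message quoted in the thread.
SAMPLE_LOGS: List[str] = [
    "Jan 27 04:06:25.811 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; "
    "Operating value: -40.0 dBm, Threshold value: -12.2 dBm.",
    "Jan 27 04:06:26.002 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te4/2: Tx power low alarm; "
    "Operating value: -40.0 dBm, Threshold value: -12.2 dBm.",
    "Jan 27 04:07:01.113 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te4/3: Rx power low warning; "
    "Operating value: -13.5 dBm, Threshold value: -12.0 dBm.",
    "Jan 27 04:07:05.500 GMT: %LINK-3-UPDOWN: Interface TenGigabitEthernet4/3, changed state to down",
]

_SFF_RE = re.compile(
    r"%SFF8472-5-THRESHOLD_VIOLATION: (?P<intf>\S+): "
    r"(?P<dir>Tx|Rx) power (?P<kind>low|high) (?P<sev>alarm|warning); "
    r"Operating value: (?P<op>-?\d+\.\d+) dBm, Threshold value: (?P<thr>-?\d+\.\d+) dBm"
)

# Assumed: ports that deliberately carry an unlit SFP (the "left no shut" case in the thread).
UNUSED_PORTS: Set[str] = {"Te4/2"}

# Assumed floor: SFF-8472 reports power in 0.1 uW steps, and 0.1 uW is -40 dBm, so a
# reading of -40.0 dBm means the optic measures no light rather than weak light.
NO_LIGHT_DBM = -40.0


@dataclass
class DomEvent:
    interface: str
    direction: str      # "Tx" or "Rx"
    kind: str           # "low" or "high"
    severity: str       # "alarm" or "warning"
    operating_dbm: float
    threshold_dbm: float


def parse_sff8472(line: str) -> Optional[DomEvent]:
    """Parse one syslog line; return None for anything that is not a DOM threshold message."""
    m = _SFF_RE.search(line)
    if m is None:
        return None
    return DomEvent(m["intf"], m["dir"], m["kind"], m["sev"], float(m["op"]), float(m["thr"]))


def hint(ev: DomEvent) -> str:
    """Where to look first. Tx power is measured inside the local optic, before any fibre,
    so a Tx alarm points at that optic or a laser that is off; Rx power depends on the
    fibre path, connectors and the far-end laser."""
    if ev.direction == "Tx":
        if ev.operating_dbm <= NO_LIGHT_DBM:
            return "local optic reports no Tx light at all: check the SFP, not the patch cord"
        return "local optic Tx below threshold: suspect the SFP"
    return "Rx below threshold: suspect the fibre path, connectors or the far-end Tx"


def triage(lines: List[str], unused_ports: Set[str] = UNUSED_PORTS) -> Dict[str, List[DomEvent]]:
    """Split DOM events into ones to suppress (unused ports) and ones to investigate."""
    result: Dict[str, List[DomEvent]] = {"suppressed": [], "investigate": []}
    for line in lines:
        ev = parse_sff8472(line)
        if ev is None:
            continue
        result["suppressed" if ev.interface in unused_ports else "investigate"].append(ev)
    return result


if __name__ == "__main__":
    groups = triage(SAMPLE_LOGS)
    for ev in groups["investigate"]:
        print(f"{ev.interface} {ev.direction} {ev.kind} {ev.severity} "
              f"({ev.operating_dbm} dBm vs {ev.threshold_dbm} dBm): {hint(ev)}")
    print(f"suppressed {len(groups['suppressed'])} event(s) on unused ports")
```

The point of doing this on the collector rather than with a discriminator is that the device keeps emitting the message for every port, so the suppression list can be changed centrally when a spare port is brought into service, and a Tx alarm on a live port is never silently dropped.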


Re: [c-nsp] Cisco ASR1002-X Licensing Question

2016-02-15 Thread James Bensley
On 15 February 2016 at 04:24, Troy Boutso  wrote:
> I understand I couldn't lodge cases to the TAC etc or get any support for
> anything operating within the confines of the RTU licensing but I am more
> interested in this for LAB/Personal use to stress test equipment out of
> production.


If you want this for lab use, Cisco do "not for resale" pricing, which
is what we use when purchasing lab gear. Their "not for resale"
program means (in our case, since we are an SP and not a hardware
distributor) that the kit is not used to generate revenue (it is not
deployed in our live network). NFR gives a hefty discount from list
price.

Cheers,
James.