Showing posts with label cisco. Show all posts
Showing posts with label cisco. Show all posts
Two cool new exploits have been released complete with cool names and graphics. Welcome Meltdown and Spectre, these critical vulnerabilities exploit pretty much all modern processors. Even though these hardware vulnerabilities have been around forever, four independent groups of researchers discovered these vulnerabilities simultaneously. Meltdown and Spectre at a high level allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. But what about our network and security equipment using modern processors, are they vulnerable? Below is a list I put together of links to vendors sites and their responses to the vulnerabilities. I imagine most of them will keep these pages up to date as they discover new information. This is a complicated and low level issue so most vendors are going to need time to really evaluate their products and create patches.
Luckily in most cases it is an attack that is performed through the management access, so if you follow the best practice of limiting device management access from only trusted IPs or networks you should be good until the patches are released.
PaloAlto Networks
"Our initial review of the vulnerabilities disclosed in the research concludes that all PAN-OS/Panorama platforms are not directly impacted by these attacks. There are no immediate plans to release a software update to PAN-OS in response to these issues at this time"F5
"ImpactFor products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Technical Support has no additional information about this issue.
BIG-IP
All three vulnerabilities require an attacker capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. The only administrative roles on a BIG-IP system that can execute binary code or exploitable analogs, such as JavaScript, are the Administrator and Resource Administrator roles. These users already have nearly complete access to the system and all secrets on the system not protected by hardware-based encryption. F5 believes that the attack with the highest impact may occur in multi-tenancy Virtual Clustered Multiprocessing (vCMP) configurations, running single-core guests owned by different administrative domains on a single BIG-IP system. In this scenario, Spectre Variant 2 may allow an attacker in one administrative domain to collect privileged information from the host or guests owned by another administrative domain, if the attacker's guest is configured as a single-core guest. The BIG-IP system always maps both hyper-threads of a given core to any guest with the "Cores Per Guest" configuration set to 2 or more, but single-core guests may execute on the same processor core as another single-core guest or host code. This threat may be mitigated by setting the "Cores Per Guest" configuration to 2 or more for all guests."
Cisco
"Cisco is investigating its product line to determine which products may be affected by these vulnerabilities. As the investigation progresses, Cisco will update this advisory with information about affected products, including the Cisco bug ID for each affected product."Juniper
"Juniper SIRT is actively investigating the impact on Juniper Networks products and services.”Brocade
Citrix/Netscaler
"Citrix NetScaler SDX: Citrix believes that currently supported versions of Citrix NetScaler SDX are not at risk from malicious network traffic. However, in light of these issues, Citrix strongly recommends that customers only deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins are trusted."- Uninstall completely existing VPN client SW
- Download and run this tool for 32-bit system:ftp://files.citrix.com/dneupdate.msi or this one for 64-bit system:ftp://files.citrix.com/dneupdate64.msi
- If you run into issues installing DNE software download and run this tool: ftp://files.citrix.com/winfix.exe and perform step 2 again
- If needed restart system
- Install Cisco VPN client SW again I used version 5.0.07.0440-k9
- Import or configure VPN profile and run software.
Here is a little bit about what the Citrix DNE software is;(http://www.citrix.com/go/lp/dne.html)
Citrix supplies software to a number of software and hardware companies. When they install their products on your systems, they will often contain DNE. DNE extends operating systems and network protocol devices and stacks to introduce measurement and controls. Our customers use these extensions to build products that do things like intrusion detection, VPNs, Network Address Translation (NAT), traffic measurement, response time measurement, bandwidth control, compression, content filtering, content protection, policy management, proxies, billing, packet marking, routing, protocol translation, wireless communication, secure tunnels and much more.
For everyone who has worked on a Cisco ACE you have experienced the pains of troubleshooting, especially in a long complicated config. Often you are reverse engineering from the policy-map multi-match to the r servers and probes to find all the pieces that make up the service. We have asked people within Cisco is there a command that will show everything related to a policy-map multi-match class and the answer has always been no, until recently. A colleague of mine was working with a Cisco TAC engineer via a webex and came across a most useful undocumented command. Here is what the TAC engineer entered:
show run filter policy-map multi-match class name
ex. show run filter L4_SLB_CLASS
This returned most of the associated parts of the service i.e. class-map, load-balance, server-farm, real server etc. Sounds like a dream right? Here is the kicker, I am not sure what platforms are supported. I know it worked on a 4710 appliance running A3 code, but I have attempted it on an ACE 20 module running A2 code and it didn't work. So if anyone has any info about this command send me an email and if I find any more documentation I will link it to this post.


