4 Recommendations for Mitigating Exposure In Response to Cisco ASA and FTD IPSec DoS Vulnerability

On July 15^th, Cisco released a high severity advisory related to Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software affected by an IPSec vulnerability. A remote authenticated attacker, or an unauthenticated attacker that sits between two IPSec peers, can cause an unexpected reload of the affected firewall. Attackers that send malicious packets can trigger the condition, resulting in a denial of service (DoS) condition as the device reloads.

This vulnerability only affects ASA software version 9.16.1 and FTD software version 7.0.0. Additionally, only the Cisco Firepower 2100 series firewall, Firepower NGFW virtual firewall, and ASAv are affected when not running with the Federal Information Processing Standards Publication (FIPS) mode enabled.

IPSec is often used to secure traffic across unmanaged and many times public (e.g., connected to the Internet) transits, and often to destination peer firewalls that are not managed by your organization. As a result, there are multiple factors that come into play when determining risk. Running the affected software comes with a level of risk and exposure that should be reviewed by organizations.

How to Identify if Your Firewalls are Affected?

The following steps can be used to identify if you are affected by this security advisory. As this affects both Cisco ASA and FTD firewalls, specific steps for each firewall are identified.

1. Determine if you have an affected firewall model. Affected models include:
   1. Cisco Firepower 2100 series
   2. Cisco Firepower NGFW virtual
   3. Cisco ASAv
2. Determine if you are running an affected software version
   1. Cisco ASA – At the CLI, issue a “show version” command and identify the current version
   2. Cisco FTD – At the CLI, issue a “show version” command, or in your Cisco Firepower Management Center (FMC), browse to Devices > Device Management and review the Version column
3. Determine if you have the vulnerable features configured
   1. Cisco ASA and FTD – Identify if the crypto map interface or tunnel protection ipsec commands are found in the output of a show running-config
4. Determine if you are running FIPS mode. If you are running FIPS mode, you are not impacted by this vulnerability
   1. Cisco ASA – Identify if you have the fips-enable command in the show running-config
   2. Cisco FTD – Identify if your Platform Settings policy has either the Unified Capabilities Approved Products List (UCAPL) or Common Criteria (CC) modes enabled

4 Recommendations for Mitigating Exposure

Optanix has several recommendations that can help mitigate some level of exposure on your Cisco firewalls. Keep in mind that a device is never 100% safe from a security breach. These recommendations merely outline some of the steps you can take to reduce your exposure and increase security for your network firewalls. Below we describe four recommendations that relate to the features found to be vulnerable in the latest firewall security advisories from Cisco.

Recommendation #1: Patch Your Firewall Immediately

If you are running an affected version of software and have the vulnerable features configured, we recommend reviewing the upgrade path within the advisory. Follow your change management procedures and patch as soon as you can once a target version of software is identified. Our “How to Upgrade Cisco ASA Firewalls” post outlines a simple and effective method for upgrading and verifying Cisco ASA Active/Standby firewall clusters or standalone firewalls.

Recommendation #2: Maintain a Regular and Frequent OS Patching Policy

Maintaining a regular and frequent OS patching policy is an effective proactive measure that you can take to secure your network devices. Hackers will quickly latch on to newly identified vulnerabilities and begin scanning for equipment that is affected whenever a security advisory is released to the public. By having a well-defined patching policy and change management procedure in place, you can narrow the time between when the advisory announcement is made and when your devices are no longer affected.

Recommendation #3: Use a Fault-Tolerant IPSec and Path Design

Although it may not be possible in all circumstances, use a fault tolerant design with your IPSec connections whenever you can. IPSec by itself is not a service critical to your business, rather it is the traffic that is encrypted by IPSec that is critical. You can significantly reduce the impact of this vulnerability if there is an alternative path and IPSec connection that this business-critical traffic can take to reach its destination while the affected IPSec firewall is encountering a failure scenario. The duration of impact can be reduced to the amount of time routing protocols take to reconverge to the alternative path.

Recommendation #4: Identify Third-Party Security Practices

If you are using IPSec with a third party that is outside of your control, ensuring that your firewall is unaffected by this security advisory only represents half of the security review. The DoS condition can still affect your business if a malicious actor were to affect the firewall on the other end of the IPSec connection. It is thus important to have conversations with your partners and vendors around security. Discuss with them what their security practices are and how they enforce these practices. Use questions such as these to guide that discussion:

• Do they regularly review security advisories and if they have affected equipment?
• Do they regularly patch their network devices?
• How do they protect sensitive information contained in their network devices configuration such as certificates and pre-shared keys (e.g., is this information stored in a secure location with limited access provided and is it encrypted)?

Security Assistance

Optanix maintains a security-first culture which we extend to all of our customer engagements. If you would like assistance with reviewing security advisories or implementing best practices, our team of enterprise networking professionals can help you. Optanix customers can get in touch by contacting your customer success manager (CSM) or by opening a service request (ESR) in the Optanix Platform. For prospective clients, please click here to engage with Optanix.