[181886] in North American Network Operators' Group
Re: Possible Sudden Uptick in ASA DOS?
daemon@ATHENA.MIT.EDU (Dario Ciccarone)
Thu Jul 9 00:09:04 2015
X-Original-To: nanog@nanog.org
Date: Wed, 08 Jul 2015 14:01:56 -0400
From: Dario Ciccarone <dciccaro@cisco.com>
To: Mark Mayfield <Mark.Mayfield@cityofroseville.com>,
"nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <ffc0dc8068ba47c2bdc35184b8301df5@MIEXMBVM1.metro-inet.us>
Errors-To: nanog-bounces@nanog.org
NANOG members:
Hi there. This is Dario Ciccarone from the Cisco PSIRT - the Product
Security Incident Response Team. This is to acknowledge we're aware of
this issue, and we're working with all the appropriate parties.
Indeed, it seems the culprit is Cisco bug ID CSCul36176 - which was
released as part of the Cisco Security Advisory "Multiple
Vulnerabilities in Cisco ASA Software", which was published on October
8th, 2014. The full advisory is available at the following URL:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
As I said, the Cisco PSIRT is working with the Cisco Technical
Assistance Center on this matter, and we're analyzing the available
information. The advisory will be updated to reflect the fact we're
seeing active exploitation of this issue.
NANOG members are welcome to contact us at psirt@cisco.com if they
have any additional questions or concerns, or any information relevant
to this issue.
Thanks,
Dario
On 7/8/15 12:58 PM, Mark Mayfield wrote:
> Come in this morning to find one failover pair of ASA's had the primary crash and failover, then a couple hours later, the secondary crash and failover, back to the primary.
>
> Another pair running the same code had the primary crash and fail in the same time window.
>
> So, three crashes in 4 hours in our environment.
>
> Open a TAC case on one of these for post-mortem analysis, and they interpreted the crash dump to point at a DOS bug first published in Oct.
>
> The very interesting thing; on the phone the TAC engineer said this was "the 10th one of these I've dealt with this morning".
>
> Here's the bug they reference:
> https://tools.cisco.com/bugsearch/bug/CSCul36176/?reffering_site=dumpcr
>
> Anyone else have observations to add on this?
>
> Mark Mayfield
> City of Roseville - AS 54371
> Network Systems Engineer
>
> 2660 Civic Center Drive
> Roseville, MN 55113
> 651-792-7098 Office
>