Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability

A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device.

The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-vpn-dos-edOmW28Z

Security Impact Rating: Medium

CVE: CVE-2020-3220

Unable to load host key “/nsconfig/ssh/ssh_host_dsa_key”: invalid format

Regenerate a new ssh dsa key

======================

Delete (or back up) the existing corrupted DSA private and public key located in /nsconfig/ssh/:

> rm /nsconfig/ssh/ssh_host_dsa_key

> rm /nsconfig/ssh/ssh_host_dsa_key.pub

Generate a new dsa private and pub key.

> ssh-keygen -t dsa

When prompted, give the same location and name as the previous key: /nsconfig/ssh/ssh_host_dsa_key

Then reboot, or reload sshd against its config file:

> /usr/sbin/sshd -f /etc/sshd_config


Another solution is to disable the DSA SSH host key, since it is not really required when an RSA host key is present.

=================

Edit /etc/sshd_config and comment out (#) the DSA HostKey line:

root@adc# cat /etc/sshd_config
Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
Protocol 2
HostKey /nsconfig/ssh/ssh_host_rsa_key
#HostKey /nsconfig/ssh/ssh_host_dsa_key

Save the file.

Copy sshd_config to /nsconfig/

> cp /etc/sshd_config /nsconfig/

Reload sshd with command:

> /usr/sbin/sshd -f /nsconfig/sshd_config
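The two fixes above come down to two checks: does the sshd configuration still reference a DSA host key, and is the key file on disk actually well-formed? The following is an added example (not Citrix tooling, and not code from the post) that performs both checks on text in memory, so it can be run against a copy of sshd_config and the key file before anything is changed on the appliance. The sample configuration is constructed from the listing in the post; the key-format check is a deliberately cheap framing check (matching PEM header/footer and base64 body), which is enough to catch a truncated or binary-corrupted file but does not validate the key's contents.

```python
import re

# Constructed sample: the sshd_config from the post as it looks BEFORE the
# DSA HostKey line has been commented out.
SAMPLE_SSHD_CONFIG = """Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
Protocol 2
HostKey /nsconfig/ssh/ssh_host_rsa_key
HostKey /nsconfig/ssh/ssh_host_dsa_key
"""

# An active (uncommented) HostKey directive and its path.
HOSTKEY_RE = re.compile(r"^\s*HostKey\s+(\S+)", re.IGNORECASE)

# PEM framings sshd host keys are commonly stored in.
KEY_HEADERS = (
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def active_hostkeys(config_text):
    """Return the HostKey paths sshd would actually try to load (commented lines are skipped)."""
    return [m.group(1) for m in map(HOSTKEY_RE.match, config_text.splitlines()) if m]


def disable_dsa_hostkey(config_text):
    """Return the config with every active HostKey line that points at a DSA key commented out.

    The transform is idempotent: lines that are already commented are left alone.
    """
    out = []
    for line in config_text.splitlines():
        m = HOSTKEY_RE.match(line)
        if m and "dsa" in m.group(1).lower():
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def host_key_looks_well_formed(key_text):
    """Cheap sanity check for the 'invalid format' symptom.

    Accepts a PEM-framed key whose footer matches its header and whose body is
    base64. Encrypted legacy PEM files carrying 'Proc-Type:' header fields are
    not handled and will be reported as malformed (assumption of this example).
    """
    lines = [l.strip() for l in key_text.strip().splitlines() if l.strip()]
    if len(lines) < 3:
        return False
    header, footer = lines[0], lines[-1]
    if header not in KEY_HEADERS or footer != header.replace("BEGIN", "END"):
        return False
    body = "".join(lines[1:-1])
    return re.fullmatch(r"[A-Za-z0-9+/=]+", body) is not None


if __name__ == "__main__":
    print("active host keys:", active_hostkeys(SAMPLE_SSHD_CONFIG))
    fixed = disable_dsa_hostkey(SAMPLE_SSHD_CONFIG)
    print("after disabling DSA:", active_hostkeys(fixed))
    print(fixed)
```

To use this on an appliance, feed it the contents of /nsconfig/ssh/ssh_host_dsa_key and /etc/sshd_config; if the key fails the framing check, regenerate it (first solution), otherwise write the output of `disable_dsa_hostkey` back and reload sshd as shown above (second solution).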

Citrix Hypervisor 7.1 CU2 “This host does not appear to have any network interfaces” during fresh install of XenServer 7.1

During the installation of XS 7.1 CU2 the NIC driver is not installed / does not work.

Installed CH 8.1 and the driver installed out of the box with no issues.

Error Message: “This host does not appear to have any network interfaces. If interfaces are present you may need to load a device driver on the previous screen for them to be detected.”

Integrated NIC 1: QLogic 2x1GE+2x10GE QL41264HMCU CNA

NIC Slot 7: QLogic 10GE 2P QL41112HxCU-DE Adapter

Error “No Apps available at this time” on workspace for iOS app after upgrading to ADC 13.0 build 52.24

Version 13.0 build 52.24 does not set the pwcount cookie in the response to the /vpn/index.html request, as shown below.

HTTP/1.1 200 OK
Date: Fri, 08 May 2020 05:19:10 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 08 May 2020 04:56:44 GMT
Accept-Ranges: bytes
Content-Length: 3674
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Set-Cookie: pwcount=0;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Cache-Control: no-cache
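The Set-Cookie header in that response carries an expires attribute dated 1999, and an Expires value in the past is the standard way a server tells a client to delete a cookie, so a client processing this response ends up without pwcount. The following added example (not Citrix code, and not from the post) parses a raw HTTP response and reports, per cookie, whether the client will keep it, which is a quick way to confirm this symptom from a capture. The sample response is constructed from the headers above, trimmed to the ones that matter; the date parser follows the RFC 6265 cookie-date token rules closely enough for the Netscape and RFC 1123 formats, and the response's own Date header is used as "now" so the result is reproducible.

```python
import re
from datetime import datetime, timezone

# Constructed from the response shown in the post (only the relevant headers kept).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 08 May 2020 05:19:10 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: pwcount=0;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}

# Matches both "09-Nov-1999 23:12:40" (Netscape) and "08 May 2020 05:19:10" (RFC 1123);
# the weekday prefix and trailing "GMT" are ignored, as RFC 6265 parsers do.
COOKIE_DATE_RE = re.compile(r"(\d{1,2})[ -]([A-Za-z]{3})[ -](\d{2,4})\s+(\d{1,2}):(\d{2}):(\d{2})")


def parse_cookie_date(value):
    """Parse a cookie/HTTP date into an aware UTC datetime, or None if unparseable."""
    m = COOKIE_DATE_RE.search(value)
    if not m:
        return None
    day, mon, year, hh, mm, ss = m.groups()
    year = int(year)
    if year < 100:  # RFC 6265 two-digit year rule
        year += 2000 if year < 70 else 1900
    return datetime(year, MONTHS[mon.lower()], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def parse_headers(raw):
    """Split a raw response into (status line, [(lower-cased name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, val = line.partition(":")
        headers.append((name.strip().lower(), val.strip()))
    return status, headers


def parse_set_cookie(value):
    """Return (name, value, {attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def cookie_audit(raw):
    """Map each cookie name to 'expired-on-arrival', 'session' or 'persistent'.

    Max-Age takes precedence over Expires (RFC 6265); a non-positive Max-Age or an
    Expires at or before the response's Date header means the client discards it.
    """
    _, headers = parse_headers(raw)
    date_hdr = dict(headers).get("date")
    now = parse_cookie_date(date_hdr) if date_hdr else datetime.now(timezone.utc)
    verdicts = {}
    for name, val in headers:
        if name != "set-cookie":
            continue
        cname, _, attrs = parse_set_cookie(val)
        if "max-age" in attrs:
            verdicts[cname] = "expired-on-arrival" if int(attrs["max-age"]) <= 0 else "persistent"
            continue
        exp = parse_cookie_date(attrs["expires"]) if "expires" in attrs else None
        if exp is None:
            verdicts[cname] = "session"
        elif exp <= now:
            verdicts[cname] = "expired-on-arrival"
        else:
            verdicts[cname] = "persistent"
    return verdicts


if __name__ == "__main__":
    for cookie, verdict in cookie_audit(SAMPLE_RESPONSE).items():
        print(f"{cookie}: {verdict}")
```

Run against a saved response (for example one exported from a proxy or browser developer tools), any cookie reported as expired-on-arrival is one the client will never present on the next request, which is exactly what the iOS Workspace app appears to hit here.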

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software IPv6 DNS Denial of Service Vulnerability

A vulnerability in DNS over IPv6 packet processing for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper length validation of a field in an IPv6 DNS packet. An attacker could exploit this vulnerability by sending a crafted DNS query over IPv6 that traverses the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. This vulnerability affects DNS over IPv6 traffic only.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k

This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 12 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3191

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Denial of Service Vulnerability

A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handler of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust memory resources on the affected device, leading to a denial of service (DoS) condition.

The vulnerability is due to improper resource management for inbound SSL/TLS connections. An attacker could exploit this vulnerability by establishing multiple SSL/TLS connections with specific conditions to the affected device. A successful exploit could allow the attacker to exhaust the memory on the affected device, causing the device to stop accepting new SSL/TLS connections and resulting in a DoS condition for services on the device that process SSL/TLS traffic. Manual intervention is required to recover an affected device.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN

This advisory is part of the May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 12 Cisco Security Advisories that describe 12 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: May 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3196

Cisco IOS XR Software IPsec Packet Processor Denial of Service Vulnerability

A vulnerability in the IPsec packet processor of Cisco IOS XR Software could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition for IPsec sessions to an affected device.

The vulnerability is due to improper handling of packets by the IPsec packet processor. An attacker could exploit this vulnerability by sending malicious ICMP error messages to an affected device that get punted to the IPsec packet processor. A successful exploit could allow the attacker to deplete IPsec memory, resulting in all future IPsec packets to an affected device being dropped by the device. Manual intervention is required to recover from this situation.

Cisco has released software updates that address the vulnerability described in this advisory. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ipsec-dos-q8UPX6m

Security Impact Rating: Medium

CVE: CVE-2020-3190

Can the management centre send a Radius “AVP” to the Radius server?

I need a solution

Hi;

Can the management centre send a Radius attribute “AVP” to the Radius server? I mean in the Radius Authentication Request? Ideally, I would like the Management Centre to send the IP address of the user device supplying the username and password on the Management Centre's login page, which in turn will be sent to the Radius server.

So ideally, the MC should send the following to the Radius server:  “username+password+the IP address of the device of the user trying to authenticate”.

Kindly

Wasfi
