Really need advice

Hi Guys,


I've been tasked with a right ball ache of a task at work.  Basically they've got a security device that scans and checks for vulnerabilities on all devices in our network.  We've got well over 500 devices in our network, and this has highlighted like 20 vulnerabilities for each device (so I've got a huge document of problems to fix).  For example, on one of the devices, the vulnerabilities are listed below.  I really have no idea how to suggest a fix for every vulnerability for every device.  Since most of the devices are Cisco routers that are running 12.4T, we could just upgrade to 15.x and cross our fingers; however, we don't have a maintenance contract, so we would have to purchase them.  And they won't purchase them unless I've said it will fix all these problems.  So I'm stuck with what I can do... Any suggestions?




Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities (cisco-sa-20100324-sip)
Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability (cisco-sa-20100324-ldp)
Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability (cisco-sa-20100324-sccp)
Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability (cisco-sa-20100324-tcp)
Cisco IOS Software Tunnels Vulnerability (cisco-sa-20090923-tunnels)
Cisco Unified Communications Manager Express Denial of Service Vulnerabilities (cisco-sa-20100324-cucme)
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities (cisco-sa-20100922-sip)
Cisco IOS Software Multicast Source Discovery Protocol Vulnerability (cisco-sa-20120328-msdp)
Cisco IOS DNS Cache Poisoning Vulnerability (cisco-sa-20080708-dns)
Cisco IOS Software Data-Link Switching Vulnerability (cisco-sa-20110928-dlsw)
Cisco IOS Software Network Address Translation Vulnerabilities (cisco-sa-20100922-nat)
Cisco IOS SSL VPN Memory Leak Denial of Service Vulnerability (cisco-sa-20100922-sslvpn)
Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability (cisco-sa-20090923-tls)
Cisco IOS Software H.323 Denial of Service Vulnerability (cisco-sa-20090923-h323)
Cisco IOS cTCP Denial of Service Vulnerability (cisco-sa-20090325-ctcp)
Cisco IOS Software WebVPN and SSLVPN Vulnerabilities (cisco-sa-20090325-webvpn)
Cisco IOS Software Multiple Features IP Sockets Vulnerability (cisco-sa-20090325-ip)
Cisco IOS IPS Denial of Service Vulnerability (cisco-sa-20080924-iosips)
Cisco IOS Software Firewall Application Inspection Control Vulnerability
Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability (cisco-sa-20090325-ud)
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (cisco-sa-20090325-sip)
Cisco IOS Software Authentication Proxy Vulnerability (cisco-sa-20090923-auth-proxy)
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (cisco-sa-20090923-sip)
Cisco IOS Software TCP State Manipulation Denial of Service Vulnerabilities (cisco-sa-20090908-tcp24)
Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities (cisco-sa-20090325-mobileip)
Cisco IOS Software Secure Copy Privilege Escalation Vulnerability (cisco-sa-20090325-scp)

Comments

  • I am not certain, but I believe you can get some security-related IOS upgrades without a SMARTnet contract. It's probably worth a call to TAC just to see.

  • fc2462fc2462 ✭✭

    It looks like your scan just highlighted all of the PSIRT vulnerabilities based on a particular IOS version.

    If there is no money in the budget to purchase smartnet or software upgrades, then my recommendation is to simply disable as many features as possible.  For example, if a router is not functioning as a voice gateway and SIP features are not enabled, then the vulnerability does not apply.  You may be able to abate 90% of your list by simply showing that the feature or protocol relating to the vulnerability is not enabled.

    Frank

  • I agree, you can download software because of IOS security advisories, you do not need a SMARTnet contract for that.

    Just make sure you lab that upgrade. There are many differences between 12.4 and 15.x, you may end up wishing you had a SMARTNet contract in the end... 

  • When I go through security vulnerabilities, I check which ones affect my network.  For example your first vulnerability lists SIP.  If there is no SIP on your network, it shouldn’t concern you.  I’ve been able to avoid upgrades by paying attention to what the vulnerability is affecting. 

    On the Cisco web site, under the security vulnerability, they list the IOS that will fix the problem, if there is one.  Sometimes there are other workarounds.  You need to look up the security vulnerability on Cisco and it will give you more information about what to do.  You should probably make a spreadsheet and list your devices, list the vulnerabilities that affect you, and the IOS range that will fix them.  I'm sure you will find that a few IOSs will fix most of them.  It's best practice to have as few IOSs across your network as you can, ideally all the same IOS if possible.

    Just  a couple ideas.  Hope that helps.

    Ken

    From: [email protected] [mailto:[email protected]] On Behalf Of sg4rb0
    Sent: Tuesday, July 29, 2014 6:23 AM
    To: Hagen, Ken
    Subject: [CCIE R&S] Really need advice
    Ken Hagen
    CCIE #56460
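The triage Frank and Ken describe (check whether the affected feature is configured before treating a finding as real, then tabulate the fixed release per device) as an added example; this is not code from anyone in the thread. The feature-indicator patterns and the `FIXED-REL-*` strings are constructed placeholders, and the running-config excerpt is made up; the Vulnerable Products and Fixed Software sections of each real advisory are the authority for both.

```python
"""Triage scanner findings against each device's running-config, as Frank and
Ken describe: an advisory only needs a fix where the affected feature is
configured. The feature patterns and fixed-release strings below are
constructed placeholders; check the real advisory's Vulnerable Products text."""
import re

# advisory id -> (config patterns that show the feature is enabled,
#                 placeholder value for the "first fixed release" column)
ADVISORIES = {
    "cisco-sa-20100324-sip":  ([r"^sip-ua", r"^dial-peer voice \d+ voip"], "FIXED-REL-A"),
    "cisco-sa-20120328-msdp": ([r"^ip msdp peer"], "FIXED-REL-B"),
    "cisco-sa-20110928-dlsw": ([r"^dlsw local-peer"], "FIXED-REL-C"),
    "cisco-sa-20100922-nat":  ([r"^[ \t]*ip nat (inside|outside)"], "FIXED-REL-B"),
}

def feature_enabled(config, patterns):
    """True if any indicator pattern matches a line of the running-config."""
    return any(re.search(p, config, re.MULTILINE) for p in patterns)

def triage(hostname, config, findings):
    """One spreadsheet row per scanner finding: applicable, not applicable, or review."""
    rows = []
    for adv in findings:
        if adv not in ADVISORIES:
            status, action = "review", "advisory not in mapping; check it by hand"
        elif feature_enabled(config, ADVISORIES[adv][0]):
            status, action = "applicable", f"upgrade to {ADVISORIES[adv][1]} or apply workaround"
        else:
            status, action = "not applicable", "feature not configured; record as scanner exception"
        rows.append({"device": hostname, "advisory": adv, "status": status, "action": action})
    return rows

def releases_needed(rows):
    """Distinct fixed releases that together cover every applicable finding."""
    return sorted({ADVISORIES[r["advisory"]][1] for r in rows if r["status"] == "applicable"})

# Constructed running-config excerpt: NAT and MSDP on, no SIP or DLSw.
SAMPLE_CONFIG = """\
ip msdp peer 192.0.2.10
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
"""
SAMPLE_FINDINGS = list(ADVISORIES) + ["cisco-sa-20100324-tcp"]

if __name__ == "__main__":
    for r in triage("edge-rtr-01", SAMPLE_CONFIG, SAMPLE_FINDINGS):
        print(r["advisory"], r["status"], "-", r["action"])
```

Run it once per device with the real `show running-config` output and the scanner's finding list for that device; the rows are the spreadsheet Ken suggests, and `releases_needed` gives the short list of upgrade targets to put in front of management.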

  • peetypeety ✭✭✭

    You're not stuck with what you can do, you're stuck with what you know to do.

    As others have mentioned, you can get fixed software (same feature set, and "just new enough" to resolve the issues above) for free.  I've also heard that software is "freely available" once a product goes EOL, but haven't confirmed that.

    Also, you can cross-reference each of these vulnerabilities to see what code version(s) contain the fixes.  You could show management the PSIRT reports (or a summary thereof) showing that the vulnerabilities are fixed in version <blah>, so yes, you really could get them to purchase the software with some proper research.

    Good luck!

  • Agree with everyone here; I had to go through one of these recently. Just go through everything in the list one by one: do I use MSDP? Am I running IOS firewall? etc., then adjust the scanner to completely ignore those ones in future scans.

  • Upgrade it then stop scanning it.

    Thx
    DSU

  • Thanks for your help guys. Well, I am officially 15 devices down, 2530 to go.  Oh how I am enjoying this project.  I need my CCIE so I never have to do this shit again.

  • peetypeety ✭✭✭

    90% of what I do at work is software upgrades (although to be technical, lately 80% of that is writing scripts to make them happen automatically).

  • The solution is to get a job someplace that never upgrades hardware, and fears software upgrades and puts them off as long as technically possible.  It cuts way down on hassles like being proactive, plus it allows you to enjoy what I've come to refer to as "reload roulette".  *Then* you never have to deal with that kind of thing again.
