I received an email from ISS Xforce detailing a vulnerability with PIX vers 6.2.2 with TCP SYN packet Denial of Service if SSH or telnet is enabled. They recommend upgrading to 188.8.131.52, which they say is available on the Cisco TAC website. I have looked on the software downloads under the TAC and don't see a reference to that OS. Is this really a vulnerability with the PIX, and if so, is there another location that we can download the corrected OS?
That code version is an interim release, not available on CCO. To get it you'll have to open a TAC case and request someone send it to you.
I would get some more information from ISS regarding this vulnerability also and ask the TAC about it. All our security advisories are listed here (http://www.cisco.com/warp/public/707/advisory.html), I don't see one detailing what ISS is talking about.
You should not allow Telnet or SSH from the outside anyway, so unless you've done that you'll be safe (from outside attacks anyway) assuming this is a valid vulnerability.
Actually, it implies all interfaces that SSH or telnet is enabled on. In the workaround section of the actual bugtraq post it suggests "Filter inbound SSH and telnet traffic targeted to the PIX external subnet address and interface address on the upstream router." The actual test appears to have been against the internal interface, but with the above statement I'm guessing that they are saying the external interface is vulnerable as well. I'm still waiting to hear from Cisco about whether they have a Bug ID for this or not.