[nsp-sec] Looking for a PoC at AS10439 - CariNet, Inc.

Dario Ciccarone dciccaro at cisco.com
Wed Jul 8 12:43:20 EDT 2015


Folks:

    Hi there. Dario Ciccarone from the Cisco PSIRT here.

    Starting today, 07/08/2015 on or about 02:00 AM EDT, our Cisco TAC
has been receiving a constant flux of cases about Cisco ASA firewalls
crashing and rebooting. As of 12:30 PM EDT, we have about 80 cases -
most of them opened within eight hours, and minutes apart - affecting
hundreds of devices across different customers.

    The culprit, based on analysis of the memory dumps on crashed ASAs,
seems to be UDP traffic that triggers the vulnerability documented
through Cisco bug ID CSCul36176 - which was disclosed through a Cisco
Security Advisory on October/2014 -
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

    Based on analysis of the crash information, the traffic seems to be
coming from address 71.6.142.125 - allocated to CariNet, Inc.

   
http://whois.arin.net/rest/nets;q=71.6.142.125?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2

    We completely understand this could be spoofed - however, we would
like to reach out to CariNet, see if they have any knowledge of this
activity.

    Thanks in advance,
    Dario
