[nsp-sec] Looking for a PoC at AS10439 - CariNet, Inc. - TLP:AMBER

Dario Ciccarone dciccaro at cisco.com
Thu Jul 9 08:46:48 EDT 2015


Sorry about the delay, Nick - we were busy talking to the relevant
parties, updating our advisory, updating TAC . . .

TLP:AMBER - the fact the devices were crashing would be TLP:GREEN, but
the fact the source of the traffic was AS10439 is TLP:AMBER

Will remember to tag future messages - thanks for bringing it up.

Dario

On 7/8/15 5:31 PM, Nick Hilliard wrote:
> Dario, what's the TLP level on this?
>
> Nick
>
> On 08/07/2015 17:43, Dario Ciccarone wrote:
>> ----------- nsp-security Confidential --------
>>
>>
>>
>> Folks:
>>
>>     Hi there. Dario Ciccarone from the Cisco PSIRT here.
>>
>>     Starting today, 07/08/2015 on or about 02:00 AM EDT, our Cisco TAC
>> has been receiving a constant flux of cases, about Cisco ASA firewalls
>> crashing and rebooting. As of 12:30 PM EDT, we have about 80 cases -
>> most of them opened within eight hours, and minutes apart - affecting
>> hundreds of devices across different customers.
>>
>>     The culprit, based on analysis of the memory dumps on crashed ASAs,
>> seems to be UDP traffic that triggers the vulnerability documented
>> through Cisco bug ID CSCul36176 - which was disclosed through a Cisco
>> Security Advisory on October/2014 -
>> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
>>
>>     Based on analysis of the crash information, the traffic seems to be
>> coming from address 71.6.142.125 - allocated to CariNet, Inc.
>>
>>    
>> http://whois.arin.net/rest/nets;q=71.6.142.125?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
>>
>>     We completely understand this could be spoofed - however, we would
>> like to reach out to CariNet, see if they have any knowledge of this
>> activity.
>>
>>     Thanks in advance,
>>     Dario
>>
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>



