Two different things
In a recent development of interest to IT security professionals and malicious actors alike, Cisco disclosed multiple serious security vulnerabilities in their Security Manager, which integrates with several of their product lines, including Cisco ASA and Cisco Firepower. The full list is available on the GitHub Gist of the engineer responsible for discovering them.
While the noteworthy risks CVE-2020-27125 and CVE-2020-27130 have already been patched in v4.22 of the Cisco Security Manager, CVE-2020-27131 is reportedly yet to be resolved, according to Help Net Security.
While knowing about these vulnerabilities is one thing, identifying them in your environment and determining the best mitigation strategy is another. Genian NAC is here to help.
In this walkthrough, we will group impacted nodes together, build an enforcement policy to restrict the nodes' network access if desired, and apply a tag to all patched nodes.
Create a Tag
First, we will create a tag called “Cisco-Patched”, that will later be applied to nodes that we have confirmed as no longer vulnerable. Navigate to Preferences > Tag and use the Tasks menu to Create a new tag.
Create a Node Group
Next, we will create a node group to gather all nodes running Cisco Software. Collecting this information will require installation of the Genians Agent, and configuration of the “Collect Software Information” plugin for Mac or Windows.
Configure the node group as shown, under Policy > Group > Tasks > Create.
You can create separate groups for specific Cisco Software or use one catch-all group as shown. Note the condition to exclude nodes that we have tagged as patched for this vulnerability.
Create an Enforcement Policy
Next, create an Enforcement Policy linked with this group by navigating to Policy > Enforcement Policy > Tasks > Create. If you want, you can configure a permission to limit network access for these nodes. In this example, we will use the “Perm-Internet” permission, which only allows traffic destined for network locations outside of the device's network, where a Genians sensor is not deployed.
With detecting and securing the vulnerable nodes out of the way, you can now focus on your remediation efforts.
Upon updating the software to a secure version, you can exclude nodes by applying the patched tag we created, or you can edit the conditions of the group to exclude specific software versions.
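To make the group condition concrete, the following is a small Python model of the membership test described above (added here as an example; it is not Genian NAC code, and the node records and version strings are constructed): any node running Cisco software is a member, nodes tagged Cisco-Patched are excluded, and the optional version exclusion from the last step drops nodes whose Cisco Security Manager is already at v4.22 or later.

```python
"""Model of the 'Cisco software' node-group condition (constructed example)."""
import re
from dataclasses import dataclass, field

PATCHED_TAG = "Cisco-Patched"            # tag created under Preferences > Tag
CSM_NAME = "Cisco Security Manager"       # software name as reported by the agent
PATCHED_VERSION = (4, 22)                 # CSM release that fixes CVE-2020-27125/-27130


def parse_version(text: str) -> tuple:
    """'4.22.0' -> (4, 22, 0); trailing labels are ignored, so '4.21 SP1' -> (4, 21)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in match.group(1).split(".")) if match else ()


@dataclass
class Node:
    name: str
    software: dict                        # {software name: version} from the software plugin
    tags: set = field(default_factory=set)


def mark_patched(node: Node) -> None:
    """Apply the Cisco-Patched tag once the node has been confirmed updated."""
    node.tags.add(PATCHED_TAG)


def in_vulnerable_group(node: Node, exclude_patched_versions: bool = False) -> bool:
    """Catch-all group: runs any Cisco software and is not tagged as patched.

    With exclude_patched_versions=True the group condition is narrowed so that a
    CSM install at or above v4.22 no longer counts (the alternative to tagging).
    """
    if PATCHED_TAG in node.tags:
        return False
    cisco = {n: v for n, v in node.software.items() if n.lower().startswith("cisco")}
    if exclude_patched_versions and CSM_NAME in cisco:
        if parse_version(cisco[CSM_NAME]) >= PATCHED_VERSION:
            del cisco[CSM_NAME]
    return bool(cisco)


def group_members(nodes: list, exclude_patched_versions: bool = False) -> list:
    """Names of nodes the enforcement policy would apply to, in inventory order."""
    return [n.name for n in nodes if in_vulnerable_group(n, exclude_patched_versions)]
```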