[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

2012-10-10 Thread Cisco Systems Product Security Incident Response Team

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20121010-asa

Revision 1.0

For Public Release 2012 October 10 16:00 UTC (GMT)
--------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco
Catalyst 6500 Series ASA Services Module (ASASM) may be affected by
the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the
others.

Successful exploitation of any of these vulnerabilities could allow an
unauthenticated remote attacker to trigger a reload of the affected
device. Exploitation of the DCERPC Inspection Buffer Overflow
Vulnerability could additionally cause a stack overflow and possibly
the execution of arbitrary commands.

Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of these
vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and
Cisco 7600 Series (FWSM) may be affected by some of the
vulnerabilities listed above. A separate Cisco Security Advisory has
been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware
Security are not affected by any of these vulnerabilities.


[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

2012-03-14 Thread Cisco Systems Product Security Incident Response Team

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20120314-asa

Revision 1.0

For Public Release 2012 March 14 16:00 UTC (GMT)
+-------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco
Catalyst 6500 Series ASA Services Module (ASASM) are affected by the
following vulnerabilities:

  * Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
  * Cisco ASA Threat Detection Denial of Service Vulnerability
  * Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
  * Protocol-Independent Multicast Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the
others.

Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate some of the
vulnerabilities. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: The Cisco Catalyst 6500 Series Firewall Services Module (FWSM)
may be affected by some of the vulnerabilities above. A separate Cisco
Security Advisory has been published to disclose the vulnerabilities
that affect the Cisco FWSM.

The FWSM advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple
vulnerabilities. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability. Consult the Software
Versions and Fixes section of this security advisory for more
information about the affected version.

Cisco PIX Security Appliances may be affected by some of the
vulnerabilities described in this security advisory. Cisco PIX has
reached end of maintenance support. Cisco PIX Security Appliance
customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive
Security Appliances. Consult the dedicated section for Cisco PIX
Security Appliances in the Vulnerable Products section of this
security advisory for more information about affected versions.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and
Fixes section of this advisory.


Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------

The Cisco ASA UDP inspection engine that is used to inspect UDP-based
protocols contains a vulnerability that could allow a remote
unauthenticated attacker to trigger a reload of the Cisco ASA.

All UDP protocols that are being inspected by the Cisco ASA UDP
inspection engine may be vulnerable. The following protocols are known
to use the Cisco ASA UDP inspection engine:

  * Domain Name System (DNS)
  * Session Initiation Protocol (SIP)
  * Simple Network Management Protocol (SNMP)
  * GPRS Tunneling Protocol (GTP)
  * H.323, H.225 RAS
  * Media Gateway Control Protocol (MGCP)
  * SunRPC
  * Trivial File Transfer Protocol (TFTP)
  * X Display Manager Control Protocol (XDMCP)
  * IBM NetBIOS
  * Instant Messaging (depending on the particular IM client/solution
being used)

Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.

The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html

Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands. Any instance of use of
the Cisco ASA UDP inspection engines may be vulnerable to this
vulnerability, thus, configurations that include non-default UDP ports
but use the Cisco ASA UDP inspection engine are considered vulnerable.

To determine whether any of the above inspections are enabled, issue
the show service-policy | include <inspection engine name> command and
confirm that the command returns output. The following example shows a
Cisco ASA configured to inspect IBM NetBIOS traffic:

ciscoasa# show service-policy | include netbios
  Inspect: netbios, packet 0, drop 0, reset-drop 0


Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------

The Cisco ASA Threat Detection feature, when configured with the
Scanning Threat Mode feature and with shun option enabled, contains a
vulnerability that could allow a remote unauthenticated attacker to
trigger a reload of the Cisco ASA. This feature is not enabled by
default.

To determine whether the Cisco ASA Threat Detection with Scanning
Threat feature and 

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

2011-10-05 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA
Services Module

Advisory ID: cisco-sa-20111005-asa

Revision 1.0

For Public Release 2011 October 05 1600 UTC (GMT)

+-------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple
vulnerabilities as follows:

  * MSN Instant Messenger (IM) Inspection Denial of Service
vulnerability
  * TACACS+ Authentication Bypass vulnerability
  * Four SunRPC Inspection Denial of Service vulnerabilities
  * Internet Locator Service (ILS) Inspection Denial of Service
vulnerability

These vulnerabilities are independent; a release that is affected by
one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this
advisory.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the
TACACS+ authentication bypass vulnerability, SunRPC Inspection denial
of service (DoS) vulnerabilities and ILS inspection DoS
vulnerability. A separate Cisco Security Advisory has been published
to disclose the vulnerabilities that affect the FWSM. This advisory
is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst
6500 Series ASA Services Module are affected by multiple
vulnerabilities. Affected versions of Cisco ASA Software will vary
depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and
Fixes section of this advisory.

MSN IM Inspection Denial of Service Vulnerability
+------------------------------------------------

The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive
Security Appliances is affected by a DoS vulnerability.

MSN IM inspection is not enabled by default.

To enable MSN IM inspection and specify actions when a message
violates a parameter, create an IM inspection policy map. You can
then apply the inspection policy map when you enable IM inspection,
as shown in the following example:

policy-map type inspect im MY-MSN-INSPECT
 parameters
 match protocol msn-im
  log
!
policy-map global_policy
 class inspection_default
  inspect im MY-MSN-INSPECT

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances.

In order to enable TACACS+ for authentication, authorization, or
accounting (AAA), you must first create at least one AAA server group
per AAA protocol and add one or more servers to each group with the
aaa-server command. You identify AAA server groups by name. The
following example shows how an AAA server group is configured for TACACS+
authentication:

aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 203.0.113.11

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

Four DoS vulnerabilities affect the SunRPC inspection feature of
Cisco ASA 5500 Series Adaptive Security Appliances.

SunRPC inspection is enabled by default.

To check if SunRPC inspection is enabled, issue the show service-policy
| include sunrpc command and confirm that output, such as what is
displayed in the following example, is returned.

ciscoasa# show service-policy | include sunrpc
  Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc 
  ...
!
service-policy global_policy global

ILS Inspection Denial of Service Vulnerability
+---------------------------------------------

A DoS vulnerability affects the ILS inspection feature of Cisco ASA
5500 Series Adaptive Security Appliances.

ILS inspection is not enabled by default.

To check if ILS inspection is enabled, issue the show service-policy |
include ils command and confirm that output, such as what is displayed
in the following example, is returned.

ciscoasa# show service-policy | include ils
  Inspect: ils, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable ILS
inspection in the Cisco ASA.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class 

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

2011-02-23 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances

Advisory ID: cisco-sa-20110223-asa

Revision 1.0

For Public Release 2011 February 23 1600 UTC (GMT)

+-------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * Transparent Firewall Packet Buffer Exhaustion Vulnerability
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
  * Routing Information Protocol (RIP) Denial of Service
Vulnerability
  * Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by
one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected
by one of these vulnerabilities. A separate Cisco Security
Advisory has been published to disclose the vulnerability
that affects the Cisco FWSM. That advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities. Affected versions of Cisco ASA Software
vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and
Fixes section of this advisory.

Transparent Firewall Packet Buffer Exhaustion Vulnerability
+----------------------------------------------------------

A packet buffer exhaustion vulnerability affects multiple versions of
Cisco ASA Software when a security appliance is configured to operate in
the transparent firewall mode. Transparent firewall mode is enabled on
the appliance if the command firewall transparent is present in the
configuration. The default firewall mode is routed, not transparent.
The show firewall command can also be used to determine the firewall
operation mode:

ciscoasa# show firewall
Firewall mode: Transparent

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

A denial of service vulnerability affects the SCCP inspection feature
of Cisco ASA 5500 Series Adaptive Security Appliances.

Administrators can determine if SCCP inspection is enabled by issuing
the show service-policy | include skinny command and confirming that
output, such as what is displayed in the following example, is returned.

ciscoasa# show service-policy | include skinny
  Inspect: skinny, packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect skinny
  ...
!
service-policy global_policy global

Note: The service policy could also be applied to a specific
interface instead of globally, which is displayed in the previous
example.

SCCP inspection is enabled by default.

RIP Denial of Service Vulnerability
+----------------------------------

A denial of service vulnerability affects the RIP implementation in
Cisco ASA 5500 Series Adaptive Security Appliances when both RIP and
the Cisco Phone Proxy feature are enabled on the same device. The
following example displays an affected configuration (Cisco ASA
Software version 8.0 and 8.1):

router rip
 ...
!
phone-proxy <instance name>
 media-termination address <IP address>
 ...
 Rest of phone proxy feature configuration

Or (Cisco ASA Software version 8.2 and later):

router rip
 ...
!
media-termination <instance name>
 address <IP address>
!
Rest of phone proxy feature configuration

A security appliance is vulnerable if it is processing RIP messages
(router rip) and if a global media termination address is configured
for the Cisco Phone Proxy feature (refer to previous example). Note
that Cisco ASA Software versions 8.0 and 8.1 only allow a global
media termination address. However, in Cisco ASA Software version 8.2
and later, it is possible to tie a media termination address to an
interface. This configuration, which is accomplished by issuing the
command address <IP address> interface <interface name> in media
termination configuration mode, is not affected.

Neither RIP nor the Cisco Phone Proxy feature is enabled by default.

Unauthorized File System Access Vulnerability
+--------------------------------------------

An unauthorized file system access vulnerability affects Cisco ASA
5500 Series Adaptive Security Appliances when a security appliance is
configured as a local 

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

2010-08-04 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100804-asa

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Revision 1.0

For Public Release 2010 August 04 1600 UTC (GMT)

+-------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities as follows:

  * Three SunRPC Inspection Denial of Service Vulnerabilities
  * Three Transport Layer Security (TLS) Denial of Service
Vulnerabilities
  * Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability

These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.

There are workarounds for some of the vulnerabilities disclosed in
this advisory.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected by the
SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has
been published to disclose the vulnerabilities that affect the FWSM.
This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities. Affected versions of Cisco ASA Software
will vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and
Fixes section of this advisory.

SunRPC Inspection Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three denial of service (DoS) vulnerabilities affect the SunRPC
inspection feature of Cisco ASA 5500 Series Adaptive Security
Appliances. A successful attack may result in a sustained DoS
condition.

Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC
inspection is enabled by default.

To check if SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that output, such
as what is displayed in the following example, is returned.

ciscoasa# show service-policy | include sunrpc
  Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc 
  ...
!
service-policy global_policy global

Transport Layer Security (TLS) Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three DoS vulnerabilities exist in the Cisco ASA security appliances
that can be triggered by a series of crafted TLS packets. A
successful attack may result in a sustained DoS condition. Versions
7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of
these vulnerabilities. A Cisco ASA device configured for any of the
following features is affected:

  * Secure Socket Layer Virtual Private Network (SSL VPN)
  * When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access when using HTTPS

SSL VPN (or WebVPN) is enabled with the enable <interface name>
command in webvpn configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of an SSL VPN
configuration.

webvpn
 enable outside
...

ASDM access is affected by three of these vulnerabilities. To use
ASDM, the HTTPS server must be enabled to allow HTTPS connections to
the Cisco ASA. The server can be enabled using the http server enable
[port] command. The default port is 443. To specify hosts that can
access the HTTP server internal to the security appliance, use the 
http command in global configuration mode.

The TLS Proxy for Encrypted Voice Inspection feature is affected by
these vulnerabilities. This feature was introduced in Cisco ASA
version 8.0(2) and is disabled by default.

To determine if the TLS Proxy for Encrypted Voice Inspection feature
is enabled on the device, use the show tls-proxy command, as shown in
the following example:

ciscoasa# show tls-proxy
Maximum number of sessions: 1200

TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3
Server proxy:
Trust-point: local_ccm
Client proxy:
Local dynamic certificate issuer: LOCAL-CA-SERVER
Local dynamic certificate key-pair: phone_common
Cipher suite:  aes128-sha1 aes256-sha1
Run-time proxies:
Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

2010-02-17 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100217-asa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+-------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service
Vulnerability
  * Crafted TCP Segment Denial of Service Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
  * NT LAN Manager version 1 (NTLMv1) Authentication Bypass
Vulnerability

These vulnerabilities are not interdependent; a release that is affected
by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this
advisory.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities. Affected versions of Cisco ASA Software
vary depending on the specific vulnerability. For specific version
information, refer to the Software Versions and Fixes section of this
advisory.

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP
connection exhaustion condition (no new TCP connections are accepted)
that can be triggered through the receipt of specific TCP segments
during the TCP connection termination phase. Appliances that are running
versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they
are configured for any of the following features:

  * SSL VPNs
  * Cisco Adaptive Security Device Manager (ASDM) Administrative
Access
  * Telnet Access
  * SSH Access
  * Virtual Telnet
  * Virtual HTTP
  * Transport Layer Security (TLS) Proxy for Encrypted Voice
Inspection

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Two denial of service (DoS) vulnerabilities affect the SIP inspection
feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions
7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP
inspection is enabled by default.

To check if SIP inspection is enabled, issue the show service-policy |
include sip command and confirm that some output is returned. Sample
output is displayed in the following example:

ciscoasa# show service-policy | include sip
  Inspect: sip , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SIP inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sip
  ...
!
service-policy global_policy global

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

A denial of service vulnerability affects the SCCP inspection feature of
the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x,
8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default.

To check if SCCP inspection is enabled, issue the show service-policy |
include skinny command and confirm that some output is returned. Sample
output is displayed in the following example:

ciscoasa# show service-policy | include skinny
  Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SCCP inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect skinny
  ...
!
service-policy global_policy global

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a
denial of service vulnerability that exists when WebVPN and DTLS are
enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and
8.2.x. Administrators can enable WebVPN with the enable <interface
name> command in webvpn configuration mode. DTLS can be enabled
by issuing the svc dtls enable command in group policy webvpn
configuration mode. The following configuration snippet provides an
example of a WebVPN configuration that enables
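An audit helper, added here as an example and not code from Cisco or from any of these advisories, that applies the checks the advisories describe to saved CLI output: the Inspect: lines of show service-policy for the inspection engines named across the posts, and the running-config features named in the 2010-02, 2011-02 and 2012-03 posts (WebVPN with DTLS, transparent mode, RIP with a global media-termination address, threat detection with shun). All function names and the sample output are constructed; the threat-detection scanning-threat shun syntax is assumed from ASA documentation, since the 2012-03 post is cut off before it shows that command.

```python
"""Audit saved Cisco ASA CLI output for features these advisories tie to
vulnerabilities. Added example, not Cisco code (all names are constructed)."""
import re

# Inspection engines the advisories say to check with
# 'show service-policy | include <engine>', keyed by the name ASA prints.
ADVISORY_INSPECTIONS = {
    "sunrpc": "SunRPC inspection DoS (cisco-sa-20100804-asa, cisco-sa-20111005-asa)",
    "sip": "SIP inspection DoS (cisco-sa-20100217-asa, -20100804-asa, -20121010-asa)",
    "skinny": "SCCP inspection DoS (cisco-sa-20100217-asa, cisco-sa-20110223-asa)",
    "im": "MSN IM inspection DoS (cisco-sa-20111005-asa)",
    "ils": "ILS inspection DoS (cisco-sa-20111005-asa)",
    "netbios": "UDP inspection engine DoS (cisco-sa-20120314-asa)",
    "dcerpc": "DCERPC inspection overflow and DoS (cisco-sa-20121010-asa)",
}
# Matches both 'Inspect: sunrpc, packet 0' and 'Inspect: sip , packet 0'.
_INSPECT_RE = re.compile(r"^\s*Inspect:\s*([A-Za-z0-9_-]+)", re.MULTILINE)

def enabled_inspections(service_policy_output):
    """Inspection engine names present in 'show service-policy' output."""
    return set(_INSPECT_RE.findall(service_policy_output))

def config_findings(running_config):
    """Advisory feature combinations found in a running-config. Relies on the
    ASA convention that sub-mode lines are indented under their parent."""
    parent = None
    rip = webvpn = dtls = global_mta = transparent = td_shun = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line.split()[0]
            transparent |= line == "firewall transparent"
            rip |= line == "router rip"
            # Syntax assumed from ASA docs; the 2012-03 post is cut off before showing it.
            td_shun |= line.startswith("threat-detection scanning-threat") and " shun" in line
            continue
        sub = line.strip()
        if parent == "webvpn" and sub.startswith("enable "):
            webvpn = True  # WebVPN enabled on an interface
        elif sub == "svc dtls enable":
            dtls = True  # group-policy webvpn sub-mode
        elif parent == "phone-proxy" and sub.startswith("media-termination address"):
            global_mta = True  # 8.0/8.1 form: only a global address exists
        elif parent == "media-termination" and sub.startswith("address ") and " interface " not in sub:
            global_mta = True  # 8.2+: global unless tied to an interface
    findings = []
    if transparent:
        findings.append("firewall transparent: packet buffer exhaustion (cisco-sa-20110223-asa)")
    if rip and global_mta:
        findings.append("router rip + global media-termination: RIP DoS (cisco-sa-20110223-asa)")
    if webvpn and dtls:
        findings.append("webvpn + svc dtls enable: WebVPN DTLS DoS (cisco-sa-20100217-asa)")
    if td_shun:
        findings.append("threat-detection scanning-threat shun: DoS (cisco-sa-20120314-asa)")
    return findings

def audit(service_policy_output, running_config):
    """Full report: inspection engine hits first, then configuration hits."""
    hits = [f"inspect {n}: {ADVISORY_INSPECTIONS[n]}"
            for n in sorted(enabled_inspections(service_policy_output))
            if n in ADVISORY_INSPECTIONS]
    return hits + config_findings(running_config)

# Constructed sample output, modelled on the examples in the advisories.
SAMPLE_SERVICE_POLICY = """\
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 12, drop 0, reset-drop 0
      Inspect: dns preset_dns_map, packet 4, drop 0, reset-drop 0
"""
SAMPLE_CONFIG = """\
router rip
media-termination mta1
 address 203.0.113.5
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 webvpn
  svc dtls enable
"""
```

Running audit(SAMPLE_SERVICE_POLICY, SAMPLE_CONFIG) on the constructed input reports the sip and sunrpc inspections plus the RIP and WebVPN DTLS configuration hits; the dns inspection is listed but not flagged because no advisory on this page names it.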