-
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and the Cisco Adaptive Security Device Manager (ASDM) do not validate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or Secure Shell (SSH) public keys presented by devices they are configured to connect to. Malicious users may be able to use this lack of certificate or public key validation to impersonate the devices that these affected products connect to, which could then be used to obtain sensitive information or misreport information.
Cisco has made free software available to address this vulnerability for affected customers.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070118-certs.
-
Vulnerable Products
The following products are affected by the vulnerability described in this document:
- Cisco Security Monitoring, Analysis and Response System (CS-MARS)
All CS-MARS versions prior to 4.2.3 are affected.
To verify the version of CS-MARS software, log into CS-MARS web interface using a web browser and go to the "Help" tab located on the top-right corner of the browser window. Then click on the "About" link. The CS-MARS version will be displayed in the center of the browser window under "CS-MARS Information".
Alternatively, it is possible to use an SSH connection or a direct serial console connection to verify the version of the CS-MARS software by logging into the system administration command line interface with the pnadmin account and executing the version command:
shell$ ssh pnadmin@10.0.0.1 pnadmin@10.0.0.1's password: Last login: Mon Jan 8 18:42:45 2007 from 10.0.0.2 CS MARS - Mitigation and Response System ? for list of commands [pnadmin]$ version 4.2.3 (2403)
- Cisco Adaptive Security Device Manager (ASDM)
All ASDM versions prior to 5.2(2.54) are affected when the ASDM Launcher (the stand-alone version of ASDM) is used.
If the ASDM Applet is used, i.e. ASDM is launched via a web browser, then it is the web browser's responsibility to verify the certificates presented by the devices that ASDM connects to. The user can instruct the web browser to save devices' root Certificate Authority certificates so a warning is generated if something changes (this can be used as a workaround - please refer to the Workarounds section for details.)
To verify the version of ASDM software, launch ASDM and look in the "General" tab of the "Device Information" section.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities. - Cisco Security Monitoring, Analysis and Response System (CS-MARS)
-
Some Cisco products connect to different devices for configuration or monitoring purposes. The actual connection method used varies depending on the product, but SSL/TLS and SSH are the most prevalent ones due to their use of strong cryptography to ensure the confidentiality and integrity of the communication.
Two examples of these products include the Cisco Security Monitoring, Analysis and Response System (CS-MARS), a security threat mitigation system that talks to devices such as IPS sensors and firewalls, and the Cisco Adaptive Security Device Manager (ASDM), which provides management and monitoring services for the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances and the Firewall Services Modules for the Cisco Catalyst 6500 Switches and the Cisco 7600 Series Routers.
When these products connect to their managed devices via SSL/TLS or SSH, they do not validate the SSL/TLS certificates or SSH public keys presented by these managed devices.
Because the certificates and public keys presented by devices are not validated, in the event that a certificate or public key has changed, the affected products will not be able to determine whether the device they are communicating with is legitimate, or if it is a device impersonating a legitimate one.
The following Cisco Bug IDs are being used to track these vulnerabilities on the affected products:
- CS-MARS - CSCsf95930 ( registered customers only)
- ASDM - CSCsg78595 ( registered customers only)
-
There are no workarounds for this vulnerability in the case of CS-MARS.
In the particular case of ASDM, using the ASDM Applet, i.e. launching ASDM via a web browser and not via the stand-alone ASDM Launcher, will workaround the vulnerability since the SSL/TLS certificate verification will be performed by the web browser, and in the case that the certificate has changed, the browser will produce a warning. Note that this requires the user to save the root Certificate Authority (CA) certificate as a trusted certificate.
While not a workaround for the affected products, as a security best practice, you should always configure the devices that the affected products connect to so only connections from trusted hosts or networks are accepted. The way to configure this varies depending on the device. Please refer to the documentation of your managed device for details.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
This vulnerability is fixed in version 4.2.3 (2403) of the CS-MARS software. CS-MARS software can be downloaded from the following location:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2
This vulnerability is fixed in version 5.2(2.54) of ASDM. ASDM can be downloaded from the following location:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2
Note: The ASDM versions for the PIX/ASA and the FWSM are different. A fixed version of the ASDM software for the FWSM is forthcoming. This advisory will be updated when a fixed image for the FWSM version of ASDM is available.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Cisco would like to thank Jan Bervar from NIL Data Communications for bringing this to our attention.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2007-January-18
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.