Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
Multiple vulnerabilities are found in Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances. They affect the following:
These vulnerabilities are independent of each other. If a vulnerability affects a device, it does not necessarily mean that the device is affected by all of them.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml.
[Expand all sections] [Collapse all sections]
Affected Products
In addition to the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances, some vulnerabilities also affect Cisco Firewall Services Module (FWSM). More information regarding FWSM can be found in the companion advisory http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml.
Vulnerable Products
The following software releases for Cisco PIX and ASA Security Appliances are affected:
|
Vulnerability Name |
Only affected if... |
Vulnerable by default? |
Versions affected |
Cisco Bug ID |
|---|---|---|---|---|
|
Enhanced inspection of Malformed HTTP traffic |
Enhanced inspection of HTTP traffic is enabled via the command inspect http <appfw> |
No |
Only 7.x software releases prior to 7.0(4.14) and 7.1(2.1) |
CSCsd75794 |
|
Inspection of malformed SIP packets |
SIP inspection is enabled via the command fixup protocol sip, fixup protocol sip udp 5060 or inspect sip |
Yes |
For 6.x software all releases prior to 6.3(5.115), for 7.0.x software all releases prior to 7.0(5.2), and for 7.1.x software all releases prior to 7.1(2.5) |
CSCse27708 and CSCsd97077 |
|
Inspection of a stream of malformed TCP packets |
TCP-based protocol inspection is enabled, for example inspect ftp or inspect http |
Yes |
Only 7.2.2 software release |
CSCsh12711 |
|
Privilege escalation |
If LOCAL method is used for user authentication |
No |
7.2.x software releases prior to 7.2(2.8) |
CSCsh33287 |
In order to determine if you run a vulnerable version of Cisco PIX or ASA software, issue the show version command.
This example shows a Cisco PIX Security Appliance that runs software release 7.1(1):
pixfirewall# show version Cisco PIX Security Appliance Software Version 7.1(1)
This example shows a Cisco ASA Security Appliance that runs software release 7.2(1)18.
ciscoasa# show version Cisco Adaptive Security Appliance Software Version 7.2(1)18 Device Manager Version 5.1(2)
For customers that manage their devices through the PIX Device Manager (PDM) or the Cisco Adaptive Security Device Manager (ASDM), log into the application, and the version can be found either in the table in the login window or in the upper left hand corner of the PDM/ASDM window indicated by a label similar to this: PIX Version 7.1(1)
The relationship between vulnerabilities that affect Cisco PIX and ASA Security Appliances and FWSM is given in the following table:
|
Vulnerability |
PIX/ASA Bug ID |
FWSM Bug ID |
|---|---|---|
|
Enhanced Inspection of Malformed HTTP Traffic May Cause Reload |
||
|
Inspection of Malformed SIP Messages May Cause Reload |
CSCse27708 and CSCsd97077 |
Products Confirmed Not Vulnerable
With the exception of the Cisco FWSM module, no other Cisco products are known to be vulnerable to the issues described in this advisory.
Details
This Security Advisory describes multiple distinct vulnerabilities. They are independent of each other.
Cisco PIX and ASA Security Appliances may crash when inspecting a malformed HTTP request when enhanced HTTP inspection is enabled. If enhanced HTTP application inspection is enabled your configuration will contain a line like "inspect http <appfw>" where <appfw> is the name of a specific HTTP map. Please note that regular HTTP inspection (configured via the command "inspect http" without an HTTP map) is not affected by this vulnerability. This vulnerability affects only 7.x software releases.
For information on what enhanced inspection of HTTP traffic does, and how to configure it, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1431359
This vulnerability is documented in Cisco Bug ID CSCsd75794 (registered customers only).
The inspection of a malformed SIP packet may crash Cisco PIX and ASA appliances. In order to trigger this vulnerability, SIP fixup (for 6.x software) or inspect (for 7.x software) feature must be enabled. SIP fixup (in 6.x and earlier) and SIP inspection (in 7.x and later) are enabled by default.
Note that SIP can use TCP and UDP as transport protocol. When UDP protocol is used, spoofing SIP messages is possible.
This vulnerability is documented in Cisco Bug IDs CSCsd97077 (registered customers only) and CSCse27708 ( registered customers only).
By processing a stream of malformed packet in a TCP-based protocol Cisco PIX and ASA Appliances may crash. Processing of the protocol must be done by inspect feature. The packets can be addressed to the device itself or just transiting it. Cisco PIX and ASA Appliance can inspect the following TCP-based protocols:
This vulnerability is documented in Cisco Bug ID CSCsh12711 (registered customers only).
Using the LOCAL method for user authentication may result in privilege escalation. In order to exploit this vulnerability, a user must be defined in the local database with a privilege of zero and be able to successfully authenticate to the affected device. Only if these conditions are met can the user escalate assigned privileges to level 15 and become an administrator. After that, the user can change every aspect of the configuration and operation of the device.
A device is vulnerable to this issue if these lines are present in the device's configuration:
pixfirewall(config)# aaa authentication enable console LOCAL pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0
This vulnerability is documented in Cisco Bug ID CSCsh33287 (registered customers only).
Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks: http://intellishield.cisco.com/security/alertmanager/cvss.
|
CSCsd75794 - Enhanced inspection of Malformed HTTP traffic can crash device (registered customers only) Calculate the environmental score of CSCsd75794 |
||||||
|---|---|---|---|---|---|---|
|
CVSS Base Score - 3.3 |
||||||
|
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
Impact Bias |
|
Remote |
Low |
Not Required |
None |
None |
Complete |
Normal |
|
Temporal Score - 2.7 |
||||||
|
Exploitability |
Remediation Level |
Report Confidence |
||||
|
Functional |
Official Fix |
Confirmed |
||||
|
CSCse27708 - Traceback when inspecting SIP packets (registered customers only) Calculate the environmental score of CSCse27708 |
||||||
|---|---|---|---|---|---|---|
|
CVSS Base Score - 3.3 |
||||||
|
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
Impact Bias |
|
Remote |
Low |
Not Required |
None |
None |
Complete |
Normal |
|
Temporal Score - 2.7 |
||||||
|
Exploitability |
Remediation Level |
Report Confidence |
||||
|
Functional |
Official Fix |
Confirmed |
||||
|
CSCsd97077 - ASA/PIX Traceback when inspecting SIP packets (registered customers only) Calculate the environmental score of CSCsd97077 |
||||||
|---|---|---|---|---|---|---|
|
CVSS Base Score - 3.3 |
||||||
|
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
Impact Bias |
|
Remote |
Low |
Not Required |
None |
None |
Complete |
Normal |
|
Temporal Score - 2.7 |
||||||
|
Exploitability |
Remediation Level |
Report Confidence |
||||
|
Functional |
Official Fix |
Confirmed |
||||
|
CSCsh12711 - Traceback in TCP Normalizer (registered customers only) Calculate the environmental score of CSCsh12711 |
||||||
|---|---|---|---|---|---|---|
|
CVSS Base Score - 3.3 |
||||||
|
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
Impact Bias |
|
Remote |
Low |
Not Required |
None |
None |
Complete |
Normal |
|
Temporal Score - 2.7 |
||||||
|
Exploitability |
Remediation Level |
Report Confidence |
||||
|
Functional |
Official Fix |
Confirmed |
||||
|
CSCsh33287 - Users with priv 0 can get to level 15 when authen. ena. LOCAL configured (registered customers only) Calculate the environmental score of CSCsh33287 |
||||||
|---|---|---|---|---|---|---|
|
CVSS Base Score - 6 |
||||||
|
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
Impact Bias |
|
Remote |
Low |
Required |
Complete |
Complete |
Complete |
Normal |
|
Temporal Score - 5 |
||||||
|
Exploitability |
Remediation Level |
Report Confidence |
||||
|
Functional |
Official Fix |
Confirmed |
||||
Impact
Successful exploitation of the first three vulnerabilities listed in this Advisory may crash the affected device. Repeated exploitation can result in a sustained DoS attack.
Successful exploitation of CSCsh33287 can result in the escalation of user privileges and complete compromise of the affected Cisco PIX and ASA Appliances.
Top of the section Close Section
Software Version and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
The following list contains the first fixed software release for each vulnerability:
|
Vulnerability |
Cisco Bug ID |
First Fixed Release |
|---|---|---|
|
Enhanced inspection of Malformed HTTP traffic |
CSCsd75794 |
7.0(4.14), 7.0(5), 7.1(2.1), 7.2(1) |
|
Inspection of malformed SIP packets |
CSCse27708 and CSCsd97077 |
6.3(5.115), 7.0(5.2), 7.1(2.5) |
|
Inspection of a stream of malformed TCP packets |
CSCsh12711 |
7.2(2.10) |
|
Privilege escalation |
CSCsh33287 |
7.2(2.10) |
The following software releases contain fixes for all vulnerabilities mentioned in this Security Advisory: 6.3(5.115) (for 6.x releases), 7.0(5.2), 7.1(2.5), 7.2(2.10).
Fixed PIX/ASA 7.x software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 for Cisco PIX Appliance and from http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 for Cisco ASA Appliance.
The latest PIX 6.3.x interim release can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2. The first 6.3.5.x release with the fixes for the vulnerabilities described in this advisory is 6.3(5.115) so 6.3(5.125), which is posted to the previous location, has the fixes as well.
Top of the section Close Section
Workarounds
For vulnerabilities that involve HTTP and SIP protocols, it is possible to apply mitigation techniques. Workarounds are available for the other two vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20070214-firewall.shtml
Disabling HTTP application inspection (appfw) will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue listed in this Advisory. By leaving inspect http statement configured, some level of protection for the end devices (for example, computers protected by Cisco PIX and ASA Appliance) will remain. However, since this level of inspection is less granular, it may have negative impact on devices terminating HTTP sessions. Devices which terminate HTTP sessions may be exposed to packets that may cause these devices to crash or become compromised.
Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue listed in this Advisory. However, this may have a negative impact on end devices terminating SIP sessions. Devices which terminate SIP sessions could be exposed to packets that may cause these devices to crash or become compromised.
If you run a 7.x software release, the alternative is to only allow traffic from trusted hosts. The configuration needed to accomplish this is as follows.
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip
class-map sip-traffic
match access-list sip-acl
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
class sip-traffic
inspect sip
!
service-policy global_policy global
In this example, the SIP endpoints are any host within the 10.1.1.0 network (inside the trusted network) and a host with the IP address of 192.168.5.4 (outside of the trusted network). You have to substitute these IP addresses with the ones that are used in your network.
Note that SIP is an UDP-based protocol, so spoofing SIP messages is possible.
The workaround is to increase the minimum TCP segment size (MSS) to 64. This is accomplished with a global sysopt command:
sysopt connection tcpmss minimum 64
There are two workarounds for this vulnerability. One consists of the use of TACACS+ or Radius for authentication, and another is to change the minimum privilege of the user from zero to one.
Use TACACS+ or Radius for authentication
Do not use the LOCAL method for user authentication, but use TACACS+ or Radius instead. This example shows how to configure the Cisco PIX appliance to use TACACS+ or Radius to authenticate Secure Shell (SSH) access to the device.
pixfirewall(config)#aaa-server AuthOutbound protocol radius (or tacacs+) pixfirewall(config)#aaa authentication ssh console AuthOutbound pixfirewall(config)#aaa-server AuthOutbound host 10.0.0.1 <radius_key>
In this example, 10.0.0.1 is the IP address of the Radius server and radius_key is the shared key between the Radius server and the appliance.
More information on how to configure TACACS+ or Radius on Cisco PIX and ASA appliances can be found at http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml.
Changing user's minimum privilege level
The second workaround consists of the change of the user minimum privilege level from zero to one. In that case, your configuration may look like this:
pixfirewall(config)# aaa authentication enable console LOCAL pixfirewall(config)# username <user_name> password <secret_pwd> privilege 1
It is possible to use any other level as long as it is not zero or 15. If it is 15, the user has all privileges, and that is what we want to avoid in the first place.
Top of the section Close Section
Obtaining Fixed Software
Cisco will make free software available to address this vulnerability for affected customers. This advisory will be updated as fixed software becomes available. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com. Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Top of the section Close Section
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Top of the section Close Section
Customers using Third Party Support Organizations
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Top of the section Close Section
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, which includes special localized telephone numbers, instructions, and e-mail addresses for use in various languages.
Top of the section Close Section
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of any vulnerability described in this advisory.
Top of the section Close Section
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml.
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Top of the section Close Section
Revision History
|
Revision 1.4 |
2007-March-15 |
Text updated to reflect the fact that SIP can use TCP and UDP as transport protocol. |
|
Revision 1.3 |
2007-Feb-21 |
It was incorrectly stated in previous versions of this document that SIP inspection is disabled by default in PIX/ASA 7.x software. The advisory has been revised to make it clear that the "Inspection of malformed SIP packets" vulnerability affects the default configuration in all versions of PIX/ASA software. |
|
Revision 1.2 |
2007-Feb-15 |
Included download location for the latest PIX 6.3.5 interim that has the fixes for the issues described in this advisory. |
|
Revision 1.1 |
2007-Feb-14 |
Clarified that all 7.2.x releases are affected by CSCsh33287 (it was incorrectly stated that only 7.2.2 was affected). |
|
Revision 1.0 |
2007-Feb-14 |
Initial public release. |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Top of the section Close Section
All contents are Copyright © 2006-2007 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
| Updated: Mar 15, 2007 | Document ID: 77853 |