Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures
Note: Cisco ASA Software does not have a crypto map applied by default to any interface.

```
ciscoasa# sh running-config crypto map
[...]
crypto map outside_map interface outside
```
Note: SQL*Net inspection is enabled by default.

```
ciscoasa# show service-policy | include sqlnet
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
```
```
ciscoasa# show running-config webvpn
webvpn
 enable outside
ciscoasa# show running-config tunnel-group AnyConnect-TG
[...]
tunnel-group DefaultRAGroup webvpn-attributes
 authentication aaa certificate
```

To determine whether Cisco ASDM is configured to use digital certificate authentication, use the show running-config http command and verify that both the http server enable and http authentication-certificate <Interface_name> commands are present. The following example shows Cisco ASA Software with Cisco ASDM and certificate authentication enabled on the inside interface:

```
ciscoasa# show running-config http
http server enable
[...]
http authentication-certificate inside
```

On some Cisco ASA versions, the command ssl certificate-authentication interface <Interface_name> port <Port_Number> was used instead of the http authentication-certificate <Interface_name> command.

```
ciscoasa# show running-config tunnel-group AnyConnect-TG
tunnel-group test general-attributes
 authentication-server-group AAA-LDAP-SERVER
 override-account-disable
```

Additionally, use the show aaa-server protocol ldap command to verify that the remote AAA server associated with the tunnel group is an LDAP server. The following example shows a Cisco ASA configured with a AAA server called AAA-LDAP-SERVER running over LDAP:

```
ciscoasa# show aaa-server protocol ldap
Server Group: AAA-LDAP-SERVER
Server Protocol: ldap
[...]
```

Note: The override-account-disable command is disabled by default.
Note: The HTTP inspection engine and HTTP DPI are disabled by default. This vulnerability does not affect Cisco ASA 5505, Cisco ASA 5510, Cisco ASA 5520, Cisco ASA 5540, and Cisco ASA 5550 products.

```
ciscoasa# show running-config policy-map type inspect http
!
policy-map type inspect http HTTP_DPI_PM
 parameters
  spoof-server "Apache"
!
```
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.

```
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit tcp any any
[...]
```

OR

```
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit ip any any
[...]
ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]
ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
[...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!
```
Note: AnyConnect SSL VPN is disabled by default.

```
ciscoasa# show running-config webvpn
webvpn
[...]
 svc enable
```
Note: SSL VPN is disabled by default.

```
ciscoasa# show running-config webvpn
webvpn
 enable outside
```
```
ciscoasa# show running-config icmp | include permit
icmp permit any echo-reply outside
icmp permit any echo-reply dmz1
icmp permit any unreachable outside
icmp permit any echo outside
ciscoasa# show running-config ipv6 | include permit icmp
ipv6 icmp permit any echo outside
ipv6 icmp permit any echo-reply outside
ipv6 icmp permit any neighbor-advertisement outside
ciscoasa# show running-config | include inspect icmp
inspect icmp
```
Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or in the upper-left corner of the Cisco ASDM window.

```
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
```
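The configuration checks above are easy to script against a saved copy of the running configuration. The following is an added example, not part of the Cisco advisory: a small Python checker that applies those checks to constructed sample config text. The function name, the check keys and the sample configuration are this example's own; the pattern matching is an approximation of the manual checks, not Cisco's tooling.

```python
import re

# Constructed sample of "show running-config" output (not from the advisory);
# it contains several of the features the advisory's checks look for.
SAMPLE_CONFIG = """\
crypto map outside_map interface outside
http server enable
http authentication-certificate inside
access-list DNS_INSPECT_ACL extended permit ip any any
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT_ACL
policy-map global_policy
 class inspection_default
  inspect sqlnet
  inspect icmp
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
webvpn
 enable outside
 svc enable
"""

def asa_exposure_checks(config: str) -> dict:
    """Apply the advisory's running-config checks. Each key is True when the
    feature that exposes the device to the corresponding bug is configured."""
    lines = [l.strip() for l in config.splitlines()]
    present = lambda pattern: any(re.match(pattern, l) for l in lines)
    # DNS inspection is only exposed when the class's ACL matches TCP (or all
    # IP); approximate this by checking every ACL referenced by a class-map.
    acls = {m.group(1) for m in re.finditer(r"^\s*match access-list (\S+)", config, re.M)}
    tcp_dns = any(re.match(rf"access-list {re.escape(a)} extended permit (tcp|ip) ", l)
                  for a in acls for l in lines)
    return {
        "ipsec_crypto_map_applied": present(r"crypto map \S+ interface \S+"),
        "sqlnet_inspection": present(r"inspect sqlnet$"),
        "asdm_cert_auth": present(r"http server enable$") and (
            present(r"http authentication-certificate \S+")
            or present(r"ssl certificate-authentication interface \S+")),
        "dns_inspection_over_tcp": present(r"inspect dns ") and tcp_dns,
        "anyconnect_ssl_vpn": present(r"svc enable$"),
        "icmp_permitted": present(r"(ipv6 )?icmp permit "),
        "icmp_inspection": present(r"inspect icmp$"),
    }

if __name__ == "__main__":
    for check, exposed in asa_exposure_checks(SAMPLE_CONFIG).items():
        print(f"{check:28s} {'EXPOSED' if exposed else 'ok'}")
```

A True result only means the feature is configured; whether the device is actually affected still depends on its release, per the Software Versions and Fixes table.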
A vulnerability in the Web Portal for SSL VPN could allow an unauthenticated, remote attacker to cause a reload of the affected system.
The vulnerability is due to improper handling of crafted HTTPS requests against the Cisco ASA Software configured for SSL VPN. An attacker could exploit this vulnerability by sending crafted HTTPS requests targeting Web Portal pages for SSL VPN.
CSCue18975 - IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability

CVSS Base Score - 7.1

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Medium | None | None | None | Complete |

CVSS Temporal Score - 5.9

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCub98434 - SQL*Net Inspection Engine Denial of Service Vulnerability

CVSS Base Score - 7.1

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Medium | None | None | None | Complete |

CVSS Temporal Score - 5.9

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCuf52468 - Digital Certificate Authentication Bypass Vulnerability

CVSS Base Score - 10.0

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | Complete | Complete | Complete |

CVSS Temporal Score - 8.3

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCug83401 - Remote Access VPN Authentication Bypass Vulnerability

CVSS Base Score - 5.0

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | Partial | None | None |

CVSS Temporal Score - 4.1

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCuh44815 - Digital Certificate HTTP Authentication Bypass Vulnerability

CVSS Base Score - 10.0

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | Complete | Complete | Complete |

CVSS Temporal Score - 8.3

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCug03975 - DNS Inspection Denial of Service Vulnerability

CVSS Base Score - 7.1

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Medium | None | None | None | Complete |

CVSS Temporal Score - 5.9

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCtt36737 - HTTP Deep Packet Inspection Denial of Service Vulnerability

CVSS Base Score - 7.8

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Temporal Score - 6.4

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCud37992 - AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability

CVSS Base Score - 7.1

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Medium | None | None | None | Complete |

CVSS Temporal Score - 5.9

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCua22709 - SSL VPN Web Portal Denial of Service Vulnerability

CVSS Base Score - 7.8

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Temporal Score - 6.4

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
CSCui77398 - Crafted ICMP Packet Denial of Service Vulnerability

CVSS Base Score - 8.5

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Low | None | None | Partial | Complete |

CVSS Temporal Score - 7.0

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Official-Fix | Confirmed |
| Vulnerability | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 | 8.3 | 8.4 | 8.5 | 8.6 | 8.7 | 9.0 | 9.1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IPsec VPN Crafted ICMP Packet Denial of Service Vulnerability - CSCue18975 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 9.1(1.7) |
| SQL*Net Inspection Engine Denial of Service Vulnerability - CSCub98434 | Migrate to 7.2.x or later | Migrate to 7.2.x or later | 7.2(5.12) | Migrate to 8.2.x or later | Migrate to 8.2.x or later | 8.2(5.44) | 8.3(2.39) | 8.4(6) | 8.5(1.18) | 8.6(1.12) | 8.7(1.6) | 9.0(2.10) | 9.1(2) |
| Digital Certificate Authentication Bypass Vulnerability - CSCuf52468 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 9.0(2.6)¹ | 9.1(2)¹ |
| Remote Access VPN Authentication Bypass Vulnerability - CSCug83401 | Migrate to 7.2.x or later | Migrate to 7.2.x or later | 7.2(5.12) | Migrate to 8.2.x or later | Migrate to 8.2.x or later | 8.2(5.46) | 8.3(2.39) | 8.4(6.6) | Not Affected | 8.6(1.12) | Not Affected | 9.0(3.1) | 9.1(2.5) |
| Digital Certificate HTTP Authentication Bypass Vulnerability - CSCuh44815 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.2(5.46) | 8.3(2.39) | 8.4(6.6) | 8.5(1.18) | 8.6(1.12) | 8.7(1.7) | 9.0(3.1) | 9.1(2.6) |
| HTTP Deep Packet Inspection Denial of Service Vulnerability - CSCud37992 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.2(5.46)¹ | 8.3(2.39)¹ | 8.4(5.5)¹ | 8.5(1.18)¹ | 8.6(1.12)¹ | 8.7(1.4)¹ | 9.0(1.4)¹ | 9.1(1.2)¹ |
| DNS Inspection Denial of Service Vulnerability - CSCug03975 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.2(5.46) | 8.3(2.39) | 8.4(7) | 8.5(1.18) | 8.6(1.12) | 8.7(1.7) | 9.0(3.3) | 9.1(1.8) |
| AnyConnect SSL VPN Memory Exhaustion Denial of Service Vulnerability - CSCtt36737 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.4(3) | Not Affected | 8.6(1.3) | Not Affected | Not Affected | Not Affected |
| SSL VPN Web Portal Denial of Service Vulnerability - CSCua22709 | Not Affected | Not Affected | Not Affected | Migrate to 8.2.x or later | Migrate to 8.2.x or later | 8.2(5.44) | 8.3(2.39) | 8.4(5.7) | Not Affected | 8.6(1.12) | Not Affected | 9.0(2.6) | 9.1(1.7) |
| Crafted ICMP Packet Denial of Service Vulnerability - CSCui77398 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.4(7.2)² | Not Affected | Not Affected | 8.7(1.8)² | 9.0(3.6) | 9.1(2.8) |
| Recommended release that fixes all the vulnerabilities in this security advisory | Migrate to 7.2.x or later | Migrate to 7.2.x or later | 7.2(5.12) | Migrate to 8.2.x or later | Migrate to 8.2.x or later | 8.2(5.46) or later | 8.3(2.39) or later | 8.4(7.2)² or later | 8.5(1.18) or later | 8.6(1.12) or later | 8.7(1.8)² or later | 9.0(3.6) or later | 9.1(2.8) or later |
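Comparing a running release against this table by hand is error-prone because ASA releases carry an interim number, so 8.4(1) sorts below 8.4(7.2) even though "1" is shorter. The following is an added example, not part of the Cisco advisory: Python that parses the release string from show version and compares it against the recommended release for its train. The function names are this example's own; the recommended releases are copied from the table above.

```python
import re

# Recommended fixed releases per train, copied from the advisory's table;
# None means the train has no fixed release and must migrate to a later train.
RECOMMENDED = {
    "7.0": None, "7.1": None, "7.2": "7.2(5.12)", "8.0": None, "8.1": None,
    "8.2": "8.2(5.46)", "8.3": "8.3(2.39)", "8.4": "8.4(7.2)", "8.5": "8.5(1.18)",
    "8.6": "8.6(1.12)", "8.7": "8.7(1.8)", "9.0": "9.0(3.6)", "9.1": "9.1(2.8)",
}

def parse_version(text: str) -> tuple:
    """Turn '8.4(7.2)' or '8.4(1)' into a comparable tuple such as (8, 4, 7, 2).
    A missing interim number counts as 0, so 8.4(7) sorts below 8.4(7.2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA release string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def version_from_show_version(output: str) -> str:
    """Extract the ASA release string from 'show version' output."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", output)
    if not m:
        raise ValueError("no ASA software version line found")
    return m.group(1)

def assess(running: str) -> str:
    """Return 'fixed', 'vulnerable', 'migrate' or 'unknown-train' for a release.
    Trains later than 9.1 are not covered by this advisory's table."""
    v = parse_version(running)
    train = f"{v[0]}.{v[1]}"
    if train not in RECOMMENDED:
        return "unknown-train"
    fixed = RECOMMENDED[train]
    if fixed is None:
        return "migrate"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"

# Constructed 'show version' excerpt in the format shown earlier in the advisory.
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 8.4(1)\n"
    "Device Manager Version 6.4(1)\n"
)

if __name__ == "__main__":
    release = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(release, assess(release))
```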
Note: Because the vulnerability is triggered during the decryption operation, this workaround must be implemented on both devices terminating the VPN tunnel. The workaround is ineffective if applied to only one side of the tunnel.

```
ciscoasa(config)# access-list DENY_ICMP_ACL deny icmp any any
ciscoasa(config)# access-list DENY_ICMP_ACL permit ip any any
ciscoasa(config)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# vpn-filter value DENY_ICMP_ACL
```
```
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sqlnet
```

Digital Certificate Authentication Bypass Vulnerability
Note: Inspection of DNS traffic over TCP is currently not supported by the Cisco ASA Software. Implementing this workaround does not create any loss in functionality.

```
ciscoasa# show running-config access-list
access-list DNS_INSPECT extended permit udp any any eq 53
ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]
ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
[...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!
```
Note: Disabling ICMP processing on the firewall interface may result in administrators no longer being able to receive information from the firewall via ICMP, including ping, traceroute, and similar tools. Disabling ICMPv6 processing on the firewall interface may leave the firewall unable to communicate on that interface because neighbor discovery and neighbor advertisement ICMPv6 packets are no longer processed.

```
ciscoasa(config)# icmp deny any outside
ciscoasa(config)# ipv6 icmp deny any outside
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect icmp
```
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
| Revision | Date | Description |
|---|---|---|
| 2.2 | 2013-December-13 | Corrected some information about the SSL VPN Web Portal Denial of Service Vulnerability - CSCua22709 |
| 2.1 | 2013-October-18 | Added additional information about CSCui77398 |
| 2.0 | 2013-October-17 | Added information about the Crafted ICMP Packet Denial of Service Vulnerability - CSCui77398 |
| 1.1 | 2013-October-10 | Updated list of products not affected by the vulnerabilities. |
| 1.0 | 2013-October-09 | Initial public release. |