Summary
Multiple vulnerabilities are found in Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances. They affect the following:
- Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP) traffic
- Inspection of malformed Session Initiation Protocol (SIP) packets
- Inspection of a stream of malformed Transmission Control Protocol (TCP) packets
- Privilege escalation
These vulnerabilities are independent of each other. If a vulnerability affects a device, it does not necessarily mean that the device is affected by all of them.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-pix.
Affected Products
In addition to the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances, some vulnerabilities also affect Cisco Firewall Services Module (FWSM). More information regarding FWSM can be found in the companion advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070214-fwsm.
Vulnerable Products
The following software releases for Cisco PIX and ASA Security Appliances are affected:

Enhanced inspection of Malformed HTTP traffic
    Only affected if: enhanced inspection of HTTP traffic is enabled via the command inspect http <appfw>
    Vulnerable by default? No
    Versions affected: only 7.x software releases prior to 7.0(4.14) and 7.1(2.1)
    Cisco Bug ID: CSCsd75794

Inspection of malformed SIP packets
    Only affected if: SIP inspection is enabled via the command fixup protocol sip, fixup protocol sip udp 5060 or inspect sip
    Vulnerable by default? Yes
    Versions affected: for 6.x software all releases prior to 6.3(5.115), for 7.0.x software all releases prior to 7.0(5.2), and for 7.1.x software all releases prior to 7.1(2.5)
    Cisco Bug IDs: CSCse27708 and CSCsd97077

Inspection of a stream of malformed TCP packets
    Only affected if: TCP-based protocol inspection is enabled, for example inspect ftp or inspect http
    Vulnerable by default? Yes
    Versions affected: only the 7.2(2) software release
    Cisco Bug ID: CSCsh12711

Privilege escalation
    Only affected if: the LOCAL method is used for user authentication
    Vulnerable by default? No
    Versions affected: 7.2.x software releases prior to 7.2(2.8)
    Cisco Bug ID: CSCsh33287
In order to determine if you run a vulnerable version of Cisco PIX or ASA software, issue the show version command.
This example shows a Cisco PIX Security Appliance that runs software release 7.1(1):

    pixfirewall# show version
    Cisco PIX Security Appliance Software Version 7.1(1)

This example shows a Cisco ASA Security Appliance that runs software release 7.2(1)18:

    ciscoasa# show version
    Cisco Adaptive Security Appliance Software Version 7.2(1)18
    Device Manager Version 5.1(2)

For customers that manage their devices through the PIX Device Manager (PDM) or the Cisco Adaptive Security Device Manager (ASDM), log into the application; the version is shown either in the table in the login window or in the upper left hand corner of the PDM/ASDM window, indicated by a label similar to this: PIX Version 7.1(1)
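As an added example (not part of the Cisco advisory), the following Python script parses the version token from a show version banner, including the 7.2(1)18 interim form shown above, and compares it against the vulnerable ranges given in the Vulnerable Products and Fixed Software tables of this advisory. Where the two tables disagree (the privilege-escalation row says prior to 7.2(2.8), while the first fixed release listed is 7.2(2.10)), the script uses the first fixed release as the cutoff, which is the conservative reading. The range encoding, rule names and function names are the example's own.

```python
"""Check a PIX/ASA 'show version' banner against the vulnerable ranges in
cisco-sa-20070214-pix. Added example; not Cisco code."""
import re
from typing import List, NamedTuple, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.maint}.{self.interim})"


# Accepts both the "7.0(4.14)" form and the "7.2(1)18" form that the ASA
# 'show version' banner prints for interim builds.
_VER_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_version(banner: str) -> Version:
    """Return the first software version found in a 'show version' banner.
    The software version precedes 'Device Manager Version', so the first
    match is the one we want."""
    m = _VER_RE.search(banner)
    if m is None:
        raise ValueError(f"no PIX/ASA version in {banner!r}")
    major, minor, maint, dot_interim, suffix_interim = m.groups()
    return Version(int(major), int(minor), int(maint),
                   int(dot_interim or suffix_interim or 0))


class Rule(NamedTuple):
    bug_id: str
    name: str
    precondition: str
    vulnerable_by_default: bool
    # Half-open [low, high) ranges; 'high' is the first fixed release on that train.
    ranges: Tuple[Tuple[Version, Version], ...]


# Ranges transcribed from the advisory's Vulnerable Products / Fixed Software tables.
RULES = (
    Rule("CSCsd75794", "Enhanced inspection of malformed HTTP traffic",
         "inspect http <appfw> is configured with an HTTP map", False,
         ((Version(7, 0, 0, 0), Version(7, 0, 4, 14)),
          (Version(7, 1, 0, 0), Version(7, 1, 2, 1)))),
    Rule("CSCse27708/CSCsd97077", "Inspection of malformed SIP packets",
         "fixup protocol sip / inspect sip is enabled", True,
         ((Version(6, 0, 0, 0), Version(6, 3, 5, 115)),
          (Version(7, 0, 0, 0), Version(7, 0, 5, 2)),
          (Version(7, 1, 0, 0), Version(7, 1, 2, 5)))),
    Rule("CSCsh12711", "Inspection of a stream of malformed TCP packets",
         "any TCP-based inspect (e.g. inspect ftp, inspect http) is enabled", True,
         # Table: only the 7.2(2) release; first fixed release is 7.2(2.10).
         ((Version(7, 2, 2, 0), Version(7, 2, 2, 10)),)),
    Rule("CSCsh33287", "Privilege escalation",
         "LOCAL authentication with a privilege-0 user", False,
         # Revision 1.1: all 7.2.x releases; first fixed release 7.2(2.10).
         ((Version(7, 2, 0, 0), Version(7, 2, 2, 10)),)),
)


def affected_rules(v: Version) -> List[Rule]:
    """Rules whose vulnerable range contains the given version."""
    return [r for r in RULES if any(lo <= v < hi for lo, hi in r.ranges)]


def affected_bug_ids(v: Version) -> List[str]:
    return [r.bug_id for r in affected_rules(v)]


def assess(banner: str) -> List[str]:
    """Human-readable findings for one 'show version' banner."""
    v = parse_version(banner)
    rules = affected_rules(v)
    if not rules:
        return [f"{v}: no vulnerable range in this advisory matches"]
    return [f"{v}: {r.bug_id} ({r.name}) if {r.precondition}"
            + (" [default configuration]" if r.vulnerable_by_default else "")
            for r in rules]


if __name__ == "__main__":
    for banner in ("Cisco PIX Security Appliance Software Version 7.1(1)",
                   "Cisco Adaptive Security Appliance Software Version 7.2(1)18 "
                   "Device Manager Version 5.1(2)"):
        for finding in assess(banner):
            print(finding)
```

The version match only tells you the software is in range; the "Only affected if" column still has to be checked against the running configuration before concluding a device is exposed.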
The relationship between vulnerabilities that affect Cisco PIX and ASA Security Appliances and FWSM is given in the following table:

Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
    PIX/ASA Bug ID: CSCsd75794
    FWSM Bug ID: see the companion advisory cisco-sa-20070214-fwsm

Inspection of Malformed SIP Messages May Cause Reload
    PIX/ASA Bug IDs: CSCse27708 and CSCsd97077
    FWSM Bug ID: see the companion advisory cisco-sa-20070214-fwsm
Products Confirmed Not Vulnerable
With the exception of the Cisco FWSM module, no other Cisco products are known to be vulnerable to the issues described in this advisory.
Details
This Security Advisory describes multiple distinct vulnerabilities. They are independent of each other.
1. Enhanced inspection of Malformed HTTP traffic
Cisco PIX and ASA Security Appliances may crash when inspecting a malformed HTTP request when enhanced HTTP inspection is enabled. If enhanced HTTP application inspection is enabled your configuration will contain a line like "inspect http <appfw>" where <appfw> is the name of a specific HTTP map. Please note that regular HTTP inspection (configured via the command "inspect http" without an HTTP map) is not affected by this vulnerability. This vulnerability affects only 7.x software releases.
For information on what enhanced inspection of HTTP traffic does, and how to configure it, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1431359
This vulnerability is documented in Cisco Bug ID CSCsd75794 (registered customers only).
2. Inspection of malformed SIP packets
The inspection of a malformed SIP packet may crash Cisco PIX and ASA appliances. In order to trigger this vulnerability, the SIP fixup (6.x software) or SIP inspect (7.x software) feature must be enabled. SIP fixup (in 6.x and earlier) and SIP inspection (in 7.x and later) are enabled by default.
Note that SIP can use TCP or UDP as its transport protocol. When UDP is used, SIP messages can be spoofed.
This vulnerability is documented in Cisco Bug IDs CSCsd97077 (registered customers only) and CSCse27708 ( registered customers only).
3. Inspection of a stream of malformed TCP packets
Processing a stream of malformed packets in a TCP-based protocol may crash Cisco PIX and ASA Appliances. The protocol must be handled by the inspect feature. The packets can be addressed to the device itself or just transiting it. Cisco PIX and ASA Appliances can inspect the following TCP-based protocols:
- Computer Telephony Interface Quick Buffer Encoding (CTIQBE)
- Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
- Domain Name Service (DNS)
- Extended Simple Mail Transfer Protocol (ESMTP)
- File Transfer Protocol (FTP)
- H.323 protocol
- Hyper Text Transfer Protocol (HTTP)
- Internet Locator Server (ILS)
- Instant Messaging (IM)
- Point-to-Point Tunneling Protocol (PPTP)
- Remote Shell (RSH)
- Real Time Streaming Protocol (RTSP)
- Session Initiation Protocol (SIP)
- Skinny (or Simple) Client Control Protocol (SCCP)
- Simple Mail Transfer Protocol (SMTP)
- Oracle SQL*Net
- Sun RPC
This vulnerability is documented in Cisco Bug ID CSCsh12711 (registered customers only).
4. Privilege escalation
Using the LOCAL method for user authentication may result in privilege escalation. In order to exploit this vulnerability, a user must be defined in the local database with a privilege of zero and be able to successfully authenticate to the affected device. Only if these conditions are met can the user escalate assigned privileges to level 15 and become an administrator. After that, the user can change every aspect of the configuration and operation of the device.
A device is vulnerable to this issue if these lines are present in the device's configuration:
    pixfirewall(config)# aaa authentication enable console LOCAL
    pixfirewall(config)# username <user_name> password <secret_pwd> privilege 0
This vulnerability is documented in Cisco Bug ID CSCsh33287 (registered customers only).
Workarounds
For vulnerabilities that involve HTTP and SIP protocols, it is possible to apply mitigation techniques. Workarounds are available for the other two vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070214-firewall
Enhanced inspection of Malformed HTTP traffic
Disabling enhanced HTTP application inspection, by removing the HTTP map (appfw) from the inspect http statement, prevents Cisco PIX and ASA Appliances from being vulnerable to this issue. Leaving a plain inspect http statement configured keeps some level of protection for the end devices (for example, computers protected by the Cisco PIX or ASA Appliance). However, because this level of inspection is less granular, it may have a negative impact on devices terminating HTTP sessions: they may be exposed to packets that could cause them to crash or become compromised.
Inspection of malformed SIP packets
Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue listed in this Advisory. However, this may have a negative impact on end devices terminating SIP sessions. Devices which terminate SIP sessions could be exposed to packets that may cause these devices to crash or become compromised.
If you run a 7.x software release, the alternative is to only allow traffic from trusted hosts. The configuration needed to accomplish this is as follows.
    access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
    access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip
    class-map sip-traffic
     match access-list sip-acl
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
     class sip-traffic
      inspect sip
    !
    service-policy global_policy global

In this example, the SIP endpoints are any host within the 10.1.1.0 network (inside the trusted network) and a host with the IP address of 192.168.5.4 (outside of the trusted network). You have to substitute these IP addresses with the ones that are used in your network. The access list above matches SIP over UDP only; if your endpoints also use SIP over TCP, add equivalent tcp entries so that that traffic is still inspected.
Note that when SIP runs over UDP, SIP messages can be spoofed, so restricting inspection by source address is not a complete control.
Inspection of a stream of malformed TCP packets
The workaround is to raise the minimum TCP maximum segment size (MSS) that the appliance accepts to 64 bytes. This is accomplished with a global sysopt command:
sysopt connection tcpmss minimum 64
Privilege escalation
There are two workarounds for this vulnerability. One is to use TACACS+ or RADIUS for authentication; the other is to change the minimum privilege level of the user from zero to one.
Use TACACS+ or RADIUS for authentication
Do not use the LOCAL method for user authentication; use TACACS+ or RADIUS instead. This example shows how to configure the Cisco PIX appliance to use RADIUS to authenticate Secure Shell (SSH) access to the device (for TACACS+, substitute protocol tacacs+ in the first command).
    pixfirewall(config)# aaa-server AuthOutbound protocol radius
    pixfirewall(config)# aaa authentication ssh console AuthOutbound
    pixfirewall(config)# aaa-server AuthOutbound host 10.0.0.1 <radius_key>
In this example, 10.0.0.1 is the IP address of the RADIUS server and radius_key is the shared key between the RADIUS server and the appliance.
More information on how to configure TACACS+ or Radius on Cisco PIX and ASA appliances can be found at http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml.
Changing user's minimum privilege level
The second workaround is to change the user's minimum privilege level from zero to one. In that case, your configuration may look like this:
    pixfirewall(config)# aaa authentication enable console LOCAL
    pixfirewall(config)# username <user_name> password <secret_pwd> privilege 1
Any other level can be used as long as it is not 0 or 15. At level 15 the user already has all privileges, which is what the workaround is meant to prevent.
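As an added example (not part of the Cisco advisory), the following Python script checks a saved PIX/ASA running configuration for the conditions described in the Details and Workarounds sections: an HTTP map on inspect http, SIP and other TCP-based inspection, the sysopt connection tcpmss minimum setting, and the LOCAL-authentication plus privilege-0 combination. It then applies the in-configuration workarounds the advisory gives (drop the HTTP map, raise privilege 0 to 1, add the MSS floor) and re-audits the result. The sample configuration is constructed for the example; the password fields are placeholder strings, not real credentials. Upgrading to a fixed release remains the actual fix.

```python
"""Audit a PIX/ASA configuration for the preconditions and workarounds of
cisco-sa-20070214-pix. Added example; not Cisco code."""
import re
from typing import Dict, List

# Constructed sample configuration (placeholder hashes, not real credentials).
SAMPLE_CONFIG = """\
hostname pixfirewall
http-map appfw
 content-length min 0 max 100000
username admin password PLACEHOLDERHASH1 encrypted privilege 15
username guest password PLACEHOLDERHASH2 encrypted privilege 0
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http appfw
  inspect sip
service-policy global_policy global
"""

# inspect/fixup keywords for the TCP-based protocols listed in the advisory.
TCP_INSPECT = {"ctiqbe", "dcerpc", "dns", "esmtp", "ftp", "h323", "http", "ils",
               "im", "pptp", "rsh", "rtsp", "sip", "skinny", "smtp", "sqlnet", "sunrpc"}

_INSPECT = re.compile(r"^(inspect|fixup protocol)\s+(\S+)(?:\s+(.*))?$")
_USER = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+(\d+)\b")
_LOCAL_AUTH = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+LOCAL\b")
_MSS = re.compile(r"^sysopt connection tcpmss minimum\s+(\d+)\b")


def audit(config: str) -> Dict[str, object]:
    """Report which advisory preconditions and workarounds the config shows."""
    enhanced_http = sip = tcp_inspect = False
    local_auth: List[str] = []
    priv0_users: List[str] = []
    mss_min = 0
    for raw in config.splitlines():
        line = raw.strip()
        m = _INSPECT.match(line)
        if m:
            kind, proto, args = m.group(1), m.group(2).lower(), m.group(3) or ""
            # 'inspect http <map>' is enhanced inspection (CSCsd75794); plain
            # 'inspect http' and 6.x 'fixup protocol http 80' are not.
            if kind == "inspect" and proto == "http" and args:
                enhanced_http = True
            sip = sip or proto == "sip"                        # CSCse27708/CSCsd97077
            tcp_inspect = tcp_inspect or proto in TCP_INSPECT  # CSCsh12711
            continue
        m = _USER.match(line)
        if m and m.group(2) == "0":
            priv0_users.append(m.group(1))
        m = _LOCAL_AUTH.match(line)
        if m:
            local_auth.append(m.group(1))
        m = _MSS.match(line)
        if m:
            mss_min = int(m.group(1))
    return {
        "CSCsd75794_enhanced_http": enhanced_http,
        "CSCse27708_sip_inspection": sip,
        "CSCsh12711_tcp_inspection": tcp_inspect,
        "CSCsh12711_mss_workaround": mss_min >= 64,
        "CSCsh33287_local_auth": local_auth,
        "CSCsh33287_privilege0_users": priv0_users,
        "CSCsh33287_exposed": bool(local_auth) and bool(priv0_users),
    }


def remediate(config: str) -> str:
    """Apply the advisory's in-configuration workarounds: drop the HTTP map
    from 'inspect http', raise privilege-0 users to 1, add the MSS floor."""
    out: List[str] = []
    for raw in config.splitlines():
        line = re.sub(r"^(\s*inspect http)\s+\S+\s*$", r"\1", raw)
        if line.startswith("username "):
            line = re.sub(r"\bprivilege 0\b", "privilege 1", line)
        out.append(line)
    if not any(_MSS.match(l.strip()) for l in out):
        out.append("sysopt connection tcpmss minimum 64")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
    print(remediate(SAMPLE_CONFIG))
```

The audit only reads the configuration; it cannot tell whether the running image is in a vulnerable range, so pair it with a version check. Removing the HTTP map trades the enhanced-inspection crash for less granular HTTP inspection, exactly the trade-off the Workarounds section describes, so treat the remediated configuration as interim until the device is upgraded.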
Fixed Software
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
The following list contains the first fixed software release for each vulnerability:

Enhanced inspection of Malformed HTTP traffic
    Cisco Bug ID: CSCsd75794
    First Fixed Release: 7.0(4.14), 7.0(5), 7.1(2.1), 7.2(1)

Inspection of malformed SIP packets
    Cisco Bug IDs: CSCse27708 and CSCsd97077
    First Fixed Release: 6.3(5.115), 7.0(5.2), 7.1(2.5)

Inspection of a stream of malformed TCP packets
    Cisco Bug ID: CSCsh12711
    First Fixed Release: 7.2(2.10)

Privilege escalation
    Cisco Bug ID: CSCsh33287
    First Fixed Release: 7.2(2.10)

The following software releases contain fixes for all vulnerabilities mentioned in this Security Advisory: 6.3(5.115) (for 6.x releases), 7.0(5.2), 7.1(2.5), 7.2(2.10).
Fixed PIX/ASA 7.x software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 for Cisco PIX Appliance and from http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 for Cisco ASA Appliance.
The latest PIX 6.3.x interim release can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT?psrtdcat20e2. The first 6.3.5.x release with the fixes for the vulnerabilities described in this advisory is 6.3(5.115), so 6.3(5.125), which is the release posted at that location, contains the fixes as well.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of any vulnerability described in this advisory.
Cisco Security Procedures
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 1.4
2007-March-15
Text updated to reflect the fact that SIP can use TCP and UDP as transport protocol.
Revision 1.3
2007-Feb-21
It was incorrectly stated in previous versions of this document that SIP inspection is disabled by default in PIX/ASA 7.x software. The advisory has been revised to make it clear that the "Inspection of malformed SIP packets" vulnerability affects the default configuration in all versions of PIX/ASA software.
Revision 1.2
2007-Feb-15
Included download location for the latest PIX 6.3.5 interim that has the fixes for the issues described in this advisory.
Revision 1.1
2007-Feb-14
Clarified that all 7.2.x releases are affected by CSCsh33287 (it was incorrectly stated that only 7.2.2 was affected).
Revision 1.0
2007-Feb-14
Initial public release.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.