AV:N/AC:M/Au:N/C:C/I:P/A:C/E:F/RL:OF/RC:C
-
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:
- DHCP Memory Allocation Denial of Service Vulnerability
- SSL VPN Authentication Denial of Service Vulnerability
- SIP Inspection Media Update Denial of Service Vulnerability
- DCERPC Inspection Buffer Overflow Vulnerability
- Two DCERPC Inspection Denial Of Service Vulnerabilities
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa
Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above.
A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm
The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.
-
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected versions.
Cisco PIX Security Appliances may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of software maintenance. Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances. Consult the dedicated section for Cisco PIX Security Appliances in the "Vulnerable Products" section of this security advisory for more information about affected versions.
Vulnerable Products
For specific version information, refer to the "Software Versions and Fixes" section of this advisory.
DHCP Memory Allocation Denial of Service Vulnerability
This vulnerability is triggered when the Cisco ASA Software processes a DHCP request. Both the DHCP relay and the DHCP server features process DHCP request packets, so if either feature is enabled, the Cisco ASA Software may be vulnerable.
To determine whether the DHCP server feature is enabled on Cisco ASA Software, use the show dhcpd state command and verify that at least one interface is configured for DHCP server. The following example shows the Cisco ASA Software with DHCP server enabled on the inside interface:
ciscoasa# show dhcpd state
Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
To determine whether the DHCP relay feature is enabled on Cisco ASA Software, use the show dhcprelay state command and verify that DHCP relay is active. The following example shows the Cisco ASA Software with DHCP relay enabled:
ciscoasa# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
Note: By default, DHCP server is enabled on the inside interface of the Cisco ASA 5505 and on the management interface of all other Cisco ASA 5500 Series Adaptive Security Appliances. DHCP server is disabled by default on Cisco Catalyst 6500 Series ASA Services Module.
The DHCP relay feature is not enabled by default on any Cisco ASA 5500 Series Adaptive Security Appliances or Cisco Catalyst 6500 Series ASA Services Module platforms.
SSL VPN Authentication Denial of Service Vulnerability
This vulnerability may affect Cisco ASA Software configured for Clientless or AnyConnect SSL VPN. Cisco ASA Software configured as an IPsec VPN Server, IPsec/L2TP VPN Server or IKEv2 AnyConnect VPN server is not affected. Because this vulnerability is triggered when receiving a crafted authentication challenge-response, Cisco ASA Software is not affected when configured to use a AAA protocol that does not support the challenge option, or when the challenge option is disabled.
To be affected, the Cisco ASA Software must have SSL VPN enabled and the tunnel group configured to authenticate to a remote AAA server using a AAA protocol that has the AAA challenge option enabled.
Currently the following AAA setups may be configured with the challenge option enabled and hence be considered vulnerable:
- Native RSA SecurID (also known as SDI) - This is vulnerable when the SecurID server requires a challenge response from the user.
- RADIUS and TACACS+ authentication challenge - These are vulnerable when the AAA server uses a token-based authentication system that is capable of sending challenge requests to authenticating users.
- Active Directory password management via RADIUS or LDAP - In these cases the Cisco ASA Software facilitates a user password change prior to authentication with Active Directory.
To determine whether Cisco ASA Software has SSL VPN enabled, use the show running-config webvpn command and verify that SSL VPN is enabled on at least one interface. The following example shows the Cisco ASA Software with SSL VPN enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
 enable outside
To determine whether the Cisco ASA Software has the tunnel group configured for a remote AAA server, use the show running-config tunnel-group <tg_name> general-attributes command and verify that the authentication-server-group is set to authenticate to a remote AAA server. The following example shows the Cisco ASA Software with the tunnel group WebVPN configured to authenticate against a remote AAA server with the tag RSA:
ciscoasa# show running-config tunnel-group WebVPN general-attributes
tunnel-group WebVPN general-attributes
 authentication-server-group RSA
To determine which AAA protocol is in use for a given AAA server, use the show aaa-server <server-tag> command. The AAA protocol in use is indicated under Server Group. The following example shows a AAA server with the tag RSA that is using RSA SecurID (SDI) as its AAA protocol:
ciscoasa# show aaa-server RSA
Server Group: RSA
Server Protocol: sdi
Note: SSL VPN is not enabled by default. The default AAA setting for a tunnel group is LOCAL, which is not affected by this vulnerability.
SIP Inspection Media Update Denial of Service Vulnerability
The Cisco ASA Software may be affected by this vulnerability if Session Initiation Protocol (SIP) inspection is enabled.
To determine whether SIP inspection is enabled, use the show service-policy | include sip command. The following example shows Cisco ASA Software with SIP inspection enabled:
ciscoasa# show service-policy | include sip
Inspect: sip , packet 67, drop 0, reset-drop 0
Note: SIP inspection functionality is enabled by default.
DCERPC Inspection Buffer Overflow Vulnerability and DCERPC Inspection Denial Of Service Vulnerabilities
Cisco ASA Software is affected by these vulnerabilities if DCERPC inspection is enabled.
To determine whether DCERPC inspection is enabled, use the show service-policy | include dcerpc command. The following example shows the Cisco ASA Software with DCERPC inspection enabled:
ciscoasa# show service-policy | include dcerpc
Inspect: dcerpc, packet 0, drop 0, reset-drop 0
Note: DCERPC inspection is not enabled by default.
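The checks in the "Vulnerable Products" section above are all pattern matches over the output of a handful of show commands, which makes them easy to apply across many devices once the output has been captured. The following Python script is an added example and not Cisco tooling: it applies those checks to captured command output and reports, per vulnerability, whether the configuration precondition the advisory names is present. The sample output embedded in it is constructed to mirror the advisory's own examples; the command names used as dictionary keys, and the way the AAA server tag is taken from the tunnel group's authentication-server-group, are assumptions about how an operator would collect the output.

```python
"""Precondition triage from captured ASA 'show' output.

Added example, not Cisco's code. Applies the checks the advisory describes to
text captured from the commands it names. The sample output below is constructed
to mirror the advisory's examples.
"""
import re
from typing import Dict, Set

# Constructed sample: what an operator might paste from each command.
SAMPLE: Dict[str, str] = {
    "show dhcpd state": (
        "Context Configured as DHCP Server\n"
        "Interface inside, Configured for DHCP SERVER\n"
    ),
    "show dhcprelay state": (
        "Context Configured as DHCP Relay\n"
        "Interface outside, Configured for DHCP RELAY SERVER\n"
        "Interface inside, Configured for DHCP RELAY\n"
    ),
    "show running-config webvpn": "webvpn\n enable outside\n",
    "show running-config tunnel-group WebVPN general-attributes": (
        "tunnel-group WebVPN general-attributes\n"
        " authentication-server-group RSA\n"
    ),
    "show aaa-server RSA": "Server Group: RSA\nServer Protocol: sdi\n",
    "show service-policy": (
        "Global policy:\n"
        "  Service-policy: global_policy\n"
        "    Class-map: inspection_default\n"
        "      Inspect: sip , packet 67, drop 0, reset-drop 0\n"
        "      Inspect: dcerpc, packet 0, drop 0, reset-drop 0\n"
    ),
}

# AAA protocols the advisory lists as able to carry a challenge: SDI always,
# RADIUS/TACACS+/LDAP only in token-based or password-management setups.
CHALLENGE_CAPABLE = {"sdi", "radius", "tacacs+", "ldap"}


def dhcp_server_interfaces(out: str) -> Set[str]:
    """Interfaces configured for DHCP SERVER (RELAY SERVER lines do not match)."""
    return set(re.findall(r"^Interface (\S+), Configured for DHCP SERVER\s*$", out, re.M))


def dhcp_relay_enabled(out: str) -> bool:
    return re.search(r"^Context Configured as DHCP Relay", out, re.M) is not None


def webvpn_interfaces(out: str) -> Set[str]:
    """Interfaces named on 'enable <if>' lines under webvpn."""
    return set(re.findall(r"^\s*enable\s+(\S+)\s*$", out, re.M))


def auth_server_group(out: str) -> str:
    """AAA server tag from the tunnel group; LOCAL is the advisory's stated default."""
    m = re.search(r"^\s*authentication-server-group\s+(\S+)", out, re.M)
    return m.group(1) if m else "LOCAL"


def aaa_protocol(out: str) -> str:
    m = re.search(r"^Server Protocol:\s*(\S+)", out, re.M)
    return m.group(1).lower() if m else ""


def inspections(out: str) -> Set[str]:
    """Protocols with an 'Inspect:' line in show service-policy output."""
    return set(re.findall(r"^\s*Inspect:\s*([\w-]+)", out, re.M))


def triage(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each advisory vulnerability to whether its configuration precondition is met."""
    dhcp = bool(dhcp_server_interfaces(outputs.get("show dhcpd state", ""))) or \
        dhcp_relay_enabled(outputs.get("show dhcprelay state", ""))
    sslvpn = bool(webvpn_interfaces(outputs.get("show running-config webvpn", "")))
    # Assumed collection convention: tunnel group WebVPN, then its AAA server by tag.
    tag = auth_server_group(outputs.get("show running-config tunnel-group WebVPN general-attributes", ""))
    proto = aaa_protocol(outputs.get(f"show aaa-server {tag}", ""))
    insp = inspections(outputs.get("show service-policy", ""))
    if not sslvpn or tag == "LOCAL":
        ssl_status = "no"
    elif proto == "sdi":
        ssl_status = "yes (SDI challenge)"
    elif proto in CHALLENGE_CAPABLE:
        ssl_status = "review (challenge depends on AAA server configuration)"
    else:
        ssl_status = "no (non-challenge AAA protocol)"
    return {
        "DHCP memory allocation DoS": "yes" if dhcp else "no",
        "SSL VPN authentication DoS": ssl_status,
        "SIP inspection media update DoS": "yes" if "sip" in insp else "no",
        "DCERPC inspection (overflow and DoS)": "yes" if "dcerpc" in insp else "no",
    }


if __name__ == "__main__":
    for vuln, state in triage(SAMPLE).items():
        print(f"{vuln:40s} precondition met: {state}")
```

A "yes" here means only that the feature the advisory ties to the vulnerability is enabled; whether the running release is actually affected is a separate comparison against the First Fixed Release tables later in the advisory.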
Determine the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.4(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or in the upper-left corner of the Cisco ASDM window.
Information about Cisco PIX Security Appliance Software
All versions of the Cisco PIX Security Appliance Software are affected by the DHCP Memory Allocation Denial of Service Vulnerability.
Cisco PIX Security Appliance Software is not affected by any other vulnerabilities described in this security advisory.
Products Confirmed Not Vulnerable
The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.
With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.
-
The following section provides additional information about each vulnerability.
DHCP Memory Allocation Denial of Service Vulnerability
DHCP is a protocol that supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server, and WINS server IP address to hosts.
The Cisco ASA Software can act as a DHCP server or a DHCP client. When it operates as a server, the Cisco ASA Software provides network configuration parameters directly to DHCP clients.
A vulnerability exists in the implementation of the Dynamic Host Configuration Protocol (DHCP) Server functionality that would allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to a failure in allocating memory for an internal DHCP data structure upon receiving crafted DHCP packets. An attacker could exploit this vulnerability by sending a sequence of crafted DHCP packets to the affected system.
Note: This vulnerability may be triggered by both transit traffic and traffic directed to the affected device. This vulnerability affects both routed and transparent firewall modes in both single-context and multicontext modes. This vulnerability can be triggered only by IPv4 traffic.
This vulnerability is documented in Cisco bug ID CSCtw84068 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-4643.
SSL VPN Authentication Denial of Service Vulnerability
The Cisco ASA Software includes two types of SSL VPN, which is a technology for remote access to corporate resources:
- Clientless SSL VPN provides access to Web applications, such as email, and corporate portals via Web browsers and Java components. It requires no client software.
- The AnyConnect SSL VPN Client.
A vulnerability exists in the implementation of the authentication, authorization and accounting (AAA) code for the remote SSL VPN (Clientless and AnyConnect) feature that could allow an unauthenticated, remote attacker to trigger a reload of the affected system. This vulnerability is due to insufficient validation of a crafted authentication response when a AAA challenge-response is required to complete the authentication process. An attacker could exploit this vulnerability by trying to authenticate on an ASA configured for SSL VPN with a crafted authentication challenge response.
This vulnerability affects Cisco ASA Software configured for Clientless or AnyConnect SSL VPN. Cisco ASA Software configured as an IPsec VPN Server, IPsec/L2TP VPN Server or IKEv2 AnyConnect server is not affected.
Note: Only traffic destined to the affected device can be used to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured in routed and single context mode. This vulnerability can be triggered by IPv4 traffic only.
This vulnerability is documented in Cisco bug ID CSCtz04566 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-4659.
SIP Inspection Media Update Denial of Service Vulnerability
Session Initiation Protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences. SIP works with the Session Description Protocol (SDP) for call signaling; SDP specifies the ports for the media stream. Cisco ASA Software supports dynamic allocation of ports for the media stream via a dedicated SIP inspection engine.
A vulnerability exists in the SIP inspection engine code of the Cisco ASA Software that may allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to improper processing of SIP media update packets. An attacker could exploit this vulnerability by sending a crafted SIP packet through the affected system. The packets that trigger this vulnerability must be part of an established SIP inspection session that is inspected by the affected system.
Note: Only transit traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multi-context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
This vulnerability is documented in Cisco bug ID CSCtr63728 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-4660.
DCERPC Inspection Buffer Overflow Vulnerability
DCERPC is a protocol that is widely used by Microsoft distributed client and server applications; it allows software clients to remotely execute programs on a server.
A vulnerability exists in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system or to overflow the stack and possibly execute arbitrary commands. The vulnerability is due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit this vulnerability by sending a crafted DCERPC packet that needs to be inspected by the affected system.
Note: Only transit traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multi-context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
This vulnerability is documented in Cisco bug ID CSCtr21359 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-4661.
DCERPC Inspection Denial Of Service Vulnerabilities
Two vulnerabilities exist in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerabilities are due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit these vulnerabilities by sending a crafted DCERPC packet that needs to be inspected by the affected system.
Note: Only transit traffic can be used to exploit these vulnerabilities. These vulnerabilities affect both routed and transparent firewall mode in both single and multi-context mode. These vulnerabilities can be triggered by IPv4 and IPv6 traffic.
These vulnerabilities are documented in Cisco bug IDs CSCtr21376 (registered customers only) and CSCtr21346 (registered customers only) and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2012-4662 and CVE-2012-4663.
-
The following section contains information about a workaround, if available, for each vulnerability described in this security advisory.
DHCP Memory Allocation Denial of Service Vulnerability
Besides disabling the DHCP server and DHCP relay features, there are no workarounds that mitigate this vulnerability.
SSL VPN Authentication Denial of Service Vulnerability
There are no workarounds that mitigate this vulnerability.
SIP Inspection Media Update Denial of Service Vulnerability
Disabling SIP inspection will mitigate this vulnerability.
The following commands will disable the SIP inspection that is configured by default:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip
DCERPC Inspection Buffer Overflow Vulnerability and DCERPC Inspection Denial Of Service Vulnerabilities
Besides disabling DCERPC inspection, there are no workarounds that mitigate these vulnerabilities.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
DHCP Memory Allocation Denial of Service Vulnerability
DHCP Memory Allocation Denial of Service Vulnerability - CSCtw84068
Major Release    First Fixed Release
7.0              7.2(5.8)
7.1              7.2(5.8)
7.2              7.2(5.8)
8.0              8.0(5.28)
8.1              8.1(2.56)
8.2              8.2(5.27)
8.3              8.3(2.31)
8.4              8.4(3.10)
8.5              8.5(1.9)
8.6              8.6(1.5)
SSL VPN Authentication Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability - CSCtz04566
Major Release    First Fixed Release
7.0              Not Affected
7.1              Not Affected
7.2              Not Affected
8.0              Not Affected
8.1              Not Affected
8.2              8.2(5.30)
8.3              8.3(2.34)
8.4              Not Affected
8.5              Not Affected
8.6              Not Affected
SIP Inspection Media Update Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability - CSCtr63728
Major Release    First Fixed Release
7.0              Not Affected
7.1              Not Affected
7.2              Not Affected
8.0              Not Affected
8.1              Not Affected
8.2              8.2(5.17)
8.3              8.3(2.28)
8.4              8.4(2.13)
8.5              8.5(1.4)
8.6              8.6(1.5)
DCERPC Inspection Buffer Overflow Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability - CSCtr21359
Major Release    First Fixed Release
7.0              Not Affected
7.1              Not Affected
7.2              Not Affected
8.0              Not Affected
8.1              Not Affected
8.2              Not Affected
8.3              8.3(2.34)
8.4              8.4(4.4)
8.5              8.5(1.13)
8.6              8.6(1.3)
DCERPC Inspection Denial Of Service Vulnerabilities
DCERPC Inspection Denial Of Service Vulnerabilities - CSCtr21376 and CSCtr21346
Major Release    First Fixed Release
7.0              Not Affected
7.1              Not Affected
7.2              Not Affected
8.0              Not Affected
8.1              Not Affected
8.2              Not Affected
8.3              8.3(2.25)
8.4              8.4(2.5)
8.5              8.5(1.13)
8.6              Not Affected
Recommended Releases
The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.
Major Release    Recommended Release
7.0              7.2(5.8)
7.1              7.2(5.8)
7.2              7.2(5.8)
8.0              8.0(5.28)
8.1              8.1(2.56)
8.2              8.2(5.33)
8.3              8.3(2.34)
8.4              8.4(4.5)
8.5              8.5(1.14)
8.6              8.6(1.5)
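Reading a running release off the tables above is error-prone at scale, because interim builds such as 8.4(3.10) sort after 8.4(3) only if the version string is split into numeric fields, and because the 7.0 and 7.1 trains are fixed only by moving to 7.2(5.8). The following Python script is an added example and not Cisco tooling: it transcribes the First Fixed Release and Recommended Release tables from this advisory, parses the version reported by show version into a comparable tuple, and reports per-vulnerability status for the running release. The show version text it parses is a constructed sample mirroring the advisory's own example; a device on a major release that the tables do not list is reported as unknown rather than guessed.

```python
"""Exposure check against the advisory's First Fixed Release tables.

Added example, not Cisco tooling. The tables below are transcribed from the
advisory; the version string is whatever 'show version' reports.
"""
import re
from typing import Dict, Tuple

NOT_AFFECTED = "Not Affected"

# Bug IDs and releases transcribed from the advisory's tables.
FIRST_FIXED: Dict[str, Dict[str, str]] = {
    "DHCP DoS (CSCtw84068)": {
        "7.0": "7.2(5.8)", "7.1": "7.2(5.8)", "7.2": "7.2(5.8)",
        "8.0": "8.0(5.28)", "8.1": "8.1(2.56)", "8.2": "8.2(5.27)",
        "8.3": "8.3(2.31)", "8.4": "8.4(3.10)", "8.5": "8.5(1.9)", "8.6": "8.6(1.5)",
    },
    "SSL VPN auth DoS (CSCtz04566)": {
        "7.0": NOT_AFFECTED, "7.1": NOT_AFFECTED, "7.2": NOT_AFFECTED,
        "8.0": NOT_AFFECTED, "8.1": NOT_AFFECTED, "8.2": "8.2(5.30)",
        "8.3": "8.3(2.34)", "8.4": NOT_AFFECTED, "8.5": NOT_AFFECTED, "8.6": NOT_AFFECTED,
    },
    "SIP media update DoS (CSCtr63728)": {
        "7.0": NOT_AFFECTED, "7.1": NOT_AFFECTED, "7.2": NOT_AFFECTED,
        "8.0": NOT_AFFECTED, "8.1": NOT_AFFECTED, "8.2": "8.2(5.17)",
        "8.3": "8.3(2.28)", "8.4": "8.4(2.13)", "8.5": "8.5(1.4)", "8.6": "8.6(1.5)",
    },
    "DCERPC buffer overflow (CSCtr21359)": {
        "7.0": NOT_AFFECTED, "7.1": NOT_AFFECTED, "7.2": NOT_AFFECTED,
        "8.0": NOT_AFFECTED, "8.1": NOT_AFFECTED, "8.2": NOT_AFFECTED,
        "8.3": "8.3(2.34)", "8.4": "8.4(4.4)", "8.5": "8.5(1.13)", "8.6": "8.6(1.3)",
    },
    "DCERPC DoS (CSCtr21376, CSCtr21346)": {
        "7.0": NOT_AFFECTED, "7.1": NOT_AFFECTED, "7.2": NOT_AFFECTED,
        "8.0": NOT_AFFECTED, "8.1": NOT_AFFECTED, "8.2": NOT_AFFECTED,
        "8.3": "8.3(2.25)", "8.4": "8.4(2.5)", "8.5": "8.5(1.13)", "8.6": NOT_AFFECTED,
    },
}

RECOMMENDED: Dict[str, str] = {
    "7.0": "7.2(5.8)", "7.1": "7.2(5.8)", "7.2": "7.2(5.8)", "8.0": "8.0(5.28)",
    "8.1": "8.1(2.56)", "8.2": "8.2(5.33)", "8.3": "8.3(2.34)", "8.4": "8.4(4.5)",
    "8.5": "8.5(1.14)", "8.6": "8.6(1.5)",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '8.4(1)' or '8.4(3.10)' into a comparable tuple; a missing interim
    number counts as 0, so 8.4(3) sorts below the interim build 8.4(3.10)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def running_version(show_version_output: str) -> str:
    """Pick the ASA software version out of 'show version' output, ignoring ASDM's."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", show_version_output)
    if not m:
        raise ValueError("no ASA software version line found")
    return m.group(1)


def status(running: str, first_fixed: str) -> str:
    if first_fixed == NOT_AFFECTED:
        return "not affected"
    return "fixed" if parse_version(running) >= parse_version(first_fixed) else "vulnerable"


def exposure(running: str) -> Dict[str, str]:
    """Per-vulnerability status for the running release, plus the recommended release."""
    v = parse_version(running)
    major = f"{v[0]}.{v[1]}"
    result = {}
    for name, table in FIRST_FIXED.items():
        first_fixed = table.get(major)
        result[name] = status(running, first_fixed) if first_fixed else "unknown major release"
    result["recommended"] = RECOMMENDED.get(major, "unknown major release")
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the advisory's 'show version | include Version' output.
    sample = ("Cisco Adaptive Security Appliance Software Version 8.4(1)\n"
              "Device Manager Version 6.4(1)\n")
    for name, state in exposure(running_version(sample)).items():
        print(f"{name:40s} {state}")
```

Note that "fixed" here is purely a version comparison against the table; it says nothing about whether the vulnerable feature is enabled, and a release the table marks "Not Affected" is so regardless of configuration.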
Software Download
Cisco ASA Software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html
For Cisco ASA 5500 Series Adaptive Security Appliances, navigate to Products > Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA 5500 Series Adaptive Security Appliances > <your Cisco ASA model> > Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and they can be found by expanding the Interim tab on the download page.
For Cisco Catalyst 6500 Series ASA Services Module, navigate to Products > Cisco Interfaces and Modules > Cisco Services Modules > Cisco Catalyst 6500 Series ASA Services Module > ASA Services Module (ASASM) Software. Please note that some of these versions are interim versions and they can be found by expanding the Interim tab on the download page.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
All the vulnerabilities described in this security advisory were found during internal testing or discovered during the resolution of customer support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2012-October-10 Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.