AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability in the virtualization layer of the Cisco ASA FirePOWER Services and Cisco ASA Context Aware (CX) Services could allow an unauthenticated, remote attacker to cause a reload of the affected system.
Cisco has released software updates that address this vulnerability. The resolution includes upgrading the Cisco ASA FirePOWER Services Software or the Cisco ASA CX Services Software and the Cisco ASA Software. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
Note: Cisco ASA Software is affected by several other vulnerabilities described in the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software, cisco-sa-20150408-asa.
Cisco ASA customers should review cisco-sa-20150408-asa before determining an upgrade release for Cisco ASA Software.
Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
-
Vulnerable Products
This vulnerability affects the following products:
- Cisco ASA FirePOWER Services
- Cisco ASA Context-Aware (CX) Services
Determining the Cisco ASA FirePOWER Services Software Version
To determine the running version of Cisco ASA FirePOWER Services Software, issue the show version command from the Cisco ASA FirePOWER Services command-line interface, which an administrator can access via the serial console, an SSH session to the Cisco ASA FirePOWER Services management interface, or a session opened from the parent ASA using the session command.
The following example shows Cisco ASA FirePOWER software version 5.4.0:
> show version
---------[ asasfr ]----------
Model : ASA5512 (72) Version 5.4.0 (Build 763)
UUID : 1401763c-a7a5-11e4-9cfd-92a5551c2e4f
VDB version : 225
----------------------------------------------------
Customers using Cisco FireSIGHT Management Center to manage Cisco ASA FirePOWER Services systems can locate the software version of Cisco ASA FirePOWER Services under Devices > Device Management by double-clicking the device name.
Determining the Cisco ASA-CX Services Software Version
To determine the running version of Cisco ASA CX Services Software, issue the show version command from the Cisco ASA CX command-line interface, which an administrator can access via the serial console, an SSH session to the ASA CX management interface, or a session opened from the parent ASA using the session command.
The following example shows Cisco ASA CX software version 9.0.1(40):
asangfw>show version
Cisco ASA CX Platform 9.0.1 (40)
Customers using Cisco Prime Security Manager (PRSM) to manage Cisco ASA CX devices can locate the software version of Cisco ASA CX in the Device > Devices panel of the Cisco PRSM window.
Determining the Cisco ASA Software Version
To determine the running version of Cisco ASA Software, administrators can issue the show version command. The following example shows a device running Cisco ASA Software version 9.2(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or in the upper-left corner of the Cisco ASDM window.
Products Confirmed Not Vulnerable
The following products are not affected by this vulnerability:
- Cisco ASA 5500-X IPS SSP
- Cisco FireSIGHT Management Center
- Cisco FirePOWER 7000 Appliance Series and Cisco FirePOWER 8000 Appliance Series
- Cisco IPS 4500 Series and Cisco IPS 4300 Series
- Cisco Virtual Next-Generation IPS (NGIPSv) for VMware
- Cisco ASA Software
- Cisco Prime Security Manager
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco ASA FirePOWER Services and Cisco ASA CX Services bring distinctive threat-focused next-generation security services to the Cisco ASA 5500-X Series Next-Generation Firewall products.
Cisco ASA FirePOWER Services provides comprehensive protection from known and advanced threats, including protection against targeted and persistent malware attacks.
Cisco ASA CX Services is an add-on service that extends the Cisco ASA platform by delivering application and user ID awareness capabilities for enhanced visibility and control of network traffic.
A vulnerability in the virtualization layer of the Cisco ASA FirePOWER Services and Cisco ASA Context Aware (CX) Services could allow an unauthenticated, remote attacker to cause the reload of the affected system.
The vulnerability is due to improper handling of crafted packets sent at a high rate. An attacker could exploit this vulnerability by sending a high rate of crafted packets to the management interface of the Cisco ASA FirePOWER Services or Cisco ASA CX Services.
Note: Only traffic directed to the management interface of Cisco ASA FirePOWER Services or Cisco ASA CX Services can be used to exploit this vulnerability. This vulnerability can be exploited via IP version 4 and IP version 6. Due to the nature of this vulnerability an upgrade of the Cisco ASA FirePOWER Services Software or Cisco ASA CX Services Software and of the parent Cisco ASA Software is needed.
This vulnerability is documented in Cisco bug ID CSCus11007 (registered customers only) for Cisco ASA FirePOWER Services and CSCun56954 (registered customers only) for Cisco ASA CX Services.
The Cisco bug IDs CSCuo58584 (registered customers only) and CSCus13208 (registered customers only) are provided for reference and are used to document the changes in the Cisco ASA Software.
This vulnerability has been assigned Common Vulnerabilities and Exposures ID CVE-2015-0678.
-
There are no workarounds that mitigate this vulnerability.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco ASA FirePOWER Services
This vulnerability is fixed in Cisco ASA FirePOWER Software 5.3.1.2 and later or 5.4.0.1 and later.
Due to the nature of this vulnerability, Cisco ASA Software should also be upgraded to fix the vulnerability.
In addition to upgrading the Cisco ASA FirePOWER Software, customers need to upgrade the Cisco ASA Software to the following releases for the fix to be effective:
- Cisco ASA Software release 9.2(3.3) and later (9.2(3.4) and later)*
- Cisco ASA Software release 9.3(2) and later (9.3(3) and later)*
Cisco ASA customers should review cisco-sa-20150408-asa before determining an upgrade release for Cisco ASA Software. To facilitate this task, the releases that fix all vulnerabilities in cisco-sa-20150408-asa are marked in bold.
Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
Cisco ASA CX Services
This vulnerability is fixed in Cisco ASA CX Software 9.3.2.1-9 and later.
Due to the nature of this vulnerability, Cisco ASA Software should also be upgraded to fix the vulnerability.
In addition to upgrading the Cisco ASA CX Software, customers need to upgrade the Cisco ASA Software to the following releases for the fix to be effective:
- Cisco ASA Software release 9.1(5.21) and later (9.1(6.1) and later)*
- Cisco ASA Software release 9.2(3) and later (9.2(3.4) and later)*
- Cisco ASA Software release 9.3(2) and later (9.3(3) and later)*
Cisco ASA customers should review cisco-sa-20150408-asa before determining an upgrade release for Cisco ASA Software. To facilitate this task, the releases that fix all vulnerabilities in cisco-sa-20150408-asa are marked in bold.
Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
Note: Upgrading Cisco ASA FirePOWER Services Software or Cisco ASA CX Software to a fixed release without running one of the upgraded Cisco ASA Software releases in the preceding lists will not provide a fix for this vulnerability.
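Because the fix only takes effect when both the module and the parent ASA run a fixed release, it is easy to declare a box patched after upgrading only one side. The following script is an added example (not Cisco's code) that parses the three show version outputs quoted above, compares them against the fixed releases listed in this advisory, and reports the pair as fixed only when both halves are. Cisco's release notation is normalised by treating every run of digits as one component, so 9.2(3.3), 5.4.0.1 and 9.3.2.1-9 all compare naturally. Two assumptions are labelled in the code: "and later" is read as including later trains (for example ASA 9.4), and a CX 9.3.2.1-9 build is assumed to print as "9.3.2.1 (9)", by analogy with the "9.0.1 (40)" sample. The sample outputs embedded in the block are the ones from this advisory plus constructed fixed-release variants.

```python
"""Check an ASA + FirePOWER/CX pair against the fixed releases in
cisco-sa-20150408-cxfp.  Added example, not Cisco's code."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed releases as listed in the advisory.  The module must be fixed AND the
# parent ASA must be fixed; one without the other does not close the hole.
FIXED: Dict[str, Dict[str, List[str]]] = {
    "firepower": {"module": ["5.3.1.2", "5.4.0.1"],
                  "asa": ["9.2(3.3)", "9.3(2)"]},
    "cx": {"module": ["9.3.2.1-9"],
           "asa": ["9.1(5.21)", "9.2(3)", "9.3(2)"]},
}

# Patterns for the three 'show version' outputs quoted in the advisory.
ASA_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")
FIREPOWER_RE = re.compile(r"Version\s+([\d.]+)\s*\(Build\s+\d+\)")
CX_RE = re.compile(r"Cisco ASA CX Platform\s+([\d.]+)\s*\((\d+)\)")


def parse_version(text: str) -> Version:
    """'9.2(3.3)' -> (9, 2, 3, 3); '9.3.2.1-9' -> (9, 3, 2, 1, 9).
    Every run of digits is one component; parentheses and dashes in
    Cisco's notation are just separators."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def _compare(a: Version, b: Version) -> int:
    """Compare two versions, zero-padding the shorter one so that
    9.3(2) and 9.3.2.0 are equal."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def meets_fixed(running: Version, fixed: List[str]) -> bool:
    """True if `running` is at or above the fixed release of its train
    (train = first two components: 9.2, 9.3, 5.4 ...).  A running release in
    a train the advisory does not list is treated as fixed only when that
    train is newer than every listed one, i.e. 'and later' is read as
    including later trains (assumption, not stated by the advisory)."""
    fixed_v = [parse_version(f) for f in fixed]
    for f in fixed_v:
        if running[:2] == f[:2]:
            return _compare(running, f) >= 0
    return running[:2] > max(f[:2] for f in fixed_v)


def module_version(module: str, output: str) -> Version:
    """Extract the running release from the module's 'show version' text."""
    if module == "firepower":
        m = FIREPOWER_RE.search(output)       # '(Build N)' is deliberately dropped
        if not m:
            raise ValueError("no FirePOWER version found")
        return parse_version(m.group(1))
    if module == "cx":
        m = CX_RE.search(output)
        if not m:
            raise ValueError("no ASA CX version found")
        # Assumption: '9.0.1 (40)' is the release written as 9.0.1-40, so the
        # bracketed number is kept as the last component.
        return parse_version(f"{m.group(1)}-{m.group(2)}")
    raise ValueError(f"unknown module {module!r}")


def asa_version(output: str) -> Version:
    m = ASA_RE.search(output)
    if not m:
        raise ValueError("no ASA version found")
    return parse_version(m.group(1))


def assess(module: str, module_output: str, asa_output: str) -> Dict[str, object]:
    """Report whether the module, the ASA, and therefore the pair are fixed."""
    mod_v = module_version(module, module_output)
    asa_v = asa_version(asa_output)
    mod_ok = meets_fixed(mod_v, FIXED[module]["module"])
    asa_ok = meets_fixed(asa_v, FIXED[module]["asa"])
    return {"module_version": mod_v, "module_fixed": mod_ok,
            "asa_version": asa_v, "asa_fixed": asa_ok,
            "fixed": mod_ok and asa_ok}


# The three sample outputs quoted in the advisory (all vulnerable releases).
FIREPOWER_SAMPLE = """> show version
---------[ asasfr ]----------
Model : ASA5512 (72) Version 5.4.0 (Build 763)
UUID : 1401763c-a7a5-11e4-9cfd-92a5551c2e4f
VDB version : 225
"""
CX_SAMPLE = "asangfw>show version\nCisco ASA CX Platform 9.0.1 (40)\n"
ASA_SAMPLE = """ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
"""

if __name__ == "__main__":
    for mod, out in (("firepower", FIREPOWER_SAMPLE), ("cx", CX_SAMPLE)):
        print(mod, assess(mod, out, ASA_SAMPLE))
```

Run against the advisory's own samples, both pairs come back unfixed. The case worth keeping in mind is a FirePOWER module at 5.4.0.1 sitting on ASA 9.2(1): the module half passes, the ASA half fails, and the overall verdict stays "not fixed", which is exactly the note above.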
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was found during the resolution of support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2015-April-08 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.