|
|
|
|
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml
|
| |
Vulnerable Products
The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.
By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode. To determine whether you are running this feature use the show running-config command and search for the set connection decrement-ttl command. Alternatively you can use the include argument to search for this command as follows:
ASA#show running-config | include decrement-ttl
set connection decrement-ttl
ASA#
The set connection decrement-ttl command is part of a configured class-map. In order for this command to take effect it must be applied using a policy-map (assigned globally or to an interface). For more information about the Modular Policy Framework on the Cisco ASA and PIX refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html
To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):
ASA#show version
Cisco Adaptive Security Appliance Software Version 7.2(3)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:
PIX Version 7.2(3)
Products Confirmed Not Vulnerable
Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.
Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default. The Cisco Firewall Services Module (FWSM) is not vulnerable.
No other Cisco products are currently known to be affected by this vulnerability.
Details
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled. This vulnerability is documented in Cisco Bug ID CSCsk48199 ( registered customers only) .
Impact
Successful exploitation of the vulnerability described in this advisory will result in a reload of the affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition.
Workarounds
Disable the TTL decrement feature using the no set connection decrement-ttl command in class configuration mode.
ASA(config)#policy-map localpolicy1
ASA(config-pmap)#class local_server
ASA(config-pmap-c)#no set connection decrement-ttl
ASA(config-pmap-c)#exit
For additional information on identifying and mitigating TTL based attacks, please refer to the Cisco Applied Intelligence White Paper "TTL Expiry Attack Identification and Mitigation", available at: http://cisco.com/web/about/security/intelligence/ttl-expiry.html.
Software Versions and Fixes
This vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
|
|
|
|
|
