|
|
|
|
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
|
| |
Affected Products:
The following sections provide details on the versions of Cisco ASA that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA device that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find their software version displayed in a table in the login window or in the upper left corner of the ASDM window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. Cisco PIX and ASA software versions prior to 7.0(7)16, 7.1(2)71, 7.2(4)7, 8.0(3)20, and 8.1(1)8 are vulnerable to these SIP processing errors.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN connections are vulnerable to a denial of service attack if the device is running software versions prior to 7.2(4)2, 8.0(3)14, and 8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
SSL VPN Memory Leak Vulnerability
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack affecting the SSL processing software if the device is running a software version prior to 7.2(4)2, 8.0(3)14, or 8.1(1)4. Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
URI Processing Error Vulnerability in SSL VPNs
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack in the HTTP server if the device is running software versions prior to 8.0(3)15, and 8.1(1)5. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to potential information disclosure if the device is running affected 8.0 or 8.1 software versions. Cisco ASA devices running software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability. Cisco ASA devices the run software versions prior to 8.0(3)15 and 8.1(1)4, or after 8.0(3)16 and 8.1(1)5 are also not affected by this vulnerability.
Products Confirmed Not Vulnerable:
The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running software versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified Boarder Elements (CUBE) are not vulnerable to these issues. No other Cisco products are currently known to be affected by these vulnerabilities.
Details:
The following sections provide details to help determine if a device may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. All Cisco PIX and Cisco ASA software releases may be vulnerable to these SIP processing vulnerabilities. A successful attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is configured to support inspection of sip packets, log in to the device and issue the CLI command show service-policy | include sip. If the output contains the text Inspect: sip and some statistics, then the device has a vulnerable configuration. The following example shows a vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
CVE Information:
CVE-2008-2732
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based VPN connections are vulnerable to a crafted authentication processing vulnerability if they are running software versions 7.2, 8.0, or 8.1. Devices that run software versions 7.0 or 7.1 are not affected by this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association and Key Management Protocol (ISAKMP) enabled on an interface with the crypto command, such as: crypto isakmp enable outside.
CVE Information:
CVE-2008-2733
SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs
A crafted SSL or HTTP packet may cause a denial of service condition on a Cisco ASA device that is configured to terminate clientless VPN connections. A successful attack may result in a reload of the device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless SSL VPNs enabled may be affected by this vulnerability. Devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA with Clientless VPNs configured and enabled. In this case the ASA will listen for VPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.
CVE Information:
CVE-2008-2734 and CVE-2008-2735
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN connections, an attacker may be able to discover potentially sensitive information such as usernames and passwords. This attack requires an attacker to convince a user to visit a rogue web server, reply to an e-mail, or interact with a service to successfully exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with clientless VPNs enabled may be affected by this vulnerability. Cisco ASA devices running that run software versions 7.0, 7.1, or 7.2 are not vulnerable to this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA device with Clientless VPNs configured and enabled. In this case the Cisco ASA device will listen for VPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.
CVE Information:
CVE-2008-2736
Impact:
Successful exploitation of the Erroneous SIP Processing Vulnerabilities, IPSec Client Authentication Processing Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing Error Vulnerability in SSL VPNs may result in the device reloading. This can be repeatedly exploited and may lead to a denial of service attack.
The Potential Information Disclosure in Clientless SSL VPNs vulnerability may allow an attacker to obtain user and group credentials if the user interacts with a rogue system or document.
Workarounds:
The following workarounds may help some customers mitigate these vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily disabling the feature will mitigate the SIP processing vulnerabilities. SIP inspection can be disabled with the command no inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in conjunction with strong group credentials until the device can be upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16, 8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as an alternative to clientless VPNs.
|
|
|
|
|
