Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2010-0568 to a friend New vulnerability? New tool? Tell us	CVE-2010-0568 Cisco ASA 5500 Series Adaptive Security Appliances Multiple Vulnerabilities     Credit: The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2010-0568 Details Check for CVE-2010-0568 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Cisco ASA 5500 Series Adaptive Security Appliances To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1)     <output truncated> Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml. Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability * Crafted TCP Segment Denial of Service Vulnerability * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features: * SSL VPNs * Cisco Adaptive Security Device Manager (ASDM) Administrative Access * Telnet Access * SSH Access * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- A denial of service vulnerability affects the SCCP inspection feature of the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... ! service-policy global_policy global WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that exists when WebVPN and DTLS are enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable " command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy internal group-policy attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that can be triggered by a malformed TCP segment that transits the appliance. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. Cisco ASA 5500 Series Adaptive Security Appliances that are running software versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- A crafted IKE message that is sent through an IPsec tunnel that terminates on a Cisco ASA 5500 Series Adaptive Security Appliance could cause all IPsec tunnels that terminate on the same device to be torn down. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable " command appears in the configuration. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- An authentication bypass vulnerability affects Cisco ASA 5500 Series Adaptive Security Appliances when NTLMv1 authentication is configured. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command. Sample output is displayed in the following example: ciscoasa#show aaa-server protocol nt Server Group: test Server Protocol: nt Server Address: 192.168.10.11 Server port: 139 Server status: ACTIVE, Last transaction (success) at 11:10:08 UTC Fri Jan 29 Cisco PIX 500 Series Security Appliance Vulnerability Status +----------------------------------------------------------- Cisco PIX 500 Series Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * SIP Inspection Denial of Service Vulnerabilities * SCCP Inspection Denial of Service Vulnerability * Crafted IKE Message Denial of Service Vulnerability * NTLMv1 Authentication Bypass Vulnerability Because the Cisco PIX 500 Series Security Appliances reached End of Software Maintenance Releases on July 28, 2009, no further software releases will be available for the Cisco PIX 500 Series Security Appliances. Cisco PIX 500 Series Security Appliances customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances or to implement any applicable workarounds that are listed in the "Workarounds" section of this advisory. Fixed software is available for the Cisco ASA 5500 Series Adaptive Security Appliances. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. Patch Availability: Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information. Fixed Cisco ASA Software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Recommended Releases +------------------- Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Workaround: TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Possible workarounds for this vulnerability are the following: * Migrate from "nailed" static NAT entries to TCP-state bypass. * Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode. * Disable IPS inspection for "nailed" static NAT entries. * If possible, change "nailed" static NAT entries to standard static NAT entries. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- A workaround for this vulnerability is to prevent UDP port 4500 traffic from ever traversing IPsec tunnels terminating on the Cisco ASA 5500 Series Adaptive Security Appliance. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example: !-- Deny only UDP port 4500 traffic and allow everything else access-list VPNFILTER extended deny udp any any eq 4500 access-list VPNFILTER extended permit ip any any !-- Create a group policy and specify a VPN filter that uses the !-- previous ACL group-policy VPNPOL internal group-policy VPNPOL attributes vpn-filter value VPNFILTER !-- Reference the group policy with the VPN filter from the tunnel group tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 general-attributes default-group-policy VPNPOL For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups. Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other procotols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround. For a more comprehensive example of the VPN filter feature of the Cisco ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access" available at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml In addition, if the security appliance does not terminate any tunnels, the vulnerability can be mitigated by disabling IKE by issuing the "no isakmp enable <interface name>" command. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability. CVE Information: CVE-2010-0568 Disclosure Timeline: Release Date: 2010-02-17  Comments on CVE-2010-0568:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®