Credit:
The original article can be found at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml
Vulnerable Systems:
* Cisco ASA 5500 Series Adaptive Security Appliances
Immune Systems:
* Cisco PIX 500 Series Security Appliances
* Cisco Firewall Services Module
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
- Transparent Firewall Packet Buffer Exhaustion Vulnerability
- Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
- Routing Information Protocol (RIP) Denial of Service Vulnerability
- Unauthorized File System Access Vulnerability
These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.
Transparent Firewall Packet Buffer Exhaustion Vulnerability
A Cisco ASA 5500 Series Adaptive Security Appliance that is configured for transparent firewall mode is affected by a packet buffer exhaustion vulnerability that could cause an appliance to stop forwarding traffic once all packet buffers are depleted. The number of available packet buffers may decrease when a security appliance receives IPv6 traffic and is not configured for IPv6 operation. IPv6 transit traffic does not cause a problem.
SCCP Inspection Denial of Service Vulnerability
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that could cause the appliance to reload when it processes a malformed SCCP message. Appliances are only vulnerable if SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerability.
RIP Denial of Service Vulnerability
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that could cause the appliance to reload when it processes valid RIP updates. Appliances are vulnerable only if both RIP and the Cisco Phone Proxy feature are enabled.
Note: the affected configuration requires that a global media termination address is configured, which is the only possible configuration option in Cisco ASA Software versions 8.0 and 8.1. However, it is possible to tie a media termination address to an interface in Cisco ASA Software version 8.2 and later. This configuration is not vulnerable.
Unauthorized File System Access Vulnerability
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that could allow unauthorized users to access a file system (flash:, disk0:, disk1:, etc. but not system:) when the security appliance is configured as a local CA server. No authentication is required. File systems could contain sensitive information, such as backup device configurations (which may contain passwords or shared secrets), Cisco ASA Software images, or digital certificates.
Patch Availability:
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
Workaround:
Transparent Firewall Packet Buffer Exhaustion Vulnerability:
There are no workarounds for this vulnerability.
SCCP Inspection Denial of Service Vulnerability
Administrators can mitigate this vulnerability by disabling SCCP inspection if it is not required. SCCP inspection is disabled by issuing the no inspect skinny command in class configuration submode of the policy map that is applied with service-policy. Note that SCCP inspection is what opens the dynamic pinholes for the RTP media streams negotiated over Skinny and rewrites the embedded addresses under NAT, so disabling it will break Cisco IP phone calls that traverse the appliance unless that traffic is otherwise permitted.
RIP Denial of Service Vulnerability
There are no workarounds for Cisco ASA Software versions 8.0 and 8.1. On Cisco ASA Software version 8.2 and later, administrators can configure a non-global media termination address by tying the address to a specific interface. For example:
router rip
...
!
media-termination <instance name>
address <IP address> interface <interface name>
!
<Rest of phone proxy feature configuration>
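An audit script for the four exposure conditions described in this advisory, as an added example that is not part of the Cisco advisory or any Cisco tool. It parses a saved ASA configuration and reports whether the affected conditions are present: transparent mode (firewall transparent), an applied policy-map containing inspect skinny, RIP together with a Phone Proxy instance and a media-termination address that is not tied to an interface, and an enabled local CA server (crypto ca server with no shutdown). The two sample configurations are constructed for this example; the phone-proxy block referencing a media-termination instance by name follows the fragment above and is an assumption, as is the choice to count only a policy-map that is actually applied with service-policy. Software version is not checked.

```python
"""Audit a Cisco ASA saved configuration for the four exposure conditions in this
advisory. Added example, not Cisco's code: the sample configs below are constructed,
and the phone-proxy / media-termination syntax follows the advisory's fragment."""
from typing import Dict, List, Set, Tuple

Block = Tuple[str, List[str]]  # (top-level command, its indented child lines)


def parse_blocks(config: str) -> List[Block]:
    """Group a config into top-level commands and their indented children.
    Separators (!), the ": Saved" header and blank lines are skipped; nested
    submodes (class under policy-map) are flattened into the same child list."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_asa_config(config: str) -> Dict[str, bool]:
    """Return one boolean per advisory item; True means the configuration
    matches the affected condition (software version is not checked)."""
    blocks = parse_blocks(config)
    tops = [cmd for cmd, _ in blocks]

    # 1. Transparent firewall packet buffer exhaustion: "firewall transparent".
    transparent = "firewall transparent" in tops

    # 2. SCCP inspection DoS: a policy-map containing "inspect skinny" that is
    #    applied by a service-policy command. "policy-map type inspect ..." maps
    #    are skipped and "no inspect skinny" does not match (assumption: an
    #    unapplied policy-map does not inspect anything).
    skinny_maps: Set[str] = set()
    for cmd, kids in blocks:
        parts = cmd.split()
        if len(parts) > 1 and parts[0] == "policy-map" and parts[1] != "type":
            if "inspect skinny" in kids:
                skinny_maps.add(parts[1])
    applied = {cmd.split()[1] for cmd in tops if cmd.startswith("service-policy ")}
    sccp = bool(skinny_maps & applied)

    # 3. RIP DoS: RIP enabled, a phone-proxy instance defined, and a
    #    media-termination "address X" line with no "interface" keyword (the only
    #    form on 8.0/8.1; the 8.2+ "address X interface Y" form is not affected).
    rip = "router rip" in tops
    phone_proxy = any(cmd.startswith("phone-proxy ") for cmd in tops)
    global_mta = any(
        cmd.startswith("media-termination ")
        and any(k.startswith("address ") and " interface " not in k for k in kids)
        for cmd, kids in blocks
    )

    # 4. Unauthorized file system access: local CA server enabled.
    local_ca = any(cmd == "crypto ca server" and "no shutdown" in kids
                   for cmd, kids in blocks)

    return {
        "transparent_buffer_exhaustion": transparent,
        "sccp_inspection_dos": sccp,
        "rip_dos": rip and phone_proxy and global_mta,
        "local_ca_file_access": local_ca,
    }


# Constructed sample: every affected condition present (8.0-style global MTA).
EXPOSED_CONFIG = """
: Saved
ASA Version 8.0(4)
hostname asa-lab
firewall transparent
!
router rip
 network 192.0.2.0
!
media-termination MT1
 address 192.0.2.10
!
phone-proxy PP1
 media-termination MT1
!
crypto ca server
 no shutdown
!
policy-map global_policy
 class inspection_default
  inspect skinny
!
service-policy global_policy global
"""

# Constructed sample: same features, with the advisory's workarounds applied.
HARDENED_CONFIG = """
ASA Version 8.2(1)
hostname asa-lab
router rip
 network 192.0.2.0
!
media-termination MT1
 address 192.0.2.10 interface inside
!
phone-proxy PP1
 media-termination MT1
!
crypto ca server
 shutdown
!
policy-map global_policy
 class inspection_default
  inspect sip
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_asa_config(cfg))
```

Run it against the output of show running-config saved to a file; each True entry maps to one of the four advisory items, and the rip_dos check goes False as soon as the media-termination address is rebound to an interface as shown in the workaround fragment above.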
CVE Information:
CVE-2011-0393
CVE-2011-0394
CVE-2011-0395
CVE-2011-0396
Disclosure Timeline:
Revision 1.0 2011-February-23 Initial public release.