A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.
The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.
By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode. To determine whether you are running this feature use the show running-config command and search for the set connection decrement-ttl command. Alternatively you can use the include argument to search for this command as follows:
ASA#show running-config | include decrement-ttl
set connection decrement-ttl
To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):
Cisco Adaptive Security Appliance Software Version 7.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:
PIX Version 7.2(3)
Products Confirmed Not Vulnerable
Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.
Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default. The Cisco Firewall Services Module (FWSM) is not vulnerable.
No other Cisco products are currently known to be affected by this vulnerability.
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled. This vulnerability is documented in Cisco Bug ID CSCsk48199 ( registered customers only) .
Successful exploitation of the vulnerability described in this advisory will result in a reload of the affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition.
Disable the TTL decrement feature using the no set connection decrement-ttl command in class configuration mode.
ASA(config-pmap-c)#no set connection decrement-ttl
Software Versions and Fixes
This vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.