Found Multiple Vulnerabilities of Security bypass and DoS in Cisco PIX and Cisco ASA
Written by crashoveride   
Tuesday, 10 June 2008

Systems Affected

• Cisco Adaptive Security Appliance (ASA) 7.x
• Cisco Adaptive Security Appliance (ASA) 8.x
• Cisco PIX 7.x
• Cisco PIX 8.x

Overview

Multiple vulnerabilities have been reported in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. They can be exploited by malicious people to cause a Denial of Service (DoS) condition or to bypass control-plane access control lists (ACLs).

Description

Cisco PIX is a dedicated hardware firewall appliance. Cisco ASA is a firewall and anti-malware security appliance from Cisco Systems. The ASA (Adaptive Security Appliance) can take the place of three separate devices: a Cisco PIX firewall, a Cisco VPN Concentrator, and a Cisco IPS. The following vulnerabilities have been reported in Cisco PIX and ASA 5500 appliances.

1. Crafted TCP ACK Packet Vulnerability (CVE-2008-2055)

The vulnerability exists due to an error that may occur when processing malformed TCP ACK packets sent to the Telnet, SSH, Adaptive Security Device Manager (ASDM), or WebVPN ports of the affected system. A remote attacker could exploit this vulnerability by sending a malicious TCP packet to certain exposed services on an affected device. When processed, the packet could cause the affected device to stop responding to further requests, resulting in a DoS condition.
This vulnerability affects PIX and ASA devices running version 7.1.x or 7.2.x if any of the Secure Shell (SSH), WebVPN, or ASDM services is enabled. Devices running version 8.0 are also vulnerable if any of the Secure Shell (SSH), WebVPN, ASDM, or Telnet services is enabled.

Workarounds

* Administrators are advised to restrict remote Telnet, SSH, and ASDM network access to affected devices so that only trusted hosts can connect.
* Filters that deny packets to TCP ports 22, 23, 80, and 443 may be deployed throughout the network as part of a transit ACL (tACL) policy, to filter traffic that enters the network at ingress access points.

Additional information about tACLs is available at the following URL:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

2. Crafted TLS Packet Vulnerability (CVE-2008-2056)

Cisco ASA and PIX use Transport Layer Security (TLS), a cryptographic protocol for secure communication. The vulnerability exists due to an error in handling TLS packets when the HTTPS server is enabled. A remote attacker could exploit this vulnerability by sending a crafted TLS packet to a port on the affected system that is being used by an application that handles TLS packets. A successful attack could crash the device, resulting in a DoS condition.

This vulnerability affects software versions 8.0.x and 8.1.x.

3. Instant Messenger Inspection Vulnerability

The Cisco ASA and Cisco PIX Instant Messenger (IM) inspection engine is used to apply fine-grained controls on IM application usage within the network.

The vulnerability is due to errors in handling malformed network packets on devices using the Cisco PIX and Cisco ASA Instant Messenger inspection engine. A remote attacker could exploit this vulnerability by sending specially crafted Instant Messenger (IM) packets to the affected device. While processing, these packets could cause an error rendering the device unavailable, resulting in a DoS condition. Only devices with the Instant Messenger Inspection option enabled are affected.

This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x.

Workaround


* Disable IM inspection on the security appliance

4. Port Scan Denial of Service Vulnerability (CVE-2008-2058)

The vulnerability exists because the security appliances do not properly respond to certain types of vulnerability and port scans. An attacker could exploit this vulnerability by running a malicious port scan over TCP port 443 with certain unspecified scanners against a vulnerable machine. An exploit could cause the device to reload, resulting in a DoS condition.

This vulnerability affects software versions 7.2.x and 8.0.x.

5. Control-plane Access Control List Vulnerability (CVE-2008-2059)

The vulnerability is due to an error in enforcing control-plane Access Control Lists (ACLs). These ACLs may not function correctly after the initial configuration of the PIX and ASA software. A remote attacker could exploit this lack of control-plane ACLs to send malicious traffic directly to the target device.
This vulnerability affects software version 8.0.x.

Solution

Apply the appropriate fixed versions listed in the Cisco Security Advisory below.
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml
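
The affected version trains and feature conditions listed above can be turned into a quick triage check over a saved running-config. The following is an added example, not part of the original article or of Cisco's advisory. The config line patterns are assumptions about how these features appear in a PIX/ASA running-config, the sample config is constructed, and fixed maintenance releases are not modelled because the article does not list them.

```python
import re

# Rules transcribed from the article: (label, affected version trains, features
# that must be enabled). An empty set means the article names no feature condition.
RULES = [
    ("CVE-2008-2055 crafted TCP ACK", {"7.1", "7.2"}, {"ssh", "webvpn", "asdm"}),
    ("CVE-2008-2055 crafted TCP ACK", {"8.0"}, {"ssh", "webvpn", "asdm", "telnet"}),
    ("CVE-2008-2056 crafted TLS", {"8.0", "8.1"}, {"https"}),
    ("IM inspection DoS", {"7.2", "8.0", "8.1"}, {"im-inspect"}),
    ("CVE-2008-2058 port scan DoS", {"7.2", "8.0"}, set()),
    ("CVE-2008-2059 control-plane ACL", {"8.0"}, set()),
]
# Assumed running-config patterns per feature (not taken from the article).
FEATURES = {
    "ssh": r"^ssh \d+\.\d+\.\d+\.\d+ ",
    "telnet": r"^telnet \d+\.\d+\.\d+\.\d+ ",
    "asdm": r"^http server enable",
    "https": r"^http server enable",
    "webvpn": r"^webvpn\n(?: .*\n)*? enable \S+",
    "im-inspect": r"^\s+inspect im\b",
}

def triage(config):
    """Return (version train, [(label, enabled features that trigger it)])."""
    m = re.search(r"^(?:ASA|PIX) Version (\d+\.\d+)", config, re.M)
    if not m:
        raise ValueError("no 'ASA Version' or 'PIX Version' line found")
    train = m.group(1)
    enabled = {f for f, pat in FEATURES.items() if re.search(pat, config, re.M)}
    hits = []
    for label, trains, needs in RULES:
        if train in trains and (not needs or needs & enabled):
            hits.append((label, sorted(needs & enabled)))
    return train, hits

# Constructed sample: management limited to an inside subnet, IM inspection on.
SAMPLE = """ASA Version 8.0(3)
telnet timeout 5
ssh 192.0.2.0 255.255.255.0 inside
http server enable
http 192.0.2.10 255.255.255.255 inside
policy-map global_policy
 class inspection_default
  inspect im impolicy
"""
if __name__ == "__main__":
    train, hits = triage(SAMPLE)
    for label, why in hits:
        print(f"{train}.x: {label} ({', '.join(why) or 'version only'})")
```

A hit means the device is in an affected train with the triggering feature enabled; whether the exact release is already fixed still has to be checked against the Cisco advisory.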

Last Updated ( Saturday, 11 December 2010 )