Cisco ASA 5500 Series Adaptive Security Appliances Multiple Vulnerabilities

Summary

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities.

Credit:

The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml


Details

Vulnerable Systems:
 * Cisco ASA 5500 Series Adaptive Security version 7.2
 * Cisco ASA 5500 Series Adaptive Security version 8.0
 * Cisco ASA 5500 Series Adaptive Security version 8.1
 * Cisco ASA 5500 Series Adaptive Security version 8.2

Immune Systems:
 * Cisco ASA 5500 Series Adaptive Security version 7.0
 * Cisco ASA 5500 Series Adaptive Security version 7.1
 * Cisco ASA 5500 Series Adaptive Security version 8.3

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

SunRPC Inspection Denial of Service Vulnerabilities
####################################################

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753 and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

Transport Layer Security (TLS) Denial of Service Vulnerabilities
################################################################

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259, and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
############################################################################

SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or ‘calls.’ SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload. Note: Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger it. This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
###########################################################################

IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. During successful exploitation, an unauthenticated attacker may cause an affected device to reload. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

Patch Availability:
N/A

Workaround:
SunRPC Inspection Denial of Service Vulnerabilities: These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the no inspect sunrpc command in class configuration sub-mode within policy-map configuration.

Transport Layer Security (TLS) Denial of Service Vulnerabilities: If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the clear configure webvpn command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example shows how a trusted host with IP address 192.168.1.100 is added to the configuration:

hostname(config)# http 192.168.1.100 255.255.255.255

The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the no aaa authentication listener https command, as shown in the following example:

ASA(config)# no aaa authentication listener https inside port 443

Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability: This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the no inspect sip command in class configuration sub-mode within policy-map configuration.

Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability: There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The no crypto isakmp enable command can be used to disable IKE on a specific interface.
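As an added example (not Cisco's code and not part of the original advisory), the following Python script audits a saved ASA running-config against the exposure conditions described above: the release train, whether SunRPC and SIP inspection are still enabled in the policy-map, whether an SSL VPN or ASDM listener is present, whether any ASDM http entry admits a whole network rather than a single trusted host, and whether IKE is enabled on an interface. The sample configuration is constructed, and the names global_policy and inspection_default are assumed default names.

```python
import re
VULNERABLE_TRAINS = {"7.2", "8.0", "8.1", "8.2"}  # 7.0, 7.1 and 8.3 are immune

# Constructed sample running-config; global_policy/inspection_default are assumed names.
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.100 255.255.255.255 inside
webvpn
 enable outside
crypto isakmp enable outside
policy-map global_policy
 class inspection_default
  inspect sunrpc
  inspect sip
"""

def parse_blocks(config):
    """Map each top-level command to the sub-commands indented beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return (findings, CVE list) for the advisory's exposure conditions."""
    b = parse_blocks(config)
    m = re.search(r"^ASA Version (\d+\.\d+)", config, re.M)
    train = m.group(1) if m else None
    inspect = [c for k, v in b.items() if k.startswith("policy-map") for c in v]
    f = {
        "vulnerable_train": train in VULNERABLE_TRAINS,
        "sunrpc": "inspect sunrpc" in inspect,          # transit UDP SunRPC
        "sip": "inspect sip" in inspect,                # transit SIP (on by default)
        "tls": "http server enable" in b                # ASDM or SSL VPN listener
               or any(c.startswith("enable ") for c in b.get("webvpn", [])),
        "ike": any(k.startswith("crypto isakmp enable") for k in b),
        # ASDM 'http' entries that admit a network instead of one trusted host
        "asdm_broad": [k for k in b if re.match(r"http \d", k)
                       and k.split()[2] != "255.255.255.255"],
    }
    table = [("sunrpc", ["CVE-2010-1578", "CVE-2010-1579", "CVE-2010-1580"]),
             ("tls", ["CVE-2010-1581", "CVE-2010-2814", "CVE-2010-2815"]),
             ("sip", ["CVE-2010-2816"]), ("ike", ["CVE-2010-2817"])]
    cves = [c for key, ids in table if f["vulnerable_train"] and f[key] for c in ids]
    return f, cves
```

Run audit() over a copy of `show running-config`; an empty CVE list means either the train is immune or none of the affected features are enabled, and a non-empty asdm_broad list shows which http entries to tighten per the workaround above.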

CVE Information:
CVE-2010-1578
CVE-2010-1579
CVE-2010-1580
CVE-2010-1581
CVE-2010-2814
CVE-2010-2815
CVE-2010-2816
CVE-2010-2817

Disclosure Timeline:
2010-August-04: Initial public release.
