Cisco Security Advisory
Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:
-
Erroneous SIP Processing Vulnerabilities
-
IPSec Client Authentication Processing Vulnerability
-
SSL VPN Memory Leak Vulnerability
-
URI Processing Error Vulnerability in SSL VPNs
-
Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080903-asa.
-
Erroneous SIP Processing Vulnerabilities
-
The following paragraphs describe the affected Cisco ASA and Cisco PIX software versions:
Vulnerable Products
The following sections provide details on the versions of Cisco ASA that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA device that runs software release 8.0(2):
ASA# show version Cisco Adaptive Security Appliance Software Version 8.0(2) Device Manager Version 6.0(1) [...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find their software version displayed in a table in the login window or in the upper left corner of the ASDM window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. Cisco PIX and ASA software versions prior to 7.0(7)16, 7.1(2)71, 7.2(4)7, 8.0(3)20, and 8.1(1)8 are vulnerable to these SIP processing errors.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN connections are vulnerable to a denial of service attack if the device is running software versions prior to 7.2(4)2, 8.0(3)14, and 8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
SSL VPN Memory Leak Vulnerability
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack affecting the SSL processing software if the device is running a software version prior to 7.2(4)2, 8.0(3)14, or 8.1(1)4. Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
URI Processing Error Vulnerability in SSL VPNs
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack in the HTTP server if the device is running software versions prior to 8.0(3)15, and 8.1(1)5. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to potential information disclosure if the device is running affected 8.0 or 8.1 software versions. Cisco ASA devices running software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability. Cisco ASA devices the run software versions prior to 8.0(3)15 and 8.1(1)4, or after 8.0(3)16 and 8.1(1)5 are also not affected by this vulnerability.
Products Confirmed Not Vulnerable
The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running software versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified Boarder Elements (CUBE) are not vulnerable to these issues. No other Cisco products are currently known to be affected by these vulnerabilities.
-
The following sections provide details to help determine if a device may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. All Cisco PIX and Cisco ASA software releases may be vulnerable to these SIP processing vulnerabilities. A successful attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is configured to support inspection of sip packets, log in to the device and issue the CLI command show service-policy | include sip. If the output contains the text Inspect: sip and some statistics, then the device has a vulnerable configuration. The following example shows a vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip Inspect: sip, packet 0, drop 0, reset-drop 0 asa#
These vulnerability is documented in the following Cisco Bug IDs and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2732.
-
CSCsq07867
(
registered customers only)
-
CSCsq57091
(
registered customers only)
-
CSCsk60581
(
registered customers only)
-
CSCsq39315
(
registered customers only)
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based VPN connections are vulnerable to a crafted authentication processing vulnerability if they are running software versions 7.2, 8.0, or 8.1. Devices that run software versions 7.0 or 7.1 are not affected by this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association and Key Management Protocol (ISAKMP) enabled on an interface with the crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2733.
SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs
A crafted SSL or HTTP packet may cause a denial of service condition on a Cisco ASA device that is configured to terminate clientless VPN connections. A successful attack may result in a reload of the device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless SSL VPNs enabled may be affected by this vulnerability. Devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA with Clientless VPNs configured and enabled. In this case the ASA will listen for VPN connections on the default port, TCP port 443:
http server enable ! webvpn enable outside
Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug ID CSCso66472 ( registered customers only) and CSCsq19369 ( registered customers only) . They have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN connections, an attacker may be able to discover potentially sensitive information such as usernames and passwords. This attack requires an attacker to convince a user to visit a rogue web server, reply to an e-mail, or interact with a service to successfully exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with clientless VPNs enabled may be affected by this vulnerability. Cisco ASA devices running that run software versions 7.0, 7.1, or 7.2 are not vulnerable to this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA device with Clientless VPNs configured and enabled. In this case the Cisco ASA device will listen for VPN connections on the default port, TCP port 443:
http server enable ! webvpn enable outside
Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2736.
-
CSCsq07867
(
registered customers only)
-
The following workarounds may help some customers mitigate these vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080903-asa
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily disabling the feature will mitigate the SIP processing vulnerabilities. SIP inspection can be disabled with the command no inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in conjunction with strong group credentials until the device can be upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16, 8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as an alternative to clientless VPNs.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
The following list contains the first fixed software release of each vulnerability:
Vulnerability
Bug ID
Affected Release
First Fixed Release
Memory corruption with traceback in SIP inspection code
CSCsq07867
7.0
7.0(7)15
7.1
7.1(2)70
7.2
Not vulnerable
8.0
Not vulnerable
8.1
Not vulnerable
Memory corruption and traceback when inspecting malformed SIP packets
CSCsq57091
7.0
Not vulnerable
7.1
Not vulnerable
7.2
7.2(4)7
8.0
8.0(3)20
8.1
8.1(1)8
Device reload possible when SIP inspection is enabled
CSCsk60581
7.0
Not vulnerable
7.1
Not vulnerable
7.2
7.2(3)18
8.0
8.0(3)8
8.1
Not vulnerable
Traceback when processing malformed SIP requests
CSCsq39315
7.0
7.0(7)16
7.1
7.1(2)71
7.2
Not vulnerable
8.0
Not vulnerable
8.1
Not vulnerable
Traceback in Remote Access Authentication Code
CSCso69942
7.0
Not vulnerable
7.1
Not vulnerable
7.2
7.2(4)2
8.0
8.0(3)14
8.1
8.1(1)4
Crypto memory leak causing Clientless SSL VPNs to hang
CSCso66472
7.0
Not vulnerable
7.1
Not vulnerable
7.2
7.2(4)2
8.0
8.0(3)14
8.1
8.1(1)4
HTTP Processing Error in Clientless SSL VPN connections
CSCsq19369
7.0
Not vulnerable
7.1
Not vulnerable
7.2
Not vulnerable
8.0
8.0(3)15
8.1
8.1(1)5
Potential Information Disclosure in Clientless SSL VPNs
CSCsq45636
7.0
Not vulnerable
7.1
Not vulnerable
7.2
Not vulnerable
8.0
8.0(3)16
8.1
8.1(1)6
Recommended Release
7.0
7.0(7)16
7.1
7.1(2)72
7.2
7.2(4)9
8.0
8.0(4)
8.1
8.1(1)8
The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table.
Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix-interim?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa-interim?psrtdcat20e2
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
These vulnerabilities were reported to Cisco by customers that experienced these issues during normal operation of their equipment and through internal testing efforts.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2008-Sept-03
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.