Cisco Security Advisory
Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances
AV:N/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:OF/RC:C
-
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:
-
VPN Authentication Bypass when Account Override Feature is Used
vulnerability
-
Crafted HTTP packet denial of service (DoS) vulnerability
-
Crafted TCP Packet DoS vulnerability
-
Crafted H.323 packet DoS vulnerability
-
SQL*Net packet DoS vulnerability
-
Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090408-asa.
-
VPN Authentication Bypass when Account Override Feature is Used
vulnerability
-
Vulnerable Products
The following is a list of the products affected by each vulnerability as described in detail within this advisory.
VPN Authentication Bypass Vulnerability
Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
Cisco ASA security appliances may experience a device reload that can be triggered by a series of crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability.
Crafted TCP Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a memory leak that can be triggered by a series of crafted TCP packets. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features:
-
SSL VPNs
-
ASDM Administrative Access
-
Telnet Access
-
SSH Access
-
Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
-
Virtual Telnet
-
Virtual HTTP
-
Transport Layer Security (TLS) Proxy for Encrypted Voice
Inspection
-
Cut-Through Proxy for Network Access
-
TCP Intercept
Crafted H.323 Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability.
SQL*Net Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of SQL*Net packets, when SQL*Net inspection is enabled. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability.
Access Control List Bypass Vulnerability
A vulnerability exists in the Cisco ASA and Cisco PIX security appliances that may allow traffic to bypass the implicit deny behavior at the end of ACLs that are configured within the device. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability.
Determination of Software Versions
The show version command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4):
ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1)
The following example shows a Cisco PIX security appliance that runs software version 8.0(4):
PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3)
Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. Cisco PIX Security Appliance Software versions 6.x are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
-
SSL VPNs
-
This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.
VPN Authentication Bypass Vulnerability
The Cisco ASA or Cisco PIX security appliance can be configured to override an account-disabled indication from a AAA server and allow the user to log on anyway. However, the user must provide the correct credentials in order to login to the VPN. A vulnerability exists in the Cisco ASA and Cisco PIX security appliances where VPN users can bypass authentication when the override account feature is enabled.
Note: The override account feature was introduced in Cisco ASA software version 7.1(1).
The override account feature is enabled with the override-account-disable command in tunnel-group general-attributes configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
This vulnerability is documented in Cisco Bug ID CSCsx47543 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1155.
Crafted HTTP Packet DoS Vulnerability
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv52239 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1156.
Crafted TCP Packet DoS Vulnerability
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected:
-
SSL VPNs
-
ASDM Administrative Access
-
Telnet Access
-
SSH Access
-
cTCP for Remote Access VPNs
-
Virtual Telnet
-
Virtual HTTP
-
TLS Proxy for Encrypted Voice Inspection
-
Cut-Through Proxy for Network Access
-
TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsy22484 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1157.
Crafted H.323 Packet DoS Vulnerability
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsx32675 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1158.
SQL*Net Packet DoS Vulnerability
The SQL*Net protocol consists of different packet types are handled by the security appliance to make the data stream appear consistent to the Oracle version 7.x and earlier implementations on either side of the Cisco ASA and Cisco PIX security appliances. A series of SQL*Net packets may cause a denial of service condition on a Cisco ASA and Cisco PIX device that is configured with SQL*Net inspection. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device.
The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the class-map command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses.
This vulnerability is documented in Cisco Bug ID CSCsw51809 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1159.
Access Control List Bypass Vulnerability
Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW):
This vulnerability is documented in Cisco Bug ID CSCsq91277 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160.
-
SSL VPNs
-
This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other.
VPN Authentication Bypass Vulnerability
The override account feature is enabled with the override-account-disable command in tunnel-group general-attributes configuration mode. As a workaround, disable this feature using the no override-account-disable command.
Crafted HTTP Packet DoS Vulnerability
Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts.
To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command no inspect h323.
SQL*Net Packet DoS Vulnerability
SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command no inspect sqlnet.
Access Control List (ACL) Bypass Vulnerability
As a workaround, remove the access-group line applied on the interface where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called acl-inside is removed and reapplied to the inside interface. Alternatively, you can add an explicit deny ip any any line in the bottom of the ACL applied on that interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at the end of access-list 100.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090408-asa.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table.
Vulnerability
Affected Release
First Fixed Version
Recommended Release
VPN Authentication Bypass when Account Override Feature is Used Vulnerability
7.0
Not vulnerable
7.0(8)6
7.1
7.1(2)82
7.1(2)82
7.2
7.2(4)27
7.2(4)30
8.0
8.0(4)25
8.0(4)28
8.1
8.1(2)15
8.1(2)19
Crafted HTTP packet DoS Vulnerability
7.0
Not vulnerable
7.0(8)6
7.1
Not vulnerable
7.1(2)82
7.2
Not vulnerable
7.2(4)30
8.0
8.0(4)25
8.0(4)28
8.1
8.1(2)15
8.1(2)19
Crafted TCP Packet DoS Vulnerability
7.0
7.0(8)6
7.0(8)6
7.1
7.1(2)82
7.1(2)82
7.2
7.2(4)30
7.2(4)30
8.0
8.0(4)28
8.0(4)28
8.1
8.1(2)19
8.1(2)19
Crafted H.323 packet DoS Vulnerability
7.0
7.0(8)6
7.0(8)6
7.1
7.1(2)82
7.1(2)82
7.2
7.2(4)26
7.2(4)30
8.0
8.0(4)24
8.0(4)28
8.1
8.1(2)14
8.1(2)19
Crafted SQL packet DoS vulnerability
7.0
Not vulnerable
7.0(8)6
7.1
Not vulnerable
7.1(2)82
7.2
7.2(4)26
7.2(4)30
8.0
8.0(4)22
8.0(4)28
8.1
8.1(2)12
8.1(2)19
Access control list (ACL) bypass vulnerability
7.0
7.0(8)1
7.0(8)6
7.1
7.1(2)74
7.1(2)82
7.2
7.2(4)9
7.2(4)30
8.0
8.0(4)5
8.0(4)28
8.1
Not vulnerable
8.1(2)19
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
-
The Cisco PSIRT is aware of a publicly available proof of concept exploit for the crafted TCP packet DoS vulnerability. The Cisco PSIRT is not aware of any public announcements or malicious use of the other vulnerabilities described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey, Jeff Jarmoc, and Fernando Medrano from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports.
All other vulnerabilities were found during internal testing and during the resolution of customer service requests.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2
2009-April-13
Changed recommended release from 8.1(2)16 to 8.1(2)19 in Crafted HTTP packet DoS Vulnerability section of software table.
Revision 1.1
2009-April-08
Revision 1.0
2009-April-08
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.