T-536: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls

January 18, 2011 - 2:30pm

PROBLEM:

Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls.

PLATFORM:

Cisco 5500 Series Adaptive Security Appliances (ASA)

ABSTRACT:

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability.

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features:

* SSL VPNs
* Cisco Adaptive Security Device Manager (ASDM) Administrative Access
* Telnet Access
* SSH Access
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection

SIP Inspection Denial of Service Vulnerabilities:

Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default.

REFERENCE LINKS:

* Security Focus Bugtraq ID: 45768
* SecurityTracker Alert ID: 1024963
* CVE-2010-4692
* CVE-2010-4691
* CVE-2010-4690
* CVE-2010-4689
* CVE-2010-4688
* CVE-2010-4682
* CVE-2010-4681
* CVE-2010-4680
* CVE-2010-4679
* CVE-2010-4678
* CVE-2010-4677
* CVE-2010-4676
* CVE-2010-4675
* CVE-2010-4674
* CVE-2010-4673
* CVE-2010-4672
* CVE-2010-4670
* CVE-2009-5037
* Cisco Security Advisory KB25382
* Cisco Release Notes

IMPACT ASSESSMENT:

High

Discussion:

TCP Connection Exhaustion Denial of Service Vulnerability:

Successful exploitation of this vulnerability may lead to an exhaustion condition in which the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (such as Telnet, SSH, or HTTPS), a serial console connection may be needed to access the appliance. This vulnerability was discovered during the resolution of a customer service request.

SIP Inspection Denial of Service Vulnerabilities:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Cisco Bug ID CSCsy91157 was discovered during internal testing. Cisco Bug ID CSCtc96018 was discovered during the resolution of customer service requests.

SCCP Inspection Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during the resolution of customer service requests.

WebVPN DTLS Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during the resolution of customer service requests.

Crafted TCP Segment Denial of Service Vulnerability:

Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. This vulnerability was discovered during internal testing.

Crafted IKE Message Denial of Service Vulnerability:

Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote access) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels. This vulnerability was discovered during the resolution of customer service requests.

NTLMv1 Authentication Bypass Vulnerability:

Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance. This vulnerability was discovered during internal testing.

Solution:

Cisco has issued a fix (8.3(2)).

Cisco has released free software updates that address these vulnerabilities. Before deploying the software, customers should consult their maintenance provider or check the software for feature-set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license.

Cisco Update