VARIoT IoT vulnerabilities database

Unspecified vulnerability in the IKE implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.11), 7.1 and 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8.1 before 8.1(2.44), 8.2 before 8.2(2.10), and 8.3 before 8.3(1.1) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via a crafted IKE message, aka Bug ID CSCte46507. plural Cisco Run on product IKE The implementation of IKE Service operation disruption due to incomplete message processing (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCte46507 It is a problem.Skillfully crafted by a third party IKE Service disruption via message (DoS) There is a possibility of being put into a state. Cisco ASA security appliances are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the affected device to reload, denying service to legitimate users. This issue is documented in Cisco bug ID CSCte46507. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_notice_cisco_asa_5500_series_adaptive_sec_app_sw.html Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8.1 before 8.1(2.44), 8.2 before 8.2(2.17), and 8.3 before 8.3(1.6) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via a sequence of crafted TLS packets, aka Bug ID CSCtf37506. The problem is Bug ID : CSCtd37506 It is a problem.Skillfully crafted by a third party TLS Denial of service through a sequence of packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause the affected device to crash and reload, denying service to legitimate users. This issue being tracked by Cisco bug ID CSCtf37506. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8.1 before 8.1(2.44), 8.2 before 8.2(2.17), and 8.3 before 8.3(1.6) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via a sequence of crafted TLS packets, aka Bug ID CSCtf55259. The problem is Bug ID : CSCtf55259 It is a problem.Skillfully crafted by a third party TLS Denial of service through a sequence of packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause an affected device to crash and reload, denying service to legitimate users. This issue being tracked by Cisco bug ID CSCtf55259. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in webacs/QuickSearchAction.do in the search feature in the web interface in Cisco Wireless Control System (WCS) before 6.0(194.0) and 7.x before 7.0.164 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter, aka Bug ID CSCtf14288. The Cisco Wireless Control System is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks. Cisco Wireless Control System versions 6.0.181.0 and prior are vulnerable. ---------------------------------------------------------------------- Get tweets from Secunia http://twitter.com/secunia ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Cross-Site Scripting Vulnerabilities SECUNIA ADVISORY ID: SA40827 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40827/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40827 RELEASE DATE: 2010-08-06 DISCUSS ADVISORY: http://secunia.com/advisories/40827/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40827/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40827 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Wireless Control System, which can be exploited by malicious people to conduct cross-site scripting attacks. 1) Input passed via the "searchText" parameter to webacs/QuickSearchAction.do is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) Certain input passed to searchClientAction.do and switchGeneralAction.do is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Update to version 6.0.196.0 or later. PROVIDED AND/OR DISCOVERED BY: 1) Tom Neaves 2, 3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html Tom Neaves: http://www.tomneaves.com/Cisco_Wireless_Control_System_XSS.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc77567. plural Cisco Run on product SunRPC The inspection function includes SunRPC UDP Service operation disruption due to incomplete packet processing (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCtc77567 It is a problem.Skillfully crafted by a third party SunRPC UDP Service disruption via packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc77567 and CSCte61710. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_notice_cisco_asa_5500_series_adaptive_sec_app_sw.html Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc79922. plural Cisco Run on product SunRPC The inspection function includes SunRPC UDP Service operation disruption due to incomplete packet processing (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCtc79922 It is a problem.Skillfully crafted by a third party SunRPC UDP Service disruption via packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc79922 and CSCte61622. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_notice_cisco_asa_5500_series_adaptive_sec_app_sw.html Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc85753. plural Cisco Run on product SunRPC The inspection function includes SunRPC UDP Service operation disruption due to incomplete packet processing (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCtc85753 It is a problem.Skillfully crafted by a third party SunRPC UDP Service disruption via packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc85753 and CSCte61662. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_notice_cisco_asa_5500_series_adaptive_sec_app_sw.html Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8.1 before 8.1(2.44), 8.2 before 8.2(2.17), and 8.3 before 8.3(1.6) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via a sequence of crafted TLS packets, aka Bug ID CSCtd32627. The problem is Bug ID : CSCtd32627 Problem.Expertly crafted by a third party TLS Denial of service via sequence of packets (DoS) May be in a state. An attacker can exploit this issue to cause an affected device to crash and reload, denying service to legitimate users. This issue being tracked by Cisco bug ID CSCtd32627. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. This feature is enabled for direct authentication using HTTPS with the "aaa authentication listener https" command, as shown in the following example: ASA(config)# aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the SIP inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.17), 8.1 before 8.1(2.45), and 8.2 before 8.2(2.13) allows remote attackers to cause a denial of service (device reload) via crafted SIP packets, aka Bug ID CSCtd32106. The problem is Bug ID : CSCtd32106 It is a problem.Skillfully crafted by a third party SIP Service disruption via packets (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to cause a vulnerable device to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug ID CSCtd32106. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40842 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40842/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40842/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40842/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40842 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco ASA (Adaptive Security Appliance) 5500 Series, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. This can be exploited to reload a device via specially crafted UDP SunRPC packets that transit the appliance. 3) An error in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload via a specially crafted SIP packet that transits the appliance via TCP or UDP port 5060. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-asa: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . There are workarounds for some of the vulnerabilities disclosed in this advisory. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the "show service-policy | include sunrpc" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include sunrpc Inspect: sunrpc, packet 0, drop 0, reset-drop 0 The following configuration commands are used to enable SunRPC inspection in the Cisco ASA. class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities. A Cisco ASA device configured for any of the following features is affected: * Secure Socket Layer Virtual Private Network (SSL VPN) * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access when using HTTPS SSL VPN (or WebVPN) is enabled with the "enable <interface name>" command in "webvpn" configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of a SSL VPN configuration. webvpn enable outside ... ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the "http server enable [port]" command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the "http" command in global configuration mode. The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example: ciscoasa# show tls-proxy Maximum number of sessions: 1200 TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3 Server proxy: Trust-point: local_ccm Client proxy: Local dynamic certificate issuer: LOCAL-CA-SERVER Local dynamic certificate key-pair: phone_common Cipher suite: aes128-sha1 aes256-sha1 Run-time proxies: Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip Active sess 1, most sess 3, byte 3456043 ... <output truncated> TLS proxy supports SIP and Skinny protocols. TLS proxy for Skinny inspection can be enabled using the "inspect skinny <skinny_map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect skinny my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global Note: Secure SCCP uses TCP port 2443; however, it can be configured to a different port. TLS proxy for SIP inspection can be enabled using the "inspect sip <map> tls-proxy <proxy_name>", as shown in the following example: asa(config-pmap)# class inspection_default asa(config-pmap-c)# inspect sip my-inspect tls-proxy my-tls-proxy asa(config)# service-policy global_policy global The Cisco ASA is also vulnerable when the Cut-Through Proxy for Network Access feature is used with HTTPS. Versions 7.0.x, 7.1.x, 7.2.x are not affected. Versions 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that output, such as what is displayed in the following example, is returned. ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of a global configuration shown in the previous example. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html How to Determine the Running Software Version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP. These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable. These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively. Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses. SIP inspection is enabled by default. Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA. Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtc77567, CSCtc79922 and CSCtc85753 - SunRPC Inspection DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32627, CSCtf37506, and CSCtf55259- Transport Layer Security (TLS) DoS Vulnerabilities CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd32106 - Session Initiation Protocol (SIP) Inspection DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCte46507 - Crafted Internet Key Exchange (IKE) Message DoS Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | SunRPC Inspection DoS Vulnerabilities |---------+----------------| | (CSCtc77567, CSCtc79922, and | 8.0 | 8.0(5.19) | | CSCtc85753) |---------+----------------| | | 8.1 | 8.1(2.46) | | |---------+----------------| | | 8.2 | 8.2(2) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | 7.2(5) | | TLS DoS Vulnerabilities (CSCtd32627, |---------+----------------| | CSCtf37506, and CSCtf55259) | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.17) | | |---------+----------------| | | 8.3 | 8.3(1.6) | |----------------------------------------+---------+----------------| | | 7.0 | Not vulnerable | | |---------+----------------| | | 7.1 | Not vulnerable | | |---------+----------------| | | 7.2 | Not vulnerable | | SIP Inspection DoS Vulnerability |---------+----------------| | (CSCtd32106) | 8.0 | 8.0(5.17) | | |---------+----------------| | | 8.1 | 8.1(2.45) | | |---------+----------------| | | 8.2 | 8.2(2.13) | | |---------+----------------| | | 8.3 | Not vulnerable | |----------------------------------------+---------+----------------| | | 7.0 | 7.0(8.11) | | |---------+----------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5) | | |---------+----------------| | IKE Message DoS Vulnerability | 7.2 | 7.2(5) | | (CSCte46507) |---------+----------------| | | 8.0 | 8.0(5.15) | | |---------+----------------| | | 8.1 | 8.1(2.44) | | |---------+----------------| | | 8.2 | 8.2(2.10) | | |---------+----------------| | | 8.3 | 8.3(1.1) | +-------------------------------------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Refer to the EOL/EOS for the Cisco ASA 5500 Series Adaptive Security Appliance Software v7.1 notice for further information: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_notice_cisco_asa_5500_series_adaptive_sec_app_sw.html Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. +-------------------------------------------------------------------+ | Major Release | Recommended Release | |---------------------+---------------------------------------------| | 7.0 | 7.0(8.11) | |---------------------+---------------------------------------------| | 7.1 | Vulnerable; migrate to 7.2(5) | |---------------------+---------------------------------------------| | 7.2 | 7.2(5) | |---------------------+---------------------------------------------| | 8.0 | 8.0(5.19) | |---------------------+---------------------------------------------| | 8.1 | 8.1(2.47) | |---------------------+---------------------------------------------| | 8.2 | 8.2(2.17) | |---------------------+---------------------------------------------| | 8.3 | 8.3(2) | +-------------------------------------------------------------------+ Software Download ~~~~~~~~~~~~~~~~~ Cisco ASA Software versions 7.0(8.11), 8.0(5.19), 8.1(2.46), and 8.2(2.17) can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Cisco ASA Software versions 7.2(5) and 8.3(2) can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=279513386 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-asa.shtml SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. Transport Layer Security (TLS) Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the "clear configure webvpn" command. Administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the http command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities. The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS Cut-Through Proxy authentication use the "no aaa authentication listener https" command, as shown in the following example: ASA(config)# no aaa authentication listener https inside port 443 Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The "no crypto isakmp enable <interface-name>" command can be used to disable IKE on a specific interface. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. One of the TLS DoS vulnerabilities was reported to Cisco by CERT-FI. All the other vulnerabilities described in this advisory were found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWYoH86n/Gc8U/uARAg8JAJ0W8ZSUZ0ldj0ncoIfxVKVuVeieygCgkLs4 GGmQ+3yNpX0udKpkA2431fg= =yQWz -----END PGP SIGNATURE-----

Unspecified vulnerability in the SunRPC inspection feature on the Cisco Firewall Services Module (FWSM) with software 3.1 before 3.1(17.2), 3.2 before 3.2(16.1), 4.0 before 4.0(10.1), and 4.1 before 4.1(1.1) for Catalyst 6500 series switches and 7600 series routers allows remote attackers to cause a denial of service (device reload) via crafted SunRPC messages, aka Bug ID CSCte61710. The Cisco Firewall Services Module is a firewall service module used on multiple cisco products. The Cisco FWSM is affected by three vulnerabilities that can cause device reloads when handling specially crafted SunRPC messages when SunRPC detection is enabled. Cisco ASA 5500 Series Adaptive Security Appliances and the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are prone to a denial-of-service vulnerability that affects the SunRPC inspection engine. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc77567 and CSCte61710. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 RELEASE DATE: 2010-08-06 DISCUSS ADVISORY: http://secunia.com/advisories/40843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-fwsm: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Repeated exploitation could result in a sustained DoS condition. Cisco has released free software updates that address these vulnerabilities. Workarounds are available for the vulnerabilities disclosed in this advisory. Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by these vulnerabilities only if SunRPC inspection is enabled. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, use the "show service-policy | include sunrpc" command and confirm that the command returns output, as shown in the following example: fwsm#show service-policy | include sunrpc Inspect: sunrpc , packet 0, drop 0, reset-drop 0 Alternatively, a device that has SunRPC inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by this vulnerability when configured in multi-mode (with virtual firewalls) and with any of the following features: * ASDM Administrative Access * Telnet * SSH To verify if the FWSM is running in multiple mode, use the "show mode" command, as shown in the following example: FWSM(config)#show mode Security context mode: multiple The flash mode is the SAME as the running mode. The following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0 /24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Determining Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the version of Cisco FWSM Software that is running, issue the "show module" command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub modules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2: switch>show module Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z 4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD 5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.5(0.46)RFW Ok 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok 3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 5.1(6)E1 Ok 4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 4.2(3) Ok 5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(18)SXF1 Ok [...] After locating the correct slot, issue the "show module <slot number>" command to identify the software version that is running, as shown in the following example: switch>show module 2 Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok [...] The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the column under "Sw." Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the "show module" command; therefore, executing the "show module <slot number>" command is not necessary. If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the "show module switch all" command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the "show module <slot number>" but will include module information for the modules in each switch in the VSS. Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example: FWSM> show version FWSM Firewall Version 3.2(2)10 [...] Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. Note: These vulnerabilities are only triggered by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities. TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which includes routing tables, firewall features, and management. The Cisco FWSM is only affected by this vulnerability when is configured in multi-mode (with virtual firewalls) and configured to accept Telnet, SSH or ASDM connections. Note: A TCP three-way handshake is needed to exploit this vulnerability. This vulnerability is only triggered by traffic that is destined to the affected device; transit traffic does not trigger this vulnerability. This vulnerability is documented in Cisco bug ID CSCtg68694 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2821. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCte61710, CSCte61622, CSCte61662 - Passthrough traffic crashes FWSM with SunRPC inspection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtg68694 - FWSM may crash with certain TCP sessions in multiple mode CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of all the vulnerabilities described in this security advisory may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |--------------------------------------------+---------+------------| | | 3.1 | 3.1(17.2) | | |---------+------------| | SunRPC Inspection Denial of Service | 3.2 | 3.2(16.1) | | Vulnerabilities (CSCte61710, CSCte61622, |---------+------------| | and CSCte61662) | 4.0 | 4.0(10.1) | | |---------+------------| | | 4.1 | 4.1(1.1) | |--------------------------------------------+---------+------------| | | 3.1 | Not | | | | vulnerable | | |---------+------------| | TCP Denial of Service Vulnerability | 3.2 | 3.2(17.2) | | (CSCtg68694) |---------+------------| | | 4.0 | 4.0(11.1) | | |---------+------------| | | 4.1 | 4.1(1.2) | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. The TCP DoS vulnerability can be mitigated by only allowing trusted hosts to communicate with the FWSM via HTTPs, SSH, or Telnet. For example, the following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0/24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-fwsm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during the troubleshooting of customer service requests and internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWMiN86n/Gc8U/uARAvJgAJ0S+X3dxciSvVwJbXA8vWnsb9lqkQCfcOna 6FAY8ScwLN4d+dsW3tBl5LU= =lHQS -----END PGP SIGNATURE-----

Unspecified vulnerability in the SunRPC inspection feature on the Cisco Firewall Services Module (FWSM) with software 3.1 before 3.1(17.2), 3.2 before 3.2(16.1), 4.0 before 4.0(10.1), and 4.1 before 4.1(1.1) for Catalyst 6500 series switches and 7600 series routers allows remote attackers to cause a denial of service (device reload) via crafted SunRPC messages, aka Bug ID CSCte61622. The Cisco Firewall Services Module is a firewall service module used on multiple cisco products. The Cisco FWSM is affected by three vulnerabilities that can cause device reloads when handling specially crafted SunRPC messages when SunRPC detection is enabled. Cisco ASA 5500 Series Adaptive Security Appliances and the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are prone to a denial-of-service vulnerability that affects the Sun RPC inspection engine. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc79922 and CSCte61622. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 RELEASE DATE: 2010-08-06 DISCUSS ADVISORY: http://secunia.com/advisories/40843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-fwsm: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Repeated exploitation could result in a sustained DoS condition. Cisco has released free software updates that address these vulnerabilities. Workarounds are available for the vulnerabilities disclosed in this advisory. Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by these vulnerabilities only if SunRPC inspection is enabled. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, use the "show service-policy | include sunrpc" command and confirm that the command returns output, as shown in the following example: fwsm#show service-policy | include sunrpc Inspect: sunrpc , packet 0, drop 0, reset-drop 0 Alternatively, a device that has SunRPC inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by this vulnerability when configured in multi-mode (with virtual firewalls) and with any of the following features: * ASDM Administrative Access * Telnet * SSH To verify if the FWSM is running in multiple mode, use the "show mode" command, as shown in the following example: FWSM(config)#show mode Security context mode: multiple The flash mode is the SAME as the running mode. The following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0 /24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Determining Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the version of Cisco FWSM Software that is running, issue the "show module" command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub modules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2: switch>show module Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z 4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD 5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.5(0.46)RFW Ok 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok 3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 5.1(6)E1 Ok 4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 4.2(3) Ok 5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(18)SXF1 Ok [...] After locating the correct slot, issue the "show module <slot number>" command to identify the software version that is running, as shown in the following example: switch>show module 2 Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok [...] The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the column under "Sw." Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the "show module" command; therefore, executing the "show module <slot number>" command is not necessary. If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the "show module switch all" command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the "show module <slot number>" but will include module information for the modules in each switch in the VSS. Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example: FWSM> show version FWSM Firewall Version 3.2(2)10 [...] Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. Note: These vulnerabilities are only triggered by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities. TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which includes routing tables, firewall features, and management. The Cisco FWSM is only affected by this vulnerability when is configured in multi-mode (with virtual firewalls) and configured to accept Telnet, SSH or ASDM connections. Note: A TCP three-way handshake is needed to exploit this vulnerability. This vulnerability is only triggered by traffic that is destined to the affected device; transit traffic does not trigger this vulnerability. This vulnerability is documented in Cisco bug ID CSCtg68694 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2821. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCte61710, CSCte61622, CSCte61662 - Passthrough traffic crashes FWSM with SunRPC inspection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtg68694 - FWSM may crash with certain TCP sessions in multiple mode CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of all the vulnerabilities described in this security advisory may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |--------------------------------------------+---------+------------| | | 3.1 | 3.1(17.2) | | |---------+------------| | SunRPC Inspection Denial of Service | 3.2 | 3.2(16.1) | | Vulnerabilities (CSCte61710, CSCte61622, |---------+------------| | and CSCte61662) | 4.0 | 4.0(10.1) | | |---------+------------| | | 4.1 | 4.1(1.1) | |--------------------------------------------+---------+------------| | | 3.1 | Not | | | | vulnerable | | |---------+------------| | TCP Denial of Service Vulnerability | 3.2 | 3.2(17.2) | | (CSCtg68694) |---------+------------| | | 4.0 | 4.0(11.1) | | |---------+------------| | | 4.1 | 4.1(1.2) | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. The TCP DoS vulnerability can be mitigated by only allowing trusted hosts to communicate with the FWSM via HTTPs, SSH, or Telnet. For example, the following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0/24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-fwsm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during the troubleshooting of customer service requests and internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWMiN86n/Gc8U/uARAvJgAJ0S+X3dxciSvVwJbXA8vWnsb9lqkQCfcOna 6FAY8ScwLN4d+dsW3tBl5LU= =lHQS -----END PGP SIGNATURE-----

Unspecified vulnerability in the SunRPC inspection feature on the Cisco Firewall Services Module (FWSM) with software 3.1 before 3.1(17.2), 3.2 before 3.2(16.1), 4.0 before 4.0(10.1), and 4.1 before 4.1(1.1) for Catalyst 6500 series switches and 7600 series routers allows remote attackers to cause a denial of service (device reload) via crafted SunRPC messages, aka Bug ID CSCte61662. The Cisco Firewall Services Module is a firewall service module used on multiple cisco products. The Cisco FWSM is affected by three vulnerabilities that can cause device reloads when handling specially crafted SunRPC messages when SunRPC detection is enabled. Cisco ASA 5500 Series Adaptive Security Appliances and the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are prone to a denial-of-service vulnerability that affects the Sun RPC inspection engine. An attacker can exploit this issue to cause affected devices to reload, triggering a denial-of-service condition. This issue is tracked by Cisco Bug IDs CSCtc85753 and CSCte61662. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Cisco Firewall Services Module Multiple Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA40843 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40843/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 RELEASE DATE: 2010-08-06 DISCUSS ADVISORY: http://secunia.com/advisories/40843/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40843/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40843 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Firewall Services Module (FWSM), which can be exploited by malicious people to cause a DoS (Denial of Service). 1) Three errors exist in the SunRPC inspection engine while processing certain SunRPC messages. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20100804-fwsm: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Repeated exploitation could result in a sustained DoS condition. Cisco has released free software updates that address these vulnerabilities. Workarounds are available for the vulnerabilities disclosed in this advisory. Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. SunRPC Inspection Denial of Service Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by these vulnerabilities only if SunRPC inspection is enabled. SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, use the "show service-policy | include sunrpc" command and confirm that the command returns output, as shown in the following example: fwsm#show service-policy | include sunrpc Inspect: sunrpc , packet 0, drop 0, reset-drop 0 Alternatively, a device that has SunRPC inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sunrpc ... The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cisco FWSM Software version 3.x and 4.x are affected by this vulnerability when configured in multi-mode (with virtual firewalls) and with any of the following features: * ASDM Administrative Access * Telnet * SSH To verify if the FWSM is running in multiple mode, use the "show mode" command, as shown in the following example: FWSM(config)#show mode Security context mode: multiple The flash mode is the SAME as the running mode. The following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0 /24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Determining Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the version of Cisco FWSM Software that is running, issue the "show module" command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub modules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2: switch>show module Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z 4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD 5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.5(0.46)RFW Ok 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok 3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 5.1(6)E1 Ok 4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 4.2(3) Ok 5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(18)SXF1 Ok [...] After locating the correct slot, issue the "show module <slot number>" command to identify the software version that is running, as shown in the following example: switch>show module 2 Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 3.2(2)10 Ok [...] The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the column under "Sw." Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the "show module" command; therefore, executing the "show module <slot number>" command is not necessary. If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the "show module switch all" command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the "show module <slot number>" but will include module information for the modules in each switch in the VSS. Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example: FWSM> show version FWSM Firewall Version 3.2(2)10 [...] Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. Note: These vulnerabilities are only triggered by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities. TCP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, which includes routing tables, firewall features, and management. The Cisco FWSM is only affected by this vulnerability when is configured in multi-mode (with virtual firewalls) and configured to accept Telnet, SSH or ASDM connections. Note: A TCP three-way handshake is needed to exploit this vulnerability. This vulnerability is only triggered by traffic that is destined to the affected device; transit traffic does not trigger this vulnerability. This vulnerability is documented in Cisco bug ID CSCtg68694 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2821. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCte61710, CSCte61622, CSCte61662 - Passthrough traffic crashes FWSM with SunRPC inspection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtg68694 - FWSM may crash with certain TCP sessions in multiple mode CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of all the vulnerabilities described in this security advisory may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-------------------------------------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |--------------------------------------------+---------+------------| | | 3.1 | 3.1(17.2) | | |---------+------------| | SunRPC Inspection Denial of Service | 3.2 | 3.2(16.1) | | Vulnerabilities (CSCte61710, CSCte61622, |---------+------------| | and CSCte61662) | 4.0 | 4.0(10.1) | | |---------+------------| | | 4.1 | 4.1(1.1) | |--------------------------------------------+---------+------------| | | 3.1 | Not | | | | vulnerable | | |---------+------------| | TCP Denial of Service Vulnerability | 3.2 | 3.2(17.2) | | (CSCtg68694) |---------+------------| | | 4.0 | 4.0(11.1) | | |---------+------------| | | 4.1 | 4.1(1.2) | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Administrators can disable SunRPC inspection by issuing the "no inspect sunrpc" command in class configuration sub-mode within policy-map configuration. The TCP DoS vulnerability can be mitigated by only allowing trusted hosts to communicate with the FWSM via HTTPs, SSH, or Telnet. For example, the following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0/24 network to create ASDM, SSH or Telnet connections: asa(config)# http server enable asa(config)# http 192.168.1.0 255.255.255.0 inside asa(config)# telnet 192.168.1.0 255.255.255.0 inside asa(config)# ssh 192.168.1.0 255.255.255.0 inside Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100804-fwsm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during the troubleshooting of customer service requests and internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-04 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMWMiN86n/Gc8U/uARAvJgAJ0S+X3dxciSvVwJbXA8vWnsb9lqkQCfcOna 6FAY8ScwLN4d+dsW3tBl5LU= =lHQS -----END PGP SIGNATURE-----

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENWorks Remote Management. Access to a single node with Remote Management client installed and configured is required.The specific flaw exists within the storage of Remote Management authentication information on the client. The client utilizes a password stored in the registry that is common among all nodes. This can be exploited by an attacker to execute remote code on any target with the client installed. Novell ZENworks Configuration Management is a desktop management software that helps customers reduce their IT ownership costs. Novell ZENworks Server and desktop management have security vulnerabilities that allow malicious users to bypass some security restrictions. Novell ZENworks is prone to a security-bypass vulnerability. The following applications are vulnerable: Novell ZENworks for Servers 3.0.2 Novell ZENworks for Desktops 4 Novell ZENworks for Desktops 4.0.1 Novell ZENworks Server Management 7.ZSM7 SP1 Novell ZENworks Desktop Management 7.ZDM7 SP1. ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Novell ZENworks Remote Management Password Authentication Security Issue SECUNIA ADVISORY ID: SA40838 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40838/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40838 RELEASE DATE: 2010-08-05 DISCUSS ADVISORY: http://secunia.com/advisories/40838/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40838/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40838 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in Novell ZENworks Server and Desktop Management, which can be exploited by malicious people to bypass certain security restrictions. when a common password has been distributed via NAL or TED). SOLUTION: The vendor recommends disabling password mode of authentication in the Remote Management policy (disabled by default). Alternatively, the vendor suggests to only distribute a common password via NAL or TED in trusted environments. PROVIDED AND/OR DISCOVERED BY: The vendor credits TippingPoint ZDI. ORIGINAL ADVISORY: Novell: http://www.novell.com/support/viewContent.do?externalId=7006557&sliceId=1 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://www.novell.com/support/search.do?cmd=displayKC&amp;docType=kc&amp;externalId=7006557&amp;sliceId=1&amp;docTypeID=DT_TID_1_1&amp;dialogID=80488553&amp;stateId=1%200%2080486291 -- Disclosure Timeline: 2010-06-07 - Vulnerability reported to vendor 2010-08-09 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

D-Link WBR-2310 is a wireless router device. D-Link WBR-2310 Web Server incorrectly filters specially constructed GET requests. Remote attackers can use the vulnerability to perform denial of service attacks on service programs. D-Link WBR-2310 is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. This issue occurs in the device's webserver. D-Link WBR-2310 firmware version 1.04 is vulnerable; other versions may also be affected

The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. It is relatively easy to find a string that has the same hash value as a regular password.Authentication by attacker API (loginLib) May be used to access services using. The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. VxWorks is prone to a security vulnerability due to an insecure-hashing algorithm. The issue affects multiple products from multiple vendors that ship with the VxWorks operating system. NOTE: This document previously covered two vulnerabilities in VxWorks. The remote security-bypass issue has been moved to BID 42158 (VxWorks Debugging Service Security-Bypass Vulnerability) to allow for better documentation of both issues. This flaw occurs due to an insecure password hashing implementation in the authentication library (loginLib) of the VxWorks operating system. Regardless of what password is set for a particular account, there are a only small number (~210k) of possible hash outputs. Typical passwords consisting of alphanumeric characters and symbols fall within an even smaller range of hash outputs (~8k), making this trivial to brute force over the network. To excaberate matters, loginLib has no support for account lockouts and the FTP daemon does not disconnect clients that consistently fail to authenticate. This reduces the brute force time for the FTP service to approximately 30 minutes. To demonstrate the hash weakness, the password of "insecure" hashes to the value "Ry99dzRcy9". The password of "s{{{{{^O" also hashes to the same output. The hashing algorithm itself is based on an additive sum with a small XOR operation. The resulting sums are then transformed to a printable string, but the range of possible intermediate values is limited and mostly sequential. The entire collision table has been precomputed and will be released in early September as an input file for common brute force tools. More information about the hashing algorithm itself is available at the Metasploit blog post below: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html There are three requirements for this vulnerability to be exploited: * The device must be running at least one service that uses loginLib for authentication. Telnet and FTP do so by default. * A valid username must be known to the attacker. This is usually easy to determine through product manuals or a cursory review of the firmware binaries. * The target service must be using with default loginLib library and must not have changed the authentication function to point to a custom backend. A typical VxWorks device will meet all three requirements by default, but customization by the device manufacturer may preclude this from being exploited. In general, if the device displays a VxWorks banner for Telnet or FTP, it is more than likely vulnerable. -- Vendor Response: Wind River Systems has notified their customers of the issue and suggested that each downstream vendor replace the existing hash implementation with SHA512 or SHA256. The exact extent of the vulnerability and the complete list of affected devices is not known at this time. Example code from Wind River Systems has been supplied to CERT and is included in the advisory below: http://www.kb.cert.org/vuls/id/840249 -- Disclosure Timeline: 2009-06-02 - Vulnerability reported to CERT for vendor notification 2009-08-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by HD Moore -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp

The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system. It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications. Consult the VxWorks Kernel Programmer's guide for more information on WDB.Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog. An attacker can use the debug service to fully compromise the device. The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system. For example, when logging in with the default 'target/password', 'y{{{{{SS' will HASH out the same result as 'password'. So you can use 'password' and 'y{{{{{SS' as the password to log in. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network. R7-0034: VxWorks WDB Agent Debug Service Exposure August 2, 2010 -- Rapid7 Customer Protection: Rapid7 NeXpose customers have access to a vulnerability check for this flaw as of the latest update. More information about this check can be found online at: http://www.rapid7.com/vulndb/lookup/vxworks-wdbrpc-exposed -- Vulnerability Details: This vulnerability allows remote attackers to read memory, write memory, execute code, and ultimately take complete control of the affected device. This issue affects over 100 different vendors and a multitude of products, both shipping and end-of-life. A spreadsheet of identified products affected by this flaw can be found at the URL below. This index is not comprehensive and not all devices found are still supported. http://www.metasploit.com/data/confs/bsideslv2010/VxWorksDevices.xls This flaw occurs due to an insecure setting in the configuration file of the manufacturer's source code. This setting results in a system- debug service being exposed on UDP port 17185. More information about this issue can be found at the Metasploit blog: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html -- Vendor Response: Wind River Systems has notified their customers of the issue and indicated that the WDB agent should be disabled for production builds. CERT has notified every vendor with an identified, shipping product containing this vulnerability. Responses for each specific vendor can be found in the CERT advisory: http://www.kb.cert.org/vuls/id/362332 -- Disclosure Timeline: 2010-06-02 - Vulnerability reported to CERT for vendor notification 2010-08-02 - Coordinated public release of advisory -- Credit: This vulnerability had been discovered in specific devices in multiple instances, first by Bennett Todd in 2002 and then Shawn Merdinger in 2005. A comprehensive analysis of all affected devices was conducted by HD Moore in 2010. -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp

The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and earlier uses the LOGIN_USER_NAME and LOGIN_USER_PASSWORD (aka LOGIN_PASSWORD) parameters to create hardcoded credentials, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system. It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications. Consult the VxWorks Kernel Programmer's guide for more information on WDB.Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog. An attacker can use the debug service to fully compromise the device. The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system. For example, when logging in with the default 'target/password', 'y{{{{{SS' will HASH out the same result as 'password'. So you can use 'password' and 'y{{{{{SS' as the password to log in. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network. R7-0034: VxWorks WDB Agent Debug Service Exposure August 2, 2010 -- Rapid7 Customer Protection: Rapid7 NeXpose customers have access to a vulnerability check for this flaw as of the latest update. More information about this check can be found online at: http://www.rapid7.com/vulndb/lookup/vxworks-wdbrpc-exposed -- Vulnerability Details: This vulnerability allows remote attackers to read memory, write memory, execute code, and ultimately take complete control of the affected device. This issue affects over 100 different vendors and a multitude of products, both shipping and end-of-life. A spreadsheet of identified products affected by this flaw can be found at the URL below. This index is not comprehensive and not all devices found are still supported. http://www.metasploit.com/data/confs/bsideslv2010/VxWorksDevices.xls This flaw occurs due to an insecure setting in the configuration file of the manufacturer's source code. This setting results in a system- debug service being exposed on UDP port 17185. More information about this issue can be found at the Metasploit blog: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html -- Vendor Response: Wind River Systems has notified their customers of the issue and indicated that the WDB agent should be disabled for production builds. CERT has notified every vendor with an identified, shipping product containing this vulnerability. Responses for each specific vendor can be found in the CERT advisory: http://www.kb.cert.org/vuls/id/362332 -- Disclosure Timeline: 2010-06-02 - Vulnerability reported to CERT for vendor notification 2010-08-02 - Coordinated public release of advisory -- Credit: This vulnerability had been discovered in specific devices in multiple instances, first by Bennett Todd in 2002 and then Shawn Merdinger in 2005. A comprehensive analysis of all affected devices was conducted by HD Moore in 2010. -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804. Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system. It is advisable for production systems to reconfigure VxWorks with only those components needed for deployed operation and to build it as the appropriate type of system image. It is recommended to remove host development components such as the WDB target agent and debugging components (INCLUDE_WDB and INCLUDE_DEBUG) as well as other operating system components that are not required to support customer applications. Consult the VxWorks Kernel Programmer's guide for more information on WDB.Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog. An attacker can use the debug service to fully compromise the device. The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. It is relatively easy to find a string that has the same hash value as a regular password.Authentication by attacker API (loginLib) May be used to access services using. The problem is CVE-2005-3804 May be related toBy a third party UDP An arbitrary memory area may be read or modified, a function call executed, or a task managed through a request to the port. VxWorks is an embedded real-time operating system. VxWorks has multiple security vulnerabilities that allow an attacker to bypass security restrictions and gain unauthorized access to the system. For example, when logging in with the default 'target/password', 'y{{{{{SS' will HASH out the same result as 'password'. So you can use 'password' and 'y{{{{{SS' as the password to log in. Permissions and access control vulnerabilities exist in the WDB Target Agent Debugging Service in Wind River VxWorks 6.x, 5.x and earlier. VxWorks is prone to a remote security-bypass vulnerability. Successful exploits will allow remote attackers to perform debugging tasks on the vulnerable device. The issue affects multiple products from multiple vendors that ship with the VxWorks operating system. NOTE: This issue was previously covered in BID 42114 (VxWorks Multiple Security Vulnerabilities) but has been separated into its own record to better document it. R7-0035: VxWorks Authentication Library Weak Password Hashing August 2, 2010 -- Vulnerability Details: This vulnerability allows remote attackers to bypass the authentication process for the Telnet and FTP services of the VxWorks operating system. This flaw occurs due to an insecure password hashing implementation in the authentication library (loginLib) of the VxWorks operating system. Regardless of what password is set for a particular account, there are a only small number (~210k) of possible hash outputs. Typical passwords consisting of alphanumeric characters and symbols fall within an even smaller range of hash outputs (~8k), making this trivial to brute force over the network. To excaberate matters, loginLib has no support for account lockouts and the FTP daemon does not disconnect clients that consistently fail to authenticate. This reduces the brute force time for the FTP service to approximately 30 minutes. To demonstrate the hash weakness, the password of "insecure" hashes to the value "Ry99dzRcy9". The hashing algorithm itself is based on an additive sum with a small XOR operation. The resulting sums are then transformed to a printable string, but the range of possible intermediate values is limited and mostly sequential. The entire collision table has been precomputed and will be released in early September as an input file for common brute force tools. More information about the hashing algorithm itself is available at the Metasploit blog post below: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html There are three requirements for this vulnerability to be exploited: * The device must be running at least one service that uses loginLib for authentication. Telnet and FTP do so by default. * A valid username must be known to the attacker. This is usually easy to determine through product manuals or a cursory review of the firmware binaries. A typical VxWorks device will meet all three requirements by default, but customization by the device manufacturer may preclude this from being exploited. In general, if the device displays a VxWorks banner for Telnet or FTP, it is more than likely vulnerable. -- Vendor Response: Wind River Systems has notified their customers of the issue and suggested that each downstream vendor replace the existing hash implementation with SHA512 or SHA256. The exact extent of the vulnerability and the complete list of affected devices is not known at this time. Example code from Wind River Systems has been supplied to CERT and is included in the advisory below: http://www.kb.cert.org/vuls/id/840249 -- Disclosure Timeline: 2009-06-02 - Vulnerability reported to CERT for vendor notification 2009-08-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by HD Moore -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp

Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe. Successfully exploiting this issue can allow attackers to elevate privileges, leading to a complete compromise of the device. iOS versions 4.0.1 and prior are vulnerable. NOTE (August 12, 2010): This BID was previously titled 'Apple iOS Multiple Vulnerabilities' and included details about a remote code-execution vulnerability. Following further analysis, we determined that the remote code-execution issue was already documented in BID 42241 (FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow Vulnerabilities). ---------------------------------------------------------------------- "From 2007 to 2009 vulnerabilities in a typical end-user PC almost doubled from about 220 to 420." Non-Microsoft software to blame for increase in vulnerabilities affecting typical Windows end-users, read more: http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf ---------------------------------------------------------------------- TITLE: Apple iOS Security Bypass and PDF File Processing Vulnerability SECUNIA ADVISORY ID: SA40807 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40807/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40807 RELEASE DATE: 2010-08-03 DISCUSS ADVISORY: http://secunia.com/advisories/40807/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40807/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40807 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to compromise a user's system. 1) An error in the processing of PDF files can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page. 2) An unspecified error in the kernel can be exploited to gain escalated privileges. The vulnerabilities are reported in 4.0.1. Other versions may also be affected. NOTE: The vulnerabilities are currently exploited to jailbreak a vulnerable device. SOLUTION: Do not browse untrusted sites or follow links from untrusted sources. Do not open PDF files from untrusted sources. PROVIDED AND/OR DISCOVERED BY: comex, disclosed via jailbreakme.com OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information. FreeType 2 Is CFF A vulnerability exists in the handling of fonts. FreeType Is a library for handling various types of font files. FreeType 2 Is CFF A vulnerability exists in the processing of fonts that causes a stack corruption. Attack activity using this vulnerability has been confirmed.Crafted CFF Font FreeType 2 By loading it with an application that uses, arbitrary code may be executed by a remote third party. FreeType is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will likely result in denial-of-service conditions. This BID has been updated to reflect details that may have been included in BID 42151. Apple iOS for iPhone, iPod touch, and iPad is prone to a local privilege-escalation vulnerability that affects the 'IOSurface' component. Successfully exploiting this issue can allow attackers to elevate privileges, leading to a complete compromise of the device. iOS versions 4.0.1 and prior are vulnerable. NOTE (August 12, 2010): This BID was previously titled 'Apple iOS Multiple Vulnerabilities' and included details about a remote code-execution vulnerability. Following further analysis, we determined that the remote code-execution issue was already documented in BID 42241 (FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow Vulnerabilities). It can be used to rasterize and map characters into bitmaps and provide support for other font-related businesses. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/freetype < 2.4.8 >= 2.4.8 Description =========== Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All FreeType users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.4.8" References ========== [ 1 ] CVE-2010-1797 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1797 [ 2 ] CVE-2010-2497 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2497 [ 3 ] CVE-2010-2498 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2498 [ 4 ] CVE-2010-2499 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2499 [ 5 ] CVE-2010-2500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2500 [ 6 ] CVE-2010-2519 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2519 [ 7 ] CVE-2010-2520 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2520 [ 8 ] CVE-2010-2527 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2527 [ 9 ] CVE-2010-2541 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2541 [ 10 ] CVE-2010-2805 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2805 [ 11 ] CVE-2010-2806 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2806 [ 12 ] CVE-2010-2807 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2807 [ 13 ] CVE-2010-2808 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2808 [ 14 ] CVE-2010-3053 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3053 [ 15 ] CVE-2010-3054 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3054 [ 16 ] CVE-2010-3311 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3311 [ 17 ] CVE-2010-3814 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3814 [ 18 ] CVE-2010-3855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3855 [ 19 ] CVE-2011-0226 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0226 [ 20 ] CVE-2011-3256 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3256 [ 21 ] CVE-2011-3439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3439 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-09.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-972-1 August 17, 2010 freetype vulnerabilities CVE-2010-1797, CVE-2010-2541, CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.04 Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libfreetype6 2.1.10-1ubuntu2.8 Ubuntu 8.04 LTS: libfreetype6 2.3.5-1ubuntu4.8.04.4 Ubuntu 9.04: libfreetype6 2.3.9-4ubuntu0.3 Ubuntu 9.10: libfreetype6 2.3.9-5ubuntu0.2 Ubuntu 10.04 LTS: libfreetype6 2.3.11-1ubuntu2.2 After a standard system update you need to restart your session to make all the necessary changes. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10-1ubuntu2.8.diff.gz Size/MD5: 70961 d986f14b69d50fe1884e8dd5f9386731 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10-1ubuntu2.8.dsc Size/MD5: 719 a91985ecc92b75aa3f3647506bad4039 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.1.10.orig.tar.gz Size/MD5: 1323617 adf145ce51196ad1b3054d5fb032efe6 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.8_amd64.deb Size/MD5: 717794 f332d5b1974aa53f200e4e6ecf9df088 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.8_amd64.deb Size/MD5: 440974 afa83868cc67cec692f72a9dc93635ff http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.8_amd64.deb Size/MD5: 133902 dca56851436275285b4563c96388a070 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.8_amd64.udeb Size/MD5: 251958 358627e207009dbe0c5be095e7bed18d i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.8_i386.deb Size/MD5: 677592 ee43f5e97f31b8da57582dbdb1e63033 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.8_i386.deb Size/MD5: 416328 ef092c08ba2c167af0da25ab743ea663 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.8_i386.deb Size/MD5: 117302 b2633ed4487657fe349fd3de76fce405 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.8_i386.udeb Size/MD5: 227436 f55ab8a9bb7e76ad743f6c0fa2974e64 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.8_powerpc.deb Size/MD5: 708654 ee71c714e62e96a9af4cf7ba909142e6 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.8_powerpc.deb Size/MD5: 431036 4f1c6a1e28d3a14b593bef37605119ab http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.8_powerpc.deb Size/MD5: 134260 66ba7d95f551eaadb1bba5a56d76529d http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.8_powerpc.udeb Size/MD5: 241726 d2c4f13b12c8280b1fad56cdc0965502 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.10-1ubuntu2.8_sparc.deb Size/MD5: 683964 49df9101deb9a317229351d72b5804ec http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.10-1ubuntu2.8_sparc.deb Size/MD5: 411982 efaca20d5deec9e51be023710902852b http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.10-1ubuntu2.8_sparc.deb Size/MD5: 120138 ff723720ed499e40049e3487844b9db3 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.10-1ubuntu2.8_sparc.udeb Size/MD5: 222676 71f172ba71fc507b04e5337d55b32ed6 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.5-1ubuntu4.8.04.4.diff.gz Size/MD5: 40949 1cc5014da4db8200edb54df32561fcd0 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.5-1ubuntu4.8.04.4.dsc Size/MD5: 907 7f698125814f4ca67a01b0a66d9bcfe9 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.5.orig.tar.gz Size/MD5: 1536077 4a5bdbe1ab92f3fe4c4816f9934a5ec2 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.5-1ubuntu4.8.04.4_amd64.deb Size/MD5: 694322 c740e1665d09a0c691163a543c8d650b http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.5-1ubuntu4.8.04.4_amd64.deb Size/MD5: 362386 5b085e83764fcda129bede2c5c4ca179 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.5-1ubuntu4.8.04.4_amd64.deb Size/MD5: 221392 dbebbbaffc086dccf550468fff1daa92 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.3.5-1ubuntu4.8.04.4_amd64.udeb Size/MD5: 258454 f3903d4e43891753f3c6439cd862617f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.5-1ubuntu4.8.04.4_i386.deb Size/MD5: 663330 7601af27049730f0f7afcfa30244ae88 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.5-1ubuntu4.8.04.4_i386.deb Size/MD5: 347172 de53a441e28e385598d20333ff636026 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.5-1ubuntu4.8.04.4_i386.deb Size/MD5: 201266 c9c50bdc87d0a46fc43f3bbca26adec5 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.3.5-1ubuntu4.8.04.4_i386.udeb Size/MD5: 243462 16bb61f604fe48a301f6faeaa094d266 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.5-1ubuntu4.8.04.4_lpia.deb Size/MD5: 665120 bf0dcd13b8a171f6a740ca225d943e68 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.5-1ubuntu4.8.04.4_lpia.deb Size/MD5: 347512 d2beee3ccf7fe0233825d46cc61ca62d http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.5-1ubuntu4.8.04.4_lpia.deb Size/MD5: 205560 7879f630a5356e3d6e9c0609e8008de9 http://ports.ubuntu.com/pool/universe/f/freetype/libfreetype6-udeb_2.3.5-1ubuntu4.8.04.4_lpia.udeb Size/MD5: 244324 4e10fb5e68a78312eb02c69508120c6a powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.5-1ubuntu4.8.04.4_powerpc.deb Size/MD5: 687156 6d36300396fa84d6f889147b0247f385 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.5-1ubuntu4.8.04.4_powerpc.deb Size/MD5: 358086 06b9874cc9ba11fdb6feb10b0831e890 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.5-1ubuntu4.8.04.4_powerpc.deb Size/MD5: 235578 ce514bab4cbc028a0451742c38c633cd http://ports.ubuntu.com/pool/universe/f/freetype/libfreetype6-udeb_2.3.5-1ubuntu4.8.04.4_powerpc.udeb Size/MD5: 254526 d50f40a9421b52f4302c4d260170edb3 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.5-1ubuntu4.8.04.4_sparc.deb Size/MD5: 658094 184f0f51023baa8ce459fababaa190d9 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.5-1ubuntu4.8.04.4_sparc.deb Size/MD5: 332124 5aa036de5269896c893ea8f825329b84 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.5-1ubuntu4.8.04.4_sparc.deb Size/MD5: 199782 9323f9209333cf42114e97d3305d901c http://ports.ubuntu.com/pool/universe/f/freetype/libfreetype6-udeb_2.3.5-1ubuntu4.8.04.4_sparc.udeb Size/MD5: 227810 7657e99ad137ad5ce654b74cfbbfdc10 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9-4ubuntu0.3.diff.gz Size/MD5: 44032 17b27322a6448d40599c55561209c940 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9-4ubuntu0.3.dsc Size/MD5: 1311 5124a4df7016a625a631c1ff4661aae9 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9.orig.tar.gz Size/MD5: 1624314 7b2ab681f1a436876ed888041204e478 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.9-4ubuntu0.3_amd64.deb Size/MD5: 729408 788a2af765a8356c4a7c01e893695b0b http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.9-4ubuntu0.3_amd64.udeb Size/MD5: 272950 a1f9a0ad0d036e5a14b073c139ce5408 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.9-4ubuntu0.3_amd64.deb Size/MD5: 407052 bfd510dc0c46a0f25dd3329693ee66a8 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.9-4ubuntu0.3_amd64.deb Size/MD5: 226474 9b8e6c521d8629b9b1db2760209460a3 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.9-4ubuntu0.3_i386.deb Size/MD5: 697818 9176ee8649b8441333d7c5d9359c53a6 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.9-4ubuntu0.3_i386.udeb Size/MD5: 257896 c26f46491d69a174fa9cad126a3201cf http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.9-4ubuntu0.3_i386.deb Size/MD5: 392692 648d0605a187b74291b3233e5e4930e3 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.9-4ubuntu0.3_i386.deb Size/MD5: 198834 0b41da08de5417a7db21e24e730e03d9 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-4ubuntu0.3_lpia.deb Size/MD5: 698682 12c20dd647db986bd87a250d8706e8e8 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-4ubuntu0.3_lpia.udeb Size/MD5: 257736 dee60e4b8a1824d2aa13364ec0f01602 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-4ubuntu0.3_lpia.deb Size/MD5: 392978 e19bcc3c8c0cec76227c64843b01516a http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-4ubuntu0.3_lpia.deb Size/MD5: 201636 a558e986b6c6e878e115126e7d3a28a5 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-4ubuntu0.3_powerpc.deb Size/MD5: 720040 70c8792cddd9cfe45480f8d760dd0163 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-4ubuntu0.3_powerpc.udeb Size/MD5: 265790 b356a500845d045f431db6ef4db4f811 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-4ubuntu0.3_powerpc.deb Size/MD5: 400532 91aa4eea6b8e9b67a721b552caab8468 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-4ubuntu0.3_powerpc.deb Size/MD5: 227834 fa22e303b8d06dfb99a8c3c1f2980061 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-4ubuntu0.3_sparc.deb Size/MD5: 689244 dff22369b1bb07d4ef7c6d9f474149db http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-4ubuntu0.3_sparc.udeb Size/MD5: 238164 cb1e597bd0065d2ffbad763a52088c1d http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-4ubuntu0.3_sparc.deb Size/MD5: 372422 c6f36ae3119f8f17368d796943ba9908 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-4ubuntu0.3_sparc.deb Size/MD5: 201390 c3f108859375787b11190d3c5a1d966b Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9-5ubuntu0.2.diff.gz Size/MD5: 43530 f78681f1641b93f34d41ff4d6f31eb71 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9-5ubuntu0.2.dsc Size/MD5: 1311 8a9a302e0a62f2dbe2a62aba456e2108 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.9.orig.tar.gz Size/MD5: 1624314 7b2ab681f1a436876ed888041204e478 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.9-5ubuntu0.2_amd64.deb Size/MD5: 731028 3b5ed0ad073cca0c1eee212b0e12f255 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.9-5ubuntu0.2_amd64.udeb Size/MD5: 275110 a23822489a0d7d45152f341b86f0df20 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.9-5ubuntu0.2_amd64.deb Size/MD5: 409362 ba180d650e17df6980ca09b8d1a109e1 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.9-5ubuntu0.2_amd64.deb Size/MD5: 230774 a0a51691eefc0fb6e94d41c3282c3ab2 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.9-5ubuntu0.2_i386.deb Size/MD5: 696892 ad2164ed812ccd9cf7829659cff219c7 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.9-5ubuntu0.2_i386.udeb Size/MD5: 258710 c2d256e87eaee83ab83592247588bee7 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.9-5ubuntu0.2_i386.deb Size/MD5: 393912 c8d04b785d17066229bab50a3c13e1af http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.9-5ubuntu0.2_i386.deb Size/MD5: 195702 02aa03f1f62a61383d829b5bf494b7b0 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-5ubuntu0.2_lpia.deb Size/MD5: 699382 ff8200917b43322062d2f3b5f3f6bab8 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-5ubuntu0.2_lpia.udeb Size/MD5: 259348 0395bdbaf357d161d0f1d3b257ae4732 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-5ubuntu0.2_lpia.deb Size/MD5: 394122 8481f2e278a5da28b28ef0fa79207662 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-5ubuntu0.2_lpia.deb Size/MD5: 198546 a3f0a848da83a64d14344b6744b33a90 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-5ubuntu0.2_powerpc.deb Size/MD5: 719762 bd7185c852b151794c27f8c2ead4da94 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-5ubuntu0.2_powerpc.udeb Size/MD5: 264578 58a77cbf2ae4c2a447a81cce72f6b8c5 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-5ubuntu0.2_powerpc.deb Size/MD5: 399118 c943fa66513b862ccb6ac99699c9e33c http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-5ubuntu0.2_powerpc.deb Size/MD5: 203834 842dd94d9b3fad52c0b1b6489775d2ea sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.9-5ubuntu0.2_sparc.deb Size/MD5: 691054 557de31093ac67c2dedec97e55998295 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.9-5ubuntu0.2_sparc.udeb Size/MD5: 240534 f3c79ed9e84e7169851de3f432b613c3 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.9-5ubuntu0.2_sparc.deb Size/MD5: 374982 e84af1b516f050ee9bdb93c213994943 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.9-5ubuntu0.2_sparc.deb Size/MD5: 195786 599978c8d9cff2525eba228c793833c3 Updated packages for Ubuntu 10.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.11-1ubuntu2.2.diff.gz Size/MD5: 41646 9b97425327300eda74c492034fed50ad http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.11-1ubuntu2.2.dsc Size/MD5: 1313 b7b625334a0d9c926bf34cc83dcc904c http://security.ubuntu.com/ubuntu/pool/main/f/freetype/freetype_2.3.11.orig.tar.gz Size/MD5: 1709600 5aa22c0bc6aa3815b40a309ead2b9d1b amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.11-1ubuntu2.2_amd64.deb Size/MD5: 739530 db9147ce9477b7ab22374f89d24b24ca http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.11-1ubuntu2.2_amd64.udeb Size/MD5: 277536 35fc46f3c281aee82eeed4e00cfdacdc http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.11-1ubuntu2.2_amd64.deb Size/MD5: 434932 1bf8e620c3008504b87354470e7be9a5 http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.11-1ubuntu2.2_amd64.deb Size/MD5: 221434 4b4fcbd633bf1b3c2151617adae44835 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.3.11-1ubuntu2.2_i386.deb Size/MD5: 704694 f58601afde2b4bc257492762654cbf94 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-udeb_2.3.11-1ubuntu2.2_i386.udeb Size/MD5: 260916 a540a7f9ae973bce66bbd3fdb9a4f849 http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.3.11-1ubuntu2.2_i386.deb Size/MD5: 419000 d4a78ce7ae146caa59b61f43b27d363c http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.3.11-1ubuntu2.2_i386.deb Size/MD5: 188710 e94b4202fcfe184fdf81409fe610a42a powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.11-1ubuntu2.2_powerpc.deb Size/MD5: 728090 5f2e98a54cb2a0ac03591c387aacf461 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.11-1ubuntu2.2_powerpc.udeb Size/MD5: 266750 66bf2b146ab219d1b78e1887d0053f2a http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.11-1ubuntu2.2_powerpc.deb Size/MD5: 424614 fd964644b45bbbc79729c9609c4b6bb8 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.11-1ubuntu2.2_powerpc.deb Size/MD5: 196686 b88a8cebff19c95b6c9c161f7d1bb472 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-dev_2.3.11-1ubuntu2.2_sparc.deb Size/MD5: 707164 bf26d7cb1aa3f759ca31510f92888053 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6-udeb_2.3.11-1ubuntu2.2_sparc.udeb Size/MD5: 250768 100b4d4b270421fb1dcb503c88b547e8 http://ports.ubuntu.com/pool/main/f/freetype/libfreetype6_2.3.11-1ubuntu2.2_sparc.deb Size/MD5: 408132 b009cd0f1aafa500f8cc16273e9f2ed9 http://ports.ubuntu.com/pool/universe/f/freetype/freetype2-demos_2.3.11-1ubuntu2.2_sparc.deb Size/MD5: 198302 504ec3da9ee2048391e2c4035d7149fc . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://corelabs.coresecurity.com/ Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch 1. *Advisory Information* Title: Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch Advisory Id: CORE-2010-0825 Advisory URL: [http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch] Date published: 2010-11-08 Date of last update: 2010-11-08 Vendors contacted: Apple Release mode: User release 2. *Vulnerability Information* Class: Input validation error [CWE-20] Impact: Code execution Remotely Exploitable: Yes (client-side) Locally Exploitable: No CVE Name: CVE-2010-1797 Bugtraq ID: N/A 3. *Vulnerability Description* The Apple Type Services is prone to memory corruption due a sign mismatch vulnerability when handling the last offset value of the CharStrings INDEX structure. This vulnerability is a variation of the vulnerability labeled as CVE-2010-1797 (FreeType JailbreakMe iPhone exploit variation). 4. *Vulnerable packages* . Apple Mac OS X v10.5.x 5. *Solutions and Workarounds* According to information provided to us by Apple, a patch for this fix has already been developed. Apple provided us a release date for this patch in two opportunities but then failed to meet their our deadlines without giving us any notice or explanation. Apple Mac OSX 10.6 is not affected by this vulnerability, upgrading to this version is highly recommed when possible. 6. *Credits* This vulnerability was discovered and researched by Anibal Sacco [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Anibal_Sacco] and Matias Eissler [http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Matias_Eissler], from Core Security Technologies. Publication was coordinated by Fernando Russ and Pedro Varangot. 7. *Technical Description* When loading a PDF with an embedded CFF font a sign mismatch error exists in ATSServer when handling the last offset value of the CharStrings INDEX structure. This could be triggered in different ways: . When trying to make a thumbnail of the file . When trying to open the file with the Preview app . Serving the file in a web server and tricking the user to click on it. Embedded in an email (if handled by Mail.app) This allows to corrupt the process memory by controlling the size parameter of a memcpy function call allowing an attacker to get code execution. At [00042AFA] we can see how the value obtained from the file is sign extended prior to be passed to the function loc_370F0. Inside this function this value will be used as the size parameter of memcpy: /----- 00042AF2 movsx eax, word ptr [edx+5Eh] 00042AF6 mov [esp+0Ch], eax 00042AFA movsx eax, word ptr [esi+4] 00042AFE mov [esp], edi 00042B01 mov [esp+8], eax 00042B05 mov eax, [ebp-2Ch] 00042B08 mov [esp+4], eax 00042B0C call loc_370F0 - -----/ An attacker could take advantage of this condition by setting a negative offset value (0xfffa) in the file that will be converted to a DWORD without enough validation leading to a memcpy of size 0xfffffffa. This vulnerability results in arbitrary code execution. 8. *Report Timeline* . 2010-08-26: Vendor contacted, a draft of this advisory is sent and September 28th is proposed as a coordinated publication date. Core remarks that since this is a variation of a publicly disclossed vulnerability it may have already been discovered by other security researchers like vulnerability research brokers or independent security researchers. 2010-08-28: The Apple Product Security team acknowledges the report, saying that they were able to reproduce the issue in Mac OS X 10.5 but not in Mac OS X 10.6, they also said that the deadline for September 28th will be imposible to meet. 2010-08-30: Core informs Apple that there is no problem changing the publication date for the report, whenever the new publication date remains reasonable. Also, Core asks for a tentive timeframe for the fix, and confirm that Mac OS X 10.6 does not seem to be affected. 2010-08-31: Apple acknowledges the comunication informing the publication timing, and state that they are still trying to determine the most appropiate timeframe. 2010-09-28: Core asks the vendor for an update regarding this issue. Also, Core asks for a specific timeframe for the fix, and sets October 18th as tentative publication date. 2010-09-28: Apple acknowledges the comunication informing that this issue will be fixed in the next security update of Mac OS X 10.5, which is tentatively scheduled for the end of October without a firm date of publication. 2010-08-31: Apple asks Core about credit information for the advisory. 2010-09-28: Core acknowledges the comunication sending the credit information for this report. 2010-10-20: Core asks Apple for a firm date for the release of this securiry issue since the initial propossed timeframe of October 18th is due. 2010-10-22: Apple acknowledges the comunication informing that the publication date is scheduled to the week of October 25th. Also, Apple notifies that the assigned identifier for this vulnerability is CVE-2010-1797. 2010-11-01: Core asks Apple for a new schedule for the publication, since there was no notice of any Apple security update during the week of October 25th. 2010-11-01: Apple acknowledges the communication informing that the publication date was rescheduled to the middle of the week of November 1st. 2010-11-03: Core informs Apple that the publication of this advisory was scheduled to Monday 8th, taking into account the last communication this is a final publication date. Core also informs that the information about how this vulnerability was found and how it can be exploited will be discussed in a small infosec related local event in Buenos Aires city. 2010-11-08: Core publishes advisory CORE-2010-0825. 9. *References* [1] [http://en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format] 10. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [http://corelabs.coresecurity.com]. 11. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [http://www.coresecurity.com]. 12. *Disclaimer* The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/] 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at [http://www.coresecurity.com/files/attachments/core_security_advisories.asc]. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzYayoACgkQyNibggitWa2PMgCfSvLwR5OgWfmFIwpONWL+dMa3 njEAnjIZFF+zG/wWK3IscWx3VyNW5F30 =XULv -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:149 http://www.mandriva.com/security/ _______________________________________________________________________ Package : freetype2 Date : August 12, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been discovered and corrected in freetype2: Multiple stack overflow flaws have been reported in the way FreeType font rendering engine processed certain CFF opcodes. Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1797 https://bugzilla.redhat.com/show_bug.cgi?id=621144 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: e5b2f1ac6039b90de44e4c54a7dc15ad 2008.0/i586/libfreetype6-2.3.5-2.4mdv2008.0.i586.rpm ec559f7f70f91973c7c3337d170c2bf1 2008.0/i586/libfreetype6-devel-2.3.5-2.4mdv2008.0.i586.rpm 0f87bab9e3ba83faf24b13b13e8a16a5 2008.0/i586/libfreetype6-static-devel-2.3.5-2.4mdv2008.0.i586.rpm 0d6118b220d595e52174eb7cc2675980 2008.0/SRPMS/freetype2-2.3.5-2.4mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 5d3a64ac00fb880838ea068bceb28055 2008.0/x86_64/lib64freetype6-2.3.5-2.4mdv2008.0.x86_64.rpm d052dabc9b4f9fa41863eb8ca1fe334b 2008.0/x86_64/lib64freetype6-devel-2.3.5-2.4mdv2008.0.x86_64.rpm 281d278bf445567d29c510d0d27f7489 2008.0/x86_64/lib64freetype6-static-devel-2.3.5-2.4mdv2008.0.x86_64.rpm 0d6118b220d595e52174eb7cc2675980 2008.0/SRPMS/freetype2-2.3.5-2.4mdv2008.0.src.rpm Mandriva Linux 2009.0: ed81cc7ed3660ce94c3c6d00d556ac18 2009.0/i586/libfreetype6-2.3.7-1.3mdv2009.0.i586.rpm 325432a13a72aaf457847f4a205b9823 2009.0/i586/libfreetype6-devel-2.3.7-1.3mdv2009.0.i586.rpm bcd0dbb954f1a4e09d10e03556ea2497 2009.0/i586/libfreetype6-static-devel-2.3.7-1.3mdv2009.0.i586.rpm 373a3d35198adefaabfdb3d75c4359b1 2009.0/SRPMS/freetype2-2.3.7-1.3mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 4af7ec1921662eaa37e6a5b27998cdec 2009.0/x86_64/lib64freetype6-2.3.7-1.3mdv2009.0.x86_64.rpm c53e5285ea05fc68168a800df25a9556 2009.0/x86_64/lib64freetype6-devel-2.3.7-1.3mdv2009.0.x86_64.rpm 3a5b5a4aa2eec538b0479f066fa6e7e7 2009.0/x86_64/lib64freetype6-static-devel-2.3.7-1.3mdv2009.0.x86_64.rpm 373a3d35198adefaabfdb3d75c4359b1 2009.0/SRPMS/freetype2-2.3.7-1.3mdv2009.0.src.rpm Mandriva Linux 2009.1: ce6a11ba3156f8e1ac8339bf3c94f709 2009.1/i586/libfreetype6-2.3.9-1.4mdv2009.1.i586.rpm dc2573dc94973052652f2481651e927a 2009.1/i586/libfreetype6-devel-2.3.9-1.4mdv2009.1.i586.rpm aee56bcfbed1899495f00e87ddaed7ce 2009.1/i586/libfreetype6-static-devel-2.3.9-1.4mdv2009.1.i586.rpm aaa5a09d40624240e901b31d4f0e98c0 2009.1/SRPMS/freetype2-2.3.9-1.4mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 9e51fa000bb7e106189845ca6694ae15 2009.1/x86_64/lib64freetype6-2.3.9-1.4mdv2009.1.x86_64.rpm 2ec9a71562a8d40a8accaf967b3c2a75 2009.1/x86_64/lib64freetype6-devel-2.3.9-1.4mdv2009.1.x86_64.rpm 8e87a5ba6fd376aeceef71fe5b809f86 2009.1/x86_64/lib64freetype6-static-devel-2.3.9-1.4mdv2009.1.x86_64.rpm aaa5a09d40624240e901b31d4f0e98c0 2009.1/SRPMS/freetype2-2.3.9-1.4mdv2009.1.src.rpm Mandriva Linux 2010.0: faf191e76adc0e2f8f4bebfd97f36a49 2010.0/i586/libfreetype6-2.3.11-1.2mdv2010.0.i586.rpm 7202581d10580a63ba28eb4b0dce708c 2010.0/i586/libfreetype6-devel-2.3.11-1.2mdv2010.0.i586.rpm ecaad382e83f7005a1d76a585dfe879c 2010.0/i586/libfreetype6-static-devel-2.3.11-1.2mdv2010.0.i586.rpm 3c34f8f0e0352ef0a11c57d4eadc1ccd 2010.0/SRPMS/freetype2-2.3.11-1.2mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 9ffe17211ba4e4a6aa67e73e4c22e020 2010.0/x86_64/lib64freetype6-2.3.11-1.2mdv2010.0.x86_64.rpm eebaba0b5509b21da03a432699198342 2010.0/x86_64/lib64freetype6-devel-2.3.11-1.2mdv2010.0.x86_64.rpm 90e215bda5483ee6b5d5ca74bfedf7c0 2010.0/x86_64/lib64freetype6-static-devel-2.3.11-1.2mdv2010.0.x86_64.rpm 3c34f8f0e0352ef0a11c57d4eadc1ccd 2010.0/SRPMS/freetype2-2.3.11-1.2mdv2010.0.src.rpm Mandriva Linux 2010.1: 437be09971963217a5daef5dc04d451b 2010.1/i586/libfreetype6-2.3.12-1.2mdv2010.1.i586.rpm 42f5ddeeb25353a9fa20677112e9ae7c 2010.1/i586/libfreetype6-devel-2.3.12-1.2mdv2010.1.i586.rpm c77ce226104a1febd22c920c73a807f7 2010.1/i586/libfreetype6-static-devel-2.3.12-1.2mdv2010.1.i586.rpm 11f6a185216335c804f0988621dd637c 2010.1/SRPMS/freetype2-2.3.12-1.2mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: a4a5170f277a9654f19b208deab8027c 2010.1/x86_64/lib64freetype6-2.3.12-1.2mdv2010.1.x86_64.rpm 4637ff02b2739b2d29c94333f00ce59e 2010.1/x86_64/lib64freetype6-devel-2.3.12-1.2mdv2010.1.x86_64.rpm 20a9488e5100b9a4f925fb777e00248d 2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.2mdv2010.1.x86_64.rpm 11f6a185216335c804f0988621dd637c 2010.1/SRPMS/freetype2-2.3.12-1.2mdv2010.1.src.rpm Corporate 4.0: 516a71993da7404ae96b14699cb1aa5f corporate/4.0/i586/libfreetype6-2.1.10-9.11.20060mlcs4.i586.rpm 839108110543d3243a725c3c2153ea46 corporate/4.0/i586/libfreetype6-devel-2.1.10-9.11.20060mlcs4.i586.rpm 8c912e309a35917d533fcf3be251f662 corporate/4.0/i586/libfreetype6-static-devel-2.1.10-9.11.20060mlcs4.i586.rpm e6e59f81030a80f5a1704f130e34b3ec corporate/4.0/SRPMS/freetype2-2.1.10-9.11.20060mlcs4.src.rpm Corporate 4.0/X86_64: cf591c59af6e46e62609ff34892f52d3 corporate/4.0/x86_64/lib64freetype6-2.1.10-9.11.20060mlcs4.x86_64.rpm 55e0f089dee699185f317e863b12c590 corporate/4.0/x86_64/lib64freetype6-devel-2.1.10-9.11.20060mlcs4.x86_64.rpm 7eec0361fb43382f4aa9558e2698af89 corporate/4.0/x86_64/lib64freetype6-static-devel-2.1.10-9.11.20060mlcs4.x86_64.rpm e6e59f81030a80f5a1704f130e34b3ec corporate/4.0/SRPMS/freetype2-2.1.10-9.11.20060mlcs4.src.rpm Mandriva Enterprise Server 5: cfed1363663ad29113cb1655c3e56429 mes5/i586/libfreetype6-2.3.7-1.3mdvmes5.1.i586.rpm bfc520ee4832553381a304209442dcc1 mes5/i586/libfreetype6-devel-2.3.7-1.3mdvmes5.1.i586.rpm 92f6f546f2dad9a2bf7031261079294a mes5/i586/libfreetype6-static-devel-2.3.7-1.3mdvmes5.1.i586.rpm d32510c26f462ffb120f4c4284f412d4 mes5/SRPMS/freetype2-2.3.7-1.3mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: 35c99bfa9c7a0799a4f304d3a2de2f11 mes5/x86_64/lib64freetype6-2.3.7-1.3mdvmes5.1.x86_64.rpm 9dcb3dfb3769618d8b2c93f3f4ba53db mes5/x86_64/lib64freetype6-devel-2.3.7-1.3mdvmes5.1.x86_64.rpm 165edd82ca0492d88d393e8a65ad5869 mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.3mdvmes5.1.x86_64.rpm d32510c26f462ffb120f4c4284f412d4 mes5/SRPMS/freetype2-2.3.7-1.3mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMZBO6mqjQ0CJFipgRAvckAKCpFuRGLxgICBqETRTbXhdZpg8RywCgjKjm 46cbqAt0xVJvR5AdhA3z/FY= =T9it -----END PGP SIGNATURE-----