VARIoT IoT vulnerabilities database

Unspecified vulnerability in the Cluster Ready Services component in Oracle Database 10.1.0.5 allows remote attackers to affect availability via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. For more information see vulnerability #6 through #9 in: SA34693 SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details. Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system. 1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP. 2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER". The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available. PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/ Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-0975. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Team SHATTER Security Advisory Oracle Database SQL Injection vulnerability in LT.ROLLBACKWORKSPACE May 4, 2009 Risk Level: High Affected versions: Oracle Database Server version 10gR1 Remote exploitable: Yes (Authentication to Database Server is needed) Credits: This vulnerability was discovered and researched by Esteban Mart\xednez Fay\xf3 of Application Security Inc. Details: Oracle Database provides the "LT" PL/SQL package that is part of the Oracle Workspace Manager component (DBMS_WM public synonym). This package has a SQL Injection instance in ROLLBACKWORKSPACE procedure. Dependening on what Oracle Workspace Manager release is installed, this PL/SQL package is owned by SYS (on older releases) or by WMSYS (on newer releases). A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the package owner, depending on the system configuration it can be SYS or WMSYS. Impact: By default [WM]SYS.LT has EXECUTE permission to PUBLIC so any Oracle Database user can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS or WMSYS privileges. Vendor Status: Vendor was contacted and a patch was released. Workaround: Restrict access to the [WM]SYS.LT package. CVE: CVE-2009-0978 Links: Application Security, Inc advisory: http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html Timeline: Vendor Notification - 8/22/2007 Fix - 4/14/2009 Public Disclosure - 5/04/2009 Application Security, Inc's database security solutions have helped over 1000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. For more information see vulnerability #6 through #9 in: SA34693 SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details. Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system. 1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP. 2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER". The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available. PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/ Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the Workspace Manager component in Oracle Database 11.1.0.6, 11.1.0.7, 10.2.0.3, 10.2.0.4, 10.1.0.5, 9.2.0.8, and 9.2.0.8DV allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. For more information see vulnerability #6 through #9 in: SA34693 SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details. Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system. 1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP. 2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER". The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available. PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/ Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1012. Reason: This candidate is a reservation duplicate of CVE-2009-1012. Notes: All CVE users should reference CVE-2009-1012 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ====================================================================== Secunia Research 15/04/2009 - Oracle BEA WebLogic Server Plug-ins Integer Overflow - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Oracle BEA WebLogic Server Plug-ins version 1.0.1166189. NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: From Remote ====================================================================== 3) Vendor's Description of Software "... the world's best application server for building and deploying enterprise applications and services ...". Product Link: http://www.oracle.com/technology/products/weblogic/index.html ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in the Oracle BEA WebLogic Server plug-ins for web servers, which can be exploited by malicious people to compromise a vulnerable system. The Oracle BEA WebLogic Server can be configured to receive requests via an Apache, Sun, or IIS web server. In this case, a plug-in is installed in the Internet-facing web server that passes the request to a WebLogic server. An integer overflow when parsing HTTP requests can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. ====================================================================== 5) Solution Apply patches released by the vendor. ====================================================================== 6) Time Table 01/03/2009 - Vendor notified. 06/03/2009 - Vendor response requesting more information. 06/03/2009 - Sent PoC to vendor. 10/03/2009 - Vendor confirms vulnerability. 12/03/2009 - Vendor requests more information. 15/03/2009 - Supplemental information sent to vendor. 17/03/2009 - Vendor confirms and provides preliminary patch. 15/04/2009 - Public disclosure. ====================================================================== 7) Credits Discovered by Dyon Balding, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0189 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-22/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect integrity via unknown vectors related to "access to source code of web pages.". Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.1(1) through 7.1(2)82, 7.2 before 7.2(4)27, 8.0 before 8.0(4)25, and 8.1 before 8.1(2)15, when AAA override-account-disable is entered in a general-attributes field, allow remote attackers to bypass authentication and establish a VPN session to an ASA device via unspecified vectors. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Crafted H.323 Packet DoS Vulnerability +------------------------------------- Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * cTCP for Remote Access VPNs * Virtual Telnet * Virtual HTTP * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. A series of SQL*Net packets may cause a denial of service condition on a Cisco ASA and Cisco PIX device that is configured with SQL*Net inspection. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series devices 8.0 before 8.0(4)25 and 8.1 before 8.1(2)15, when an SSL VPN or ASDM access is configured, allows remote attackers to cause a denial of service (device reload) via a crafted (1) SSL or (2) HTTP packet. Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)6, 7.1 before 7.1(2)82, 7.2 before 7.2(4)30, 8.0 before 8.0(4)28, and 8.1 before 8.1(2)19 allows remote attackers to cause a denial of service (memory consumption or device reload) via a crafted TCP packet. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. VPN Authentication Bypass Vulnerability +-------------------------------------- Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * cTCP for Remote Access VPNs * Virtual Telnet * Virtual HTTP * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series devices 7.0 before 7.0(8)6, 7.1 before 7.1(2)82, 7.2 before 7.2(4)26, 8.0 before 8.0(4)24, and 8.1 before 8.1(2)14, when H.323 inspection is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted H.323 packet. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * cTCP for Remote Access VPNs * Virtual Telnet * Virtual HTTP * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.2 before 7.2(4)26, 8.0 before 8.0(4)22, and 8.1 before 8.1(2)12, when SQL*Net inspection is enabled, allows remote attackers to cause a denial of service (traceback and device reload) via a series of SQL*Net packets. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * cTCP for Remote Access VPNs * Virtual Telnet * Virtual HTTP * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)1, 7.1 before 7.1(2)74, 7.2 before 7.2(4)9, and 8.0 before 8.0(4)5 do not properly implement the implicit deny statement, which might allow remote attackers to successfully send packets that bypass intended access restrictions, aka Bug ID CSCsq91277. Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks. These issues are documented by the following Cisco Bug IDs: CSCsx47543 further documents the issue tracked by CVE-2009-1155. CSCsv52239 further documents the issue tracked by CVE-2009-1156. CSCsy22484 further documents the issue tracked by CVE-2009-1157. CSCsx32675 further documents the issue tracked by CVE-2009-1158. CSCsw51809 further documents the issue tracked by CVE-2009-1159. CSCsq91277 further documents the issue tracked by CVE-2009-1160. This implied rejection is a design decision and does not require any configuration. It can be understood as rejecting all unspecified ACEs that reach the end of the ACL. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). This feature is disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Crafted H.323 Packet DoS Vulnerability +------------------------------------- Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) <output truncated> Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. However, the user must provide the correct credentials in order to login to the VPN. Note: The override account feature was introduced in Cisco ASA software version 7.1(1). The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup": hostname(config)#tunnel-group testgroup type webvpn hostname(config)#tunnel-group testgroup general-attributes hostname(config-tunnel-general)#override-account-disable Note: The override account feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * cTCP for Remote Access VPNs * Virtual Telnet * Virtual HTTP * TLS Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device. A TCP three-way handshake is not needed to exploit this vulnerability. A series of SQL*Net packets may cause a denial of service condition on a Cisco ASA and Cisco PIX device that is configured with SQL*Net inspection. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device. The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note the "class-map" command can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses. Access Control List Bypass Vulnerability +--------------------------------------- Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is experienced in very rare occasions and extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect. The following example shows that the implicit deny is bypassed (result = ALLOW): <output truncated> ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 <output truncated> This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2009-1160. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * AAA account-override-ignore allows VPN session without correct password (CSCsx47543) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.8 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash with certain HTTP packets (CSCsv52239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Cisco ASA may crash after processing certain TCP packets (CSCsy22484) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crafted H.323 packet may cause ASA to reload (CSCsx32675) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * sqlnet traffic causes traceback with inspection configured (CSCsw51809) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ACL Misbehavior in Cisco ASA (CSCsq91277) CVSS Base Score - 4.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 3.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table. +------------------------------------------------------+ | | Affected | First | Recommended | | Vulnerability | Release | Fixed | Release | | | | Version | | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | VPN | | vulnerable | | |Authentication |----------+------------+-------------| | Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 | |Account |----------+------------+-------------| | Override | 7.2 | 7.2(4)27 | 7.2(4)30 | |Feature is |----------+------------+-------------| | Used | 8.0 | 8.0(4)25 | 8.0(4)28 | |Vulnerability |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted HTTP | | vulnerable | | |packet DoS |----------+------------+-------------| | Vulnerability | 7.2 | Not | 7.2(4)30 | | | | vulnerable | | | |----------+------------+-------------| | | 8.0 | 8.0(4)25 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)15 | 8.1(2)16 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted TCP |----------+------------+-------------| | Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)28 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)19 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)6 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)82 | 7.1(2)82 | |Crafted H.323 |----------+------------+-------------| | packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 | |Vulnerability |----------+------------+-------------| | | 8.0 | 8.0(4)24 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)14 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | Not | 7.0(8)6 | | | | vulnerable | | | |----------+------------+-------------| | | 7.1 | Not | 7.1(2)82 | | Crafted SQL | | vulnerable | | |packet DoS |----------+------------+-------------| | vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 | | |----------+------------+-------------| | | 8.0 | 8.0(4)22 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | 8.1(2)12 | 8.1(2)19 | |----------------+----------+------------+-------------| | | 7.0 | 7.0(8)1 | 7.0(8)6 | | |----------+------------+-------------| | | 7.1 | 7.1(2)74 | 7.1(2)82 | |Access control |----------+------------+-------------| | list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 | |bypass |----------+------------+-------------| | vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 | | |----------+------------+-------------| | | 8.1 | Not | 8.1(2)19 | | | | vulnerable | | +------------------------------------------------------+ Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT Fixed Cisco PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. VPN Authentication Bypass Vulnerability +-------------------------------------- The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable. Note: IPSec clients are not vulnerable to this vulnerability. If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example, shows how a trusted host with IP address 192.168.1.100 is added to the configuration: hostname(config)# http 192.168.1.100 255.255.255.255 Crafted TCP Packet DoS Vulnerability +----------------------------------- There are no workarounds for this vulnerability. Crafted H.323 Packet DoS Vulnerability +------------------------------------- H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323". SQL*Net Packet DoS Vulnerability +------------------------------- SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet". Access Control List (ACL) Bypass Vulnerability +--------------------------------------------- As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example: ASA(config)#no access-group acl-inside in interface inside ASA(config)#access-group acl-inside in interface inside In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface. Alternatively, you can add an explicit "deny ip any any" line in the bottom of the ACL applied on that interface. For example: ASA(config)#access-list 100 deny ip any any In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100". Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks. The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. All other vulnerabilities were found during internal testing and during the resolution of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-April-08 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 08, 2009 Document ID: 109974 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ =Xi7D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. SOLUTION: Update to the fixed versions (please see the vendor advisory for patch information). PROVIDED AND/OR DISCOVERED BY: 3) The vendor credits Gregory W. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml OTHER REFERENCES: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remote Code Execution Vulnerability. The flaw exists within the DoRcvRpcCall RPC function -exposed via the rep_srv.exe process- where the vulnerability is caused by an error when the rep_srv.exe handles a specially crafted packet sent by an unauthenticated attacker. EMC RepliStor Server Service Contains an unspecified vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. The function responsible for handling opcode 36 calls CreateProcessW with user-supplied arguments. A malicious attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device crash) via vectors involving SSL VPN and PPPoE transactions, aka Bug ID CSCsm77958. The problem is Bug ID : CSCsm77958 It is a problem.Service disruption by a third party (DoS) There is a possibility of being put into a state. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) complete an SSL handshake with an HTTPS client even if this client is unauthorized, which might allow remote attackers to bypass intended access restrictions via an HTTPS session, aka Bug ID CSCso10876. The problem is Bug ID : CSCso10876 It is a problem.By a third party HTTPS Access restrictions may be bypassed through the session. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

The IPv6 implementation on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) exposes IP services on the "far side of the box," which might allow remote attackers to bypass intended access restrictions via IPv6 packets, aka Bug ID CSCso58622. The problem is Bug ID CSCso58622 It is a problem.By a third party IPv6 Access restrictions may be circumvented via packets. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Memory leak on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (memory consumption) via Subject Alternative Name fields in an X.509 certificate, aka Bug ID CSCsq17879. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device reload) via unknown network traffic, as demonstrated by a "connection stress test," aka Bug ID CSCsq68451. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (device reload) via a high volume of SIP traffic, aka Bug ID CSCsr65901. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allow remote attackers to cause a denial of service (IKE process hang) via malformed NAT-T packets, aka Bug ID CSCsr74439. Cisco ASA 5580 series security appliances are prone to multiple security vulnerabilities. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible. Cisco ASA 5580 series security appliances with software prior to 8.1(2) are vulnerable

Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to have an unspecified impact via long IKE attributes, aka Bug ID CSCsu43121. The vulnerabilities include multiple denial-of-service vulnerabilities, multiple buffer-overflow vulnerabilities, authentication-bypass vulnerabilities and a cross-site scripting vulnerability. Exploiting these issues could allow an attacker to deny service to legitimate users, bypass security restrictions and gain unauthorized access, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible