VARIoT IoT vulnerabilities database

VAR-200809-0461 | No CVE | Hitachi JP1/File Transmission Server/FTP Transmission Failure Problem |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
Hitachi JP1/File Transmission Server/FTP has a problem where file transmission fails when FTP commands are executed with certain argument(s): the connection is terminated, or no response is received from the server.
VAR-200902-0092 | CVE-2009-0418 | IPv6 implementations insecurely update Forwarding Information Base |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The IPv6 Neighbor Discovery Protocol (NDP) implementation in HP HP-UX B.11.11, B.11.23, and B.11.31 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity), read private network traffic, and possibly execute arbitrary code via a spoofed message that modifies the Forwarding Information Base (FIB), a related issue to CVE-2008-2476. A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded. This vulnerability is related to CVE-2008-2476. It can be exploited to
cause the IPv6 stack to panic by sending specially crafted ICMPv6
messages to a vulnerable system.
2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
Patch:
http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Tom Parker and Bjoern A. Zeeb.
TITLE:
HP-UX IPv6 Neighbor Discovery Protocol Neighbor Solicitation
Vulnerability
SECUNIA ADVISORY ID:
SA33787
VERIFY ADVISORY:
http://secunia.com/advisories/33787/
CRITICAL:
Less critical
IMPACT:
Spoofing, Exposure of sensitive information, DoS
WHERE:
From local network
OPERATING SYSTEM:
HP-UX 11.x
http://secunia.com/advisories/product/138/
DESCRIPTION:
A vulnerability has been reported in HP-UX, which can be exploited by
malicious people to conduct spoofing attacks, disclose potentially
sensitive information, or to cause a DoS (Denial of Service).
This is related to:
SA32112
The vulnerability is reported in HP-UX B.11.11, B.11.23, and B.11.31
running IPv6.
SOLUTION:
Apply patches.
HP-UX B.11.11:
Install patch PHNE_37898 or subsequent.
HP-UX B.11.23:
Install patch PHNE_37897 or subsequent.
HP-UX B.11.31:
Install patch PHNE_38680 or subsequent.
For more information:
SA32112
2) An unspecified error exists in the handling of PPPoE discovery
packets.
TITLE:
Juniper Products Neighbor Discovery Protocol Neighbor Solicitation
Vulnerability
SECUNIA ADVISORY ID:
SA32116
VERIFY ADVISORY:
http://secunia.com/advisories/32116/
CRITICAL:
Less critical
IMPACT:
Manipulation of data
WHERE:
From local network
OPERATING SYSTEM:
Juniper IVE OS Software 1.x
http://secunia.com/advisories/product/11660/
Juniper IVE OS Software 2.x
http://secunia.com/advisories/product/11661/
Juniper IVE OS Software 3.x
http://secunia.com/advisories/product/11662/
Juniper IVE OS Software 5.x
http://secunia.com/advisories/product/6644/
Juniper IVE OS Software 4.x
http://secunia.com/advisories/product/6645/
Juniper IVE OS Software 6.x
http://secunia.com/advisories/product/18562/
Juniper Networks DXOS 5.x
http://secunia.com/advisories/product/11183/
Juniper Networks IDP 4.x
http://secunia.com/advisories/product/11181/
Juniper Networks Infranet Controller 4000
http://secunia.com/advisories/product/11167/
Juniper Networks WXC Series
http://secunia.com/advisories/product/11164/
Juniper Networks WX Series
http://secunia.com/advisories/product/11163/
Juniper Networks Session and Resource Control (SRC) 2.x
http://secunia.com/advisories/product/19036/
Juniper Networks Secure Access 6000 SP
http://secunia.com/advisories/product/13184/
Juniper Networks Secure Access 4000 (NetScreen-SA 3000 Series)
http://secunia.com/advisories/product/3141/
Juniper Networks Secure Access 2000
http://secunia.com/advisories/product/11165/
Juniper Networks Infranet Controller 6000
http://secunia.com/advisories/product/11168/
Juniper Networks Secure Access 6000 (NetScreen-SA 5000 Series)
http://secunia.com/advisories/product/3132/
Juniper Networks Secure Access 700
http://secunia.com/advisories/product/11166/
Juniper Networks Session and Resource Control (SRC) 1.x
http://secunia.com/advisories/product/19034/
DESCRIPTION:
A vulnerability has been reported in multiple Juniper Networks
products, which can be exploited by malicious people to manipulate
the router's neighbor cache. This can be exploited to add a fake entry to the router's
neighbor cache via a neighbor solicitation request containing a
spoofed IPv6 address.
Successful exploitation may allow the interception or disruption of
network traffic, but requires that the IPv6 nodes involved in the
attack are using the same router.
NOTE: The vendor has not published a publicly available advisory and
has also refused to provide a list of the affected products or
patches as information about vulnerabilities is provided to
registered customers only. It is therefore unclear if only a subset
of the products reported as vulnerable in this advisory are affected.
SOLUTION:
It is currently unclear whether fixes are available.
PROVIDED AND/OR DISCOVERED BY:
US-CERT credits David Miles.
ORIGINAL ADVISORY:
Juniper (login required):
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-036&viewMode=view
US-CERT:
http://www.kb.cert.org/vuls/id/MAPG-7H2RZU
OTHER REFERENCES:
US-CERT VU#472363:
http://www.kb.cert.org/vuls/id/472363
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0452 | CVE-2007-5474 | Atheros AR5416-AC1E On chipset Linksys WRT350N Wi-Fi Denial of service operation in access point driver (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The driver for the Linksys WRT350N Wi-Fi access point with firmware 2.00.17 on the Atheros AR5416-AC1E chipset does not properly parse the Atheros vendor-specific information element in an association request, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via an Atheros information element with an invalid length, as demonstrated by an element that is too long. The access point driver for the Linksys WRT350N Wi-Fi device on the Atheros AR5416-AC1E chipset is responsible for handling the association request. Atheros Communications AR5416-AC1E is prone to a denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to crash the affected device that uses the chipset, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Atheros AR5416-AC1E included in the Linksys WRT350N wireless router running firmware 2.00.17 is vulnerable; other devices running different firmware may also be affected. Linksys WRT350N is a popular wireless broadband router. Exploitation may cause a denial of service or execute arbitrary commands. The Atheros vendor-specific
information element is used by wireless devices to advertise Atheros
specific capabilities. The malformed element is delivered in an association request, which can
be sent only after a successful 802.11 authentication (in "Open" or "Shared" mode according to the
configuration of the wireless access point).
This security vulnerability was reported to Linksys, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
--------
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
VAR-200809-0311 | CVE-2008-1144 | Netgear WN802T Wi-Fi Access point Marvell Service disruption in drivers (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse EAPoL-Key packets, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a malformed EAPoL-Key packet with a crafted "advertised length". The NETGEAR WN802T wireless access point is prone to a denial-of-service vulnerability because it fails to adequately handle long key lengths in EAPoL packets.
Successful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed.
NETGEAR WN802T firmware 1.3.16 with the MARVELL 88W8361P-BEM1 chipset is vulnerable. Other devices running this Marvell chipset may also be affected. The EAPoL-Key packet is used for unicast/multicast key derivation (which
are called 4-way handshake and group key handshake) of any secure
wireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP). Triggering the bug requires a successful
802.11 authentication (in "Open" mode according to the configuration of
the wireless access point) and a successful 802.11 association with
appropriate security parameters (e.g. WPA w/ TKIP unicast, TKIP
multicast), which depends on the configuration of the wireless access point.
This security vulnerability was reported to Netgear, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
--------
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
1) An error exists in the processing of SSID information included in
association requests. This can be exploited to reboot or hang-up the
device by sending a specially crafted association request.
2) An error in the processing of EAPoL-Key packets can be exploited
to reboot or hang-up a device by sending a specially crafted
EAPoL-Key packet containing an overly large "length" value.
The vulnerabilities are reported in firmware version 1.3.16. Other
versions may also be affected.
SOLUTION:
Use the device only in a trusted network environment.
PROVIDED AND/OR DISCOVERED BY:
Laurent Butti and Julien Tinnes, France Telecom / Orange
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/bugtraq/2008-09/0048.html
http://archives.neohapsis.com/archives/bugtraq/2008-09/0049.html
VAR-200809-0004 | CVE-2008-1197 | Netgear WN802T Wi-Fi Access point Marvell Service disruption in drivers (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse the SSID information element in an association request, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a "Null SSID". The NETGEAR WN802T wireless access point is prone to a denial-of-service vulnerability because it fails to adequately verify user-supplied input.
Attackers can exploit this issue to hang or reboot the device, denying service to legitimate users.
The NETGEAR WN802T wireless access point running firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset is vulnerable. Other devices running this Marvell chipset may also be affected. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic
capabilities...). More precisely, the SSID is used by the access point
to validate that the wireless client intends to connect to the
appropriate SSID.
Assigned CVE:
-------------
* CVE-2008-1197
Details:
--------
* The bug can be triggered by a malicious association request to the
wireless access point with a Null SSID. This can be achieved only after
a successful 802.11 authentication (in "Open" or "Shared" mode according
to the configuration of the wireless access point).
This security vulnerability was reported to Netgear, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
--------
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
1) An error exists in the processing of SSID information included in
association requests. This can be exploited to reboot or hang-up the
device by sending a specially crafted association request.
2) An error in the processing of EAPoL-Key packets can be exploited
to reboot or hang-up a device by sending a specially crafted
EAPoL-Key packet containing an overly large "length" value.
The vulnerabilities are reported in firmware version 1.3.16. Other
versions may also be affected.
SOLUTION:
Use the device only in a trusted network environment.
PROVIDED AND/OR DISCOVERED BY:
Laurent Butti and Julien Tinnes, France Telecom / Orange
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/bugtraq/2008-09/0048.html
http://archives.neohapsis.com/archives/bugtraq/2008-09/0049.html
VAR-200809-0012 | CVE-2008-2441 | Cisco Secure ACS In EAP-Response Packet processing vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Secure ACS 3.x before 3.3(4) Build 12 patch 7, 4.0.x, 4.1.x before 4.1(4) Build 13 Patch 11, and 4.2.x before 4.2(0) Build 124 Patch 4 does not properly handle an EAP Response packet in which the value of the length field exceeds the actual packet length, which allows remote authenticated users to cause a denial of service (CSRadius and CSAuth service crash) or possibly execute arbitrary code via a crafted RADIUS (1) EAP-Response/Identity, (2) EAP-Response/MD5, or (3) EAP-Response/TLS Message Attribute packet. Cisco Secure ACS, provided by Cisco Systems, has a denial-of-service (DoS) vulnerability and an arbitrary code execution vulnerability. A malformed RADIUS (1) EAP-Response/Identity, (2) EAP-Response/MD5, or (3) EAP-Response/TLS packet may cause arbitrary code execution. Please refer to the "Overview" for the impact of this vulnerability. Cisco Secure ACS is prone to a denial-of-service vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to crash the CSRadius and CSAuth processes, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
This vulnerability is documented in Cisco bug ID CSCsq10103. This bug may
be triggered if the length field of an EAP-Response packet has a large
value, greater than the real packet length. Any EAP-Response can
trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
EAP-Response/TLS...
* For example, the following packet will trigger the vulnerability and
crash CSRadius.exe:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Code = 2    | Identifier = 0|        Length = 0xdddd        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type = 1    |     "abcd" ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
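The length check the advisory describes as missing, written as an added example (not Cisco's code or the researchers' proof of concept): a small RADIUS/EAP front-end parser that refuses any EAP packet whose Length field exceeds the bytes actually received, tried against a constructed copy of the packet shown above and against a well-formed Identity response. The function names, the zeroed RADIUS Request Authenticator and the sample bytes are assumptions of this example.

```python
"""Defensive EAP length validation modelled on the Cisco Secure ACS bug
(CVE-2008-2441).  Added example; not Cisco's code."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER_LEN = 4            # Code(1) Identifier(1) Length(2), RFC 3748
RADIUS_HEADER_LEN = 20        # Code(1) Identifier(1) Length(2) Authenticator(16)
RADIUS_ATTR_EAP_MESSAGE = 79  # EAP-Message attribute, RFC 3579


class EapParseError(ValueError):
    """Raised when an EAP or RADIUS packet fails length validation."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, refusing a Length field that disagrees with the
    bytes actually received.  This advertised-length check is the one the
    vulnerable CSRadius/CSAuth parser lacked."""
    if len(buf) < EAP_HEADER_LEN:
        raise EapParseError("truncated EAP header (%d bytes)" % len(buf))
    code, identifier, length = struct.unpack("!BBH", buf[:EAP_HEADER_LEN])
    if length < EAP_HEADER_LEN:
        raise EapParseError("EAP Length %d smaller than header" % length)
    if length > len(buf):
        # The advisory's case: Length claims 0xdddd bytes, only 9 arrived.
        raise EapParseError("EAP Length %d exceeds received %d bytes"
                            % (length, len(buf)))
    body = buf[EAP_HEADER_LEN:length]      # trailing padding is ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise EapParseError("Request/Response without Type octet")
        return EapPacket(code, identifier, length, body[0], body[1:])
    return EapPacket(code, identifier, length, None, body)


def eap_from_radius(pkt: bytes) -> bytes:
    """Walk the RADIUS attribute list and concatenate every EAP-Message
    attribute (RFC 3579 lets one EAP packet span several).  Attribute
    lengths are bounds-checked against the RADIUS Length the same way."""
    if len(pkt) < RADIUS_HEADER_LEN:
        raise EapParseError("truncated RADIUS header")
    radius_len = struct.unpack("!H", pkt[2:4])[0]
    if radius_len > len(pkt) or radius_len < RADIUS_HEADER_LEN:
        raise EapParseError("bad RADIUS Length %d" % radius_len)
    pieces: List[bytes] = []
    off = RADIUS_HEADER_LEN
    while off < radius_len:
        if off + 2 > radius_len:
            raise EapParseError("truncated RADIUS attribute header")
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > radius_len:
            raise EapParseError("bad attribute length %d" % attr_len)
        if attr_type == RADIUS_ATTR_EAP_MESSAGE:
            pieces.append(pkt[off + 2:off + attr_len])
        off += attr_len
    if not pieces:
        raise EapParseError("no EAP-Message attribute")
    return b"".join(pieces)


def build_radius_access_request(eap: bytes) -> bytes:
    """Constructed sample: wrap an EAP packet in a minimal RADIUS
    Access-Request (Code 1) with a zeroed Request Authenticator."""
    attr = bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 0, RADIUS_HEADER_LEN + len(attr)) + bytes(16) + attr


# Constructed samples.  MALFORMED_EAP mirrors the advisory's packet: Code 2
# (Response), Identifier 0, Length 0xdddd, Type 1 (Identity), data "abcd".
MALFORMED_EAP = bytes([2, 0, 0xdd, 0xdd, 1]) + b"abcd"
WELL_FORMED_EAP = struct.pack("!BBH", 2, 0, 9) + bytes([1]) + b"abcd"


def check_radius(pkt: bytes) -> str:
    """Return 'accept' or 'reject: <reason>', the decision a hardened RADIUS
    front-end makes before handing the EAP payload to the auth service."""
    try:
        parse_eap(eap_from_radius(pkt))
    except EapParseError as exc:
        return "reject: %s" % exc
    return "accept"


if __name__ == "__main__":
    for name, eap in (("well-formed", WELL_FORMED_EAP), ("malformed", MALFORMED_EAP)):
        print(name, "->", check_radius(build_radius_access_request(eap)))
```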
Attack Impact:
--------------
* Denial-of-service and possibly remote arbitrary code execution
Attack Vector:
--------------
* Have access as a RADIUS client (knowing or guessing the RADIUS shared
secret) or from an unauthenticated wireless device if the access point
relays malformed EAP frames
Timeline:
---------
* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory
Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
SOLUTION:
Apply patches. Please see the vendor advisory for details.
Cisco Security Response: Cisco Secure ACS Denial Of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml
Revision 1.0
============
For Public Release 2008 September 03 1600 UTC (GMT)
Cisco Response
==============
This is the Cisco PSIRT response to the statements made by Laurent
Butti and Gabriel Campana of Orange Labs / France Telecom Group, in
their advisory: "Cisco Secure ACS EAP Parsing Vulnerability". Because this
affects CSAuth, all authentication requests via RADIUS or TACACS+ will
be affected during exploitation of this vulnerability.
Cisco ACS installations that are configured with AAA Clients to
authenticate using TACACS+ only are not affected by this
vulnerability.
The RADIUS shared secret and a valid known Network Access Server
(NAS) IP address must be known to carry out this exploit.
The Cisco PSIRT team greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and we welcome the
opportunity to review and assist in product reports. We thank Laurent
Butti and Gabriel Campana of Orange Labs / France Telecom Group for
reporting this vulnerability to Cisco PSIRT.
Software patches are available for customers with support contracts
and should be obtained through their regular support channels. The
upgrade to fixed software is not a free upgrade. See Software
Versions and Fixes section within this advisory for further
information on obtaining fixed software. It is
the integration and control layer for managing enterprise network
users, administrators, and the resources of the network
infrastructure.
Described in RFC2865, RADIUS is a distributed client/server system
that secures networks against unauthorized access. In the Cisco
implementation, RADIUS clients run on Cisco devices and send
authentication requests to a central RADIUS server
(Cisco Secure ACS) that contains all user authentication and network
service access information.
Described in RFC3748, EAP is an authentication framework that
supports multiple authentication methods. Typically, EAP runs
directly over data link layers, such as Point-to-Point
Protocol (PPP) or IEEE 802, without requiring IP.
A specially crafted RADIUS EAP Message Attribute packet will crash
the CSRadius and CSAuth services. An error message will be indicated
in the Windows event viewer - System Log indicating "The CSAuth
service terminated unexpectedly" and "The CSRadius service terminated
unexpectedly". In the Cisco ACS Reports and Activity tab, under ACS
Service Monitoring, the logs will indicate CSAuth is not running and
attempts to restart.
The CSRadius service handles communication between the service for
authentication and authorization (CSAuth service) and the access
device requesting the authentication and authorization services for
RADIUS. In many cases continued exploitation
will prevent network access to devices which first require
authentication or authorization via the AAA Server.
Software Versions and Fixes
+--------------------------
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+--------------------------------------------------------+
| Affected | First Fixed Release |
| Release | |
|------------+-------------------------------------------|
| 3.X.Y | Release 3.3(4) Build 12 patch 7 or later |
|------------+-------------------------------------------|
| 4.0.X | Vulnerable; Contact TAC |
|------------+-------------------------------------------|
| 4.1.X | Release 4.1(4) Build 13 Patch 11 or later |
|------------+-------------------------------------------|
| 4.2.X | Release 4.2(0) Build 124 Patch 4 or later |
+--------------------------------------------------------+
The fixed software for Cisco Secure ACS for Windows (ACS) can be
downloaded from:
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
The fixed software for Cisco Secure ACS Solution Engine (ACSE) can be
downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2
The first fixed release files names are indicated below:
+-----------------------------------------------------------+
| | 3.x cumulative patch | 4.1 cumulative patch |
|----------+-----------------------+------------------------+
| CS ACS | | |
| for | Acs-3.3.4.12.7-SW.zip | Acs-4.1.4.13.11-SW.zip |
| Windows | | |
|----------+-----------------------+------------------------+
| CS ACS | | |
| Solution | applAcs-3.3.4.12.7.zip| applAcs_4.1.4.13.11.zip|
| Engine | | |
+-----------------------------------------------------------+
+------------------------------------+
| | 4.2 cumulative patch |
|----------+-------------------------|
| CS ACS | |
| for | ACS-4.2.0.124.4-SW.zip |
| Windows | |
|----------+-------------------------|
| CS ACS | |
| Solution | applAcs_4.2.0.124.4.zip |
| Engine | |
+------------------------------------+
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+-------------------------------------------------------------+
| Revision 1.0 | 2008-September-03 | Initial Public Release. |
+-------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psir
VAR-200809-0315 | CVE-2008-2732 | Cisco PIX and ASA of SIP Service interruption in inspection function (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the SIP inspection functionality in Cisco PIX and Adaptive Security Appliance (ASA) 5500 devices 7.0 before 7.0(7)16, 7.1 before 7.1(2)71, 7.2 before 7.2(4)7, 8.0 before 8.0(3)20, and 8.1 before 8.1(1)8 allow remote attackers to cause a denial of service (device reload) via unknown vectors, aka Bug IDs CSCsq07867, CSCsq57091, CSCsk60581, and CSCsq39315. The problem is tracked as Bug IDs CSCsq07867, CSCsq57091, CSCsk60581 and CSCsq39315. A third party may be able to put the device into a denial-of-service (DoS) state. Cisco PIX and ASA are prone to multiple denial-of-service vulnerabilities and an information-disclosure vulnerability.
An attacker can exploit these issues to obtain sensitive information or cause the affected devices to reload. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
Affected Products
=================
The following paragraphs describe the affected Cisco ASA and Cisco
PIX software versions:
Vulnerable Products
+------------------
The following sections provide details on the versions of Cisco ASA
that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA device
that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.
SSL VPN Memory Leak Vulnerability
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to a denial of service attack affecting
the SSL processing software if the device is running a software
version prior to 7.2(4)2, 8.0(3)14, or 8.1(1)4.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to potential information disclosure if the
device is running affected 8.0 or 8.1 software versions.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) is not affected by any of
these vulnerabilities. Cisco PIX security appliances running software
versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified
Border Elements (CUBE) are not vulnerable to these issues. No other
Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The following sections provide details to help determine if a device
may be affected by any of the vulnerabilities. A successful
attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command. If the
output contains the text Inspect: sip and some statistics, then the
device has a vulnerable configuration.
* CSCsq07867
* CSCsq57091
* CSCsk60581
* CSCsq39315
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based
VPN connections are vulnerable to a crafted authentication processing
vulnerability if they are running software versions 7.2, 8.0, or 8.1.
Devices that run software versions 7.0 or 7.1 are not affected by
this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association
and Key Management Protocol (ISAKMP) enabled on an interface with the
crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2733.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
A crafted SSL or HTTP packet may cause a denial of service condition
on a Cisco ASA device that is configured to terminate clientless VPN
connections. A successful attack may result in a reload of the
device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless
SSL VPNs enabled may be affected by this vulnerability. Devices that
run software versions 7.0 and 7.1 are not affected by this
vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug ID CSCso66472
and CSCsq19369. They have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN
connections, an attacker may be able to discover potentially
sensitive information such as usernames and passwords. This attack
requires an attacker to convince a user to visit a rogue web server,
reply to an e-mail, or interact with a service to successfully
exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with
clientless VPNs enabled may be affected by this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA device
with Clientless VPNs configured and enabled. In this case the Cisco
ASA device will listen for VPN connections on the default port, TCP
port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2736.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is calculated in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
Erroneous SIP Processing Vulnerabilities
CSCsq07867 - Memory corruption with traceback in SIP inspection code
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsk60581 - Device reload possible when SIP inspection is enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq39315 - Traceback when processing malformed SIP requests
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IPSec Client Authentication Processing Vulnerability
CSCso69942 - Traceback in Remote Access Authentication Code
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
SSL VPN Memory Leak Vulnerability
CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
URI Processing Error Vulnerability in SSL VPNs
CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Potential Information Disclosure in Clientless VPNs
CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Erroneous SIP Processing
Vulnerabilities, IPSec Client Authentication Processing
Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing
Error Vulnerability in SSL VPNs may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service
attack.
The Potential Information Disclosure in Clientless SSL VPNs
vulnerability may allow an attacker to obtain user and group
credentials if the user interacts with a rogue system or document.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release of each
vulnerability:
+-----------------------------------------------------+
| | | Affected | First |
| Vulnerability | Bug ID | Release | Fixed |
| | | | Release |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)15 |
| | |----------+------------|
| | | 7.1 | 7.1(2)70 |
|Memory | |----------+------------|
| corruption | | 7.2 | Not |
| with traceback | CSCsq07867 | | vulnerable |
|in SIP | |----------+------------|
| inspection | | 8.0 | Not |
| code | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
|Memory | |----------+------------|
| corruption and | | 7.1 | Not |
| traceback when | | | vulnerable |
|inspecting |CSCsq57091 |----------+------------|
| malformed SIP | | 7.2 | 7.2(4)7 |
|packets | |----------+------------|
| | | 8.0 | 8.0(3)20 |
| | |----------+------------|
| | | 8.1 | 8.1(1)8 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 7.1 | Not |
| Device reload | | | vulnerable |
|possible when |CSCsk60581 |----------+------------|
| SIP inspection | | 7.2 | 7.2(3)18 |
|is enabled | |----------+------------|
| | | 8.0 | 8.0(3)8 |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)16 |
| | |----------+------------|
| | | 7.1 | 7.1(2)71 |
| | |----------+------------|
| Traceback when | | 7.2 | Not |
| processing | CSCsq39315 | | vulnerable |
|malformed SIP | |----------+------------|
| requests | | 8.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Traceback in | | 7.1 | Not |
| Remote Access | | | vulnerable |
|Authentication |CSCso69942 |----------+------------|
| Code | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Crypto memory | | 7.1 | Not |
| leak causing | | | vulnerable |
|Clientless SSL |CSCso66472 |----------+------------|
| VPNs to hang | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| HTTP | | 7.1 | Not |
| Processing | | | vulnerable |
|Error in |CSCsq19369 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPN | | | vulnerable |
|connections | |----------+------------|
| | | 8.0 | 8.0(3)15 |
| | |----------+------------|
| | | 8.1 | 8.1(1)5 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Potential | | 7.1 | Not |
| Information | | | vulnerable |
|Disclosure in |CSCsq45636 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPNs | | | vulnerable |
| | |----------+------------|
| | | 8.0 | 8.0(3)16 |
| | |----------+------------|
| | | 8.1 | 8.1(1)6 |
|-----------------------------+----------+------------|
| | 7.0 | 7.0(7)16 |
| |----------+------------|
| | 7.1 | 7.1(2)72 |
| |----------+------------|
| Recommended Release | 7.2 | 7.2(4)9 |
| |----------+------------|
| | 8.0 | 8.0(4) |
| |----------+------------|
| | 8.1 | 8.1(1)8 |
+-----------------------------------------------------+
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
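To turn the first-fixed table above into a repeatable check, here is an added Python example (my code, not Cisco's and not part of the advisory) that parses the release string from show version, compares it against the table, and reports only the bugs whose triggering feature (inspect sip, crypto isakmp enable, webvpn enable) is actually configured. The numeric ordering of release strings such as 8.0(3)20 < 8.0(4) is my assumption, and the sample show version, running-config and service-policy outputs are constructed.

```python
"""Assess a Cisco ASA/PIX release against cisco-sa-20080903-asa.

Added example, not Cisco tooling. Table values are copied from the
advisory; the release-string ordering is an assumption (major, minor,
maintenance, interim build compared numerically, missing interim = 0).
"""
import re

# First fixed release per bug ID and affected train (from the advisory).
# None means the advisory lists that train as "Not vulnerable".
FIRST_FIXED = {
    "CSCsq07867": {"7.0": "7.0(7)15", "7.1": "7.1(2)70", "7.2": None, "8.0": None, "8.1": None},
    "CSCsq57091": {"7.0": None, "7.1": None, "7.2": "7.2(4)7", "8.0": "8.0(3)20", "8.1": "8.1(1)8"},
    "CSCsk60581": {"7.0": None, "7.1": None, "7.2": "7.2(3)18", "8.0": "8.0(3)8", "8.1": None},
    "CSCsq39315": {"7.0": "7.0(7)16", "7.1": "7.1(2)71", "7.2": None, "8.0": None, "8.1": None},
    "CSCso69942": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCso66472": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCsq19369": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)15", "8.1": "8.1(1)5"},
    "CSCsq45636": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)16", "8.1": "8.1(1)6"},
}
RECOMMENDED = {"7.0": "7.0(7)16", "7.1": "7.1(2)72", "7.2": "7.2(4)9", "8.0": "8.0(4)", "8.1": "8.1(1)8"}

# Which configured feature exposes each bug (from the advisory's Details section).
FEATURE = {
    "CSCsq07867": "sip", "CSCsq57091": "sip", "CSCsk60581": "sip", "CSCsq39315": "sip",
    "CSCso69942": "isakmp",
    "CSCso66472": "webvpn", "CSCsq19369": "webvpn", "CSCsq45636": "webvpn",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(text):
    """'8.0(3)14' -> (8, 0, 3, 14); '8.0(4)' -> (8, 0, 4, 0). Assumed ordering."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_from_show_version(output):
    """Extract the release string from 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def assess(version):
    """Map each bug ID to 'vulnerable', 'fixed' or 'not vulnerable' for this release."""
    major, minor, _, _ = parse_version(version)
    train = f"{major}.{minor}"
    if train not in RECOMMENDED:
        raise ValueError(f"release train {train} is not covered by this advisory")
    running = parse_version(version)
    result = {}
    for bug, fixes in FIRST_FIXED.items():
        fixed = fixes[train]
        if fixed is None:
            result[bug] = "not vulnerable"
        elif running >= parse_version(fixed):
            result[bug] = "fixed"
        else:
            result[bug] = "vulnerable"
    return result


def sip_inspection_enabled(service_policy_output):
    """'show service-policy | include sip' shows 'Inspect: sip' when SIP inspection is on."""
    return "Inspect: sip" in service_policy_output


def isakmp_enabled(running_config):
    """True if any interface has 'crypto isakmp enable <if>' configured."""
    return any(l.strip().startswith("crypto isakmp enable") for l in running_config.splitlines())


def webvpn_enabled(running_config):
    """True if the 'webvpn' block contains an indented 'enable <interface>' line."""
    in_block = False
    for line in running_config.splitlines():
        if not line.startswith(" ") and line.strip():
            in_block = line.strip() == "webvpn"      # top-level line starts a new block
        elif in_block and line.strip().startswith("enable "):
            return True
    return False


def exposed(version, running_config, service_policy_output):
    """Bug IDs that are both unfixed in this release and reachable via an enabled feature."""
    enabled = {
        "sip": sip_inspection_enabled(service_policy_output),
        "isakmp": isakmp_enabled(running_config),
        "webvpn": webvpn_enabled(running_config),
    }
    return sorted(bug for bug, status in assess(version).items()
                  if status == "vulnerable" and enabled[FEATURE[bug]])


# Constructed sample outputs, modelled on the advisory's examples.
SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.0(2)\nDevice Manager Version 6.0(1)\n"
RUNNING_CONFIG = "http server enable\n!\ncrypto isakmp enable outside\n!\nwebvpn\n enable outside\n"
SERVICE_POLICY = "Inspect: sip, packet 0, drop 0, reset-drop 0\n"

if __name__ == "__main__":
    ver = version_from_show_version(SHOW_VERSION)
    print(ver, exposed(ver, RUNNING_CONFIG, SERVICE_POLICY), "recommended:", RECOMMENDED["8.0"])
```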
Workarounds
===========
The following workarounds may help some customers mitigate these
vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed; temporarily
disabling the feature mitigates the SIP processing vulnerabilities.
SIP inspection can be disabled with the command no inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do
not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in
conjunction with strong group credentials until the device can be
upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information
disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16,
8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as
an alternative to clientless VPNs.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment
and through internal testing efforts.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sept-03 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
Successful exploitation requires valid user credentials.
Successful exploitation requires that a user is tricked into, e.g.,
visiting a malicious web server or replying to an e-mail.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
VAR-200809-0316 | CVE-2008-2733 | Cisco PIX and ASA of IPSec Service operation related to client authentication (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco PIX and Adaptive Security Appliance (ASA) 5500 devices 7.2 before 7.2(4)2, 8.0 before 8.0(3)14, and 8.1 before 8.1(1)4, when configured as a client VPN endpoint, do not properly process IPSec client authentication, which allows remote attackers to cause a denial of service (device reload) via a crafted authentication attempt, aka Bug ID CSCso69942. This issue is tracked as Cisco Bug ID CSCso69942. A third party may be able to put the device into a denial-of-service (DoS) state. Cisco PIX and ASA are prone to multiple denial-of-service vulnerabilities and an information-disclosure vulnerability.
An attacker can exploit these issues to obtain sensitive information or cause the affected devices to reload. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
Affected Products
=================
The following paragraphs describe the affected Cisco ASA and Cisco
PIX software versions:
Vulnerable Products
+------------------
The following sections provide details on the versions of Cisco ASA
that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA device
that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to potential information disclosure if the
device is running affected 8.0 or 8.1 software versions.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) is not affected by any of
these vulnerabilities. Cisco PIX security appliances running software
versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified
Border Elements (CUBE) are not vulnerable to these issues. No other
Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The following sections provide details to help determine if a device
may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks. A successful attack may result in a reload of the
device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is
configured to support inspection of sip packets, log in to the device
and issue the CLI command show service-policy | include sip. If the
output contains the text Inspect: sip and some statistics, then the
device has a vulnerable configuration. The following example shows a
vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
These vulnerabilities are documented in the following Cisco Bug IDs
and have been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2732:
* CSCsq07867
* CSCsq57091
* CSCsk60581
* CSCsq39315
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based
VPN connections are vulnerable to a denial of service when processing
a crafted client authentication attempt if they are running software
versions 7.2, 8.0, or 8.1. Devices that run software versions 7.0 or
7.1 are not affected by this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association
and Key Management Protocol (ISAKMP) enabled on an interface with the
crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2733.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
A crafted SSL or HTTP packet may cause a denial of service condition
on a Cisco ASA device that is configured to terminate clientless VPN
connections. A successful attack may result in a reload of the
device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless
SSL VPNs enabled may be affected by this vulnerability. Devices that
run software versions 7.0 and 7.1 are not affected by this
vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug ID CSCso66472
and CSCsq19369. They have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN
connections, an attacker may be able to discover potentially
sensitive information such as usernames and passwords. This attack
requires an attacker to convince a user to visit a rogue web server,
reply to an e-mail, or interact with a service to successfully
exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with
clientless VPNs enabled may be affected by this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA device
with Clientless VPNs configured and enabled. In this case the Cisco
ASA device will listen for VPN connections on the default port, TCP
port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2736.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is calculated in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
Erroneous SIP Processing Vulnerabilities
CSCsq07867 - Memory corruption with traceback in SIP inspection code
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsk60581 - Device reload possible when SIP inspection is enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq39315 - Traceback when processing malformed SIP requests
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IPSec Client Authentication Processing Vulnerability
CSCso69942 - Traceback in Remote Access Authentication Code
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
SSL VPN Memory Leak Vulnerability
CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
URI Processing Error Vulnerability in SSL VPNs
CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Potential Information Disclosure in Clientless VPNs
CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Erroneous SIP Processing
Vulnerabilities, IPSec Client Authentication Processing
Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing
Error Vulnerability in SSL VPNs may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service
attack.
The Potential Information Disclosure in Clientless SSL VPNs
vulnerability may allow an attacker to obtain user and group
credentials if the user interacts with a rogue system or document.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release of each
vulnerability:
+-----------------------------------------------------+
| | | Affected | First |
| Vulnerability | Bug ID | Release | Fixed |
| | | | Release |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)15 |
| | |----------+------------|
| | | 7.1 | 7.1(2)70 |
|Memory | |----------+------------|
| corruption | | 7.2 | Not |
| with traceback | CSCsq07867 | | vulnerable |
|in SIP | |----------+------------|
| inspection | | 8.0 | Not |
| code | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
|Memory | |----------+------------|
| corruption and | | 7.1 | Not |
| traceback when | | | vulnerable |
|inspecting |CSCsq57091 |----------+------------|
| malformed SIP | | 7.2 | 7.2(4)7 |
|packets | |----------+------------|
| | | 8.0 | 8.0(3)20 |
| | |----------+------------|
| | | 8.1 | 8.1(1)8 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 7.1 | Not |
| Device reload | | | vulnerable |
|possible when |CSCsk60581 |----------+------------|
| SIP inspection | | 7.2 | 7.2(3)18 |
|is enabled | |----------+------------|
| | | 8.0 | 8.0(3)8 |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)16 |
| | |----------+------------|
| | | 7.1 | 7.1(2)71 |
| | |----------+------------|
| Traceback when | | 7.2 | Not |
| processing | CSCsq39315 | | vulnerable |
|malformed SIP | |----------+------------|
| requests | | 8.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Traceback in | | 7.1 | Not |
| Remote Access | | | vulnerable |
|Authentication |CSCso69942 |----------+------------|
| Code | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Crypto memory | | 7.1 | Not |
| leak causing | | | vulnerable |
|Clientless SSL |CSCso66472 |----------+------------|
| VPNs to hang | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| HTTP | | 7.1 | Not |
| Processing | | | vulnerable |
|Error in |CSCsq19369 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPN | | | vulnerable |
|connections | |----------+------------|
| | | 8.0 | 8.0(3)15 |
| | |----------+------------|
| | | 8.1 | 8.1(1)5 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Potential | | 7.1 | Not |
| Information | | | vulnerable |
|Disclosure in |CSCsq45636 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPNs | | | vulnerable |
| | |----------+------------|
| | | 8.0 | 8.0(3)16 |
| | |----------+------------|
| | | 8.1 | 8.1(1)6 |
|-----------------------------+----------+------------|
| | 7.0 | 7.0(7)16 |
| |----------+------------|
| | 7.1 | 7.1(2)72 |
| |----------+------------|
| Recommended Release | 7.2 | 7.2(4)9 |
| |----------+------------|
| | 8.0 | 8.0(4) |
| |----------+------------|
| | 8.1 | 8.1(1)8 |
+-----------------------------------------------------+
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
Workarounds
===========
The following workarounds may help some customers mitigate these
vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily
disabling the feature will mitigate the SIP processing
vulnerabilities. SIP inspection can be disabled with the command no
inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do
not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in
conjunction with strong group credentials until the device can be
upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information
disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16,
8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as
an alternative to clientless VPNs.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment
and through internal testing efforts.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sept-03 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFIvsPo86n/Gc8U/uARAmOIAKCcTL2O+3w2mEm0GTe2mcnb0NZ5uQCdG9aV
ldazcXFRcGmkm4g38B67ezM=
=t2NV
-----END PGP SIGNATURE-----
Successful exploitation requires valid user credentials.
Successful exploitation requires that a user is tricked into e.g.
visiting a malicious web server or replying to an e-mail.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
----------------------------------------------------------------------
About:
This advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
VAR-200809-0319 | CVE-2008-2736 | Cisco ASA Vulnerable to user name and password disclosure |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) 5500 devices 8.0(3)15, 8.0(3)16, 8.1(1)4, and 8.1(1)5, when configured as a clientless SSL VPN endpoint, allows remote attackers to obtain usernames and passwords via unknown vectors, aka Bug ID CSCsq45636. The problem is tracked as Bug ID CSCsq45636. A third party could steal your username and password. Cisco PIX and ASA are prone to multiple denial-of-service vulnerabilities and an information-disclosure vulnerability.
An attacker can exploit these issues to obtain sensitive information or cause the affected devices to reload. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
For Public Release 2008 September 3 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
Affected Products
=================
The following paragraphs describe the affected Cisco ASA and Cisco
PIX software versions:
Vulnerable Products
+------------------
The following sections provide details on the versions of Cisco ASA
that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA device
that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN
connections are vulnerable to a denial of service attack if the
device is running software versions prior to 7.2(4)2, 8.0(3)14, and
8.1(1)4.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to potential information disclosure if the
device is running affected 8.0 or 8.1 software versions.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) is not affected by any of
these vulnerabilities. Cisco PIX security appliances running software
versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified
Border Elements (CUBE) are not vulnerable to these issues. No other
Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The following sections provide details to help determine if a device
may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks. A successful
attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is
configured to support inspection of sip packets, log in to the device
and issue the CLI command show service-policy | include sip. If the
output contains the text Inspect: sip and some statistics, then the
device has a vulnerable configuration. The following example shows a
vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2732.
Devices that run software versions 7.0 or 7.1 are not affected by
this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association
and Key Management Protocol (ISAKMP) enabled on an interface with the
crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2733. A successful attack may result in a reload
of the device. Devices that run software versions 7.0 and 7.1 are not
affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug ID CSCso66472
and CSCsq19369. They have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735. This attack
requires an attacker to convince a user to visit a rogue web server,
reply to an e-mail, or interact with a service to successfully
exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with
clientless VPNs enabled may be affected by this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA device
with Clientless VPNs configured and enabled. In this case the Cisco
ASA device will listen for VPN connections on the default port, TCP
port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2736.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is calculated in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
Erroneous SIP Processing Vulnerabilities
CSCsq07867 - Memory corruption with traceback in SIP inspection code
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsk60581 - Device reload possible when SIP inspection is enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq39315 - Traceback when processing malformed SIP requests
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IPSec Client Authentication Processing Vulnerability
CSCso69942 - Traceback in Remote Access Authentication Code
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
SSL VPN Memory Leak Vulnerability
CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
URI Processing Error Vulnerability in SSL VPNs
CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Potential Information Disclosure in Clientless VPNs
CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
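The scoring section above lists the metric values behind each score but not the arithmetic, and it invites customers to compute their own environmental scores. The following Python example is added here (it is not Cisco's or the VARIoT database's code): it implements the CVSS v2.0 base, temporal and environmental equations and reproduces the 7.8/6.4, 6.8/5.6 and 7.1/5.9 base/temporal pairs printed above from their metric vectors. The vectors are transcribed from the advisory's metric lists; the environmental metrics used at the bottom (CDP, TD, CR/IR/AR) are constructed, the way a customer would pick them for their own network.

```python
"""CVSS v2.0 scoring worked through for the advisory's vectors (added example).

The weights and equations are those of the CVSS v2.0 specification; the
metric vectors are transcribed from the advisory's scoring section and the
environmental metrics at the bottom are constructed for illustration.
"""
from typing import Dict, Tuple

# CVSS v2.0 metric weights
AV_W = {"L": 0.395, "A": 0.646, "N": 1.0}                        # access vector
AC_W = {"H": 0.35, "M": 0.61, "L": 0.71}                         # access complexity
AU_W = {"M": 0.45, "S": 0.56, "N": 0.704}                        # authentication
IMPACT_W = {"N": 0.0, "P": 0.275, "C": 0.660}                    # C / I / A impact
E_W = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}    # exploitability
RL_W = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}  # remediation level
RC_W = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}             # report confidence
CDP_W = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # collateral damage
TD_W = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}     # target distribution
REQ_W = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}               # C / I / A requirement

Vector = Dict[str, str]


def parse_vector(text: str) -> Vector:
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C' -> {'AV': 'N', 'AC': 'L', ...}.
    Temporal and environmental metrics are appended with '/' in the same way."""
    return dict(part.split(":", 1) for part in text.split("/"))


def impact_subscore(v: Vector, adjusted: bool = False) -> float:
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A)). With adjusted=True each impact
    is multiplied by its CR/IR/AR requirement and the result is capped at 10,
    which is the AdjustedImpact of the environmental equation."""
    req = (lambda k: REQ_W[v.get(k, "ND")]) if adjusted else (lambda k: 1.0)
    c = IMPACT_W[v["C"]] * req("CR")
    i = IMPACT_W[v["I"]] * req("IR")
    a = IMPACT_W[v["A"]] * req("AR")
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def exploitability_subscore(v: Vector) -> float:
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * AV_W[v["AV"]] * AC_W[v["AC"]] * AU_W[v["Au"]]


def base_score(v: Vector, adjusted: bool = False) -> float:
    impact = impact_subscore(v, adjusted)
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability_subscore(v)) - 1.5) * f_impact, 1)


def temporal_score(v: Vector, adjusted: bool = False) -> float:
    """Temporal = Base * E * RL * RC; missing temporal metrics count as 'ND' (1.0)."""
    return round(base_score(v, adjusted) * E_W[v.get("E", "ND")]
                 * RL_W[v.get("RL", "ND")] * RC_W[v.get("RC", "ND")], 1)


def environmental_score(v: Vector) -> float:
    """Environmental = (AdjTemporal + (10 - AdjTemporal) * CDP) * TD, where
    AdjTemporal is the temporal score recomputed with CR/IR/AR applied."""
    adj_t = temporal_score(v, adjusted=True)
    return round((adj_t + (10 - adj_t) * CDP_W[v.get("CDP", "ND")]) * TD_W[v.get("TD", "ND")], 1)


# Metric vectors transcribed from the advisory. The four SIP bugs, CSCso66472
# and CSCsq19369 all share the first vector.
ADVISORY_VECTORS = {
    "CSCsq07867": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
    "CSCso69942": "AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C",
    "CSCsq45636": "AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C",
}


def score_table() -> Dict[str, Tuple[float, float]]:
    """Bug ID -> (base score, temporal score) for the advisory's vectors."""
    return {bug: (base_score(parse_vector(vec)), temporal_score(parse_vector(vec)))
            for bug, vec in ADVISORY_VECTORS.items()}


if __name__ == "__main__":
    for bug, (base, temporal) in score_table().items():
        print(f"{bug}: base {base}, temporal {temporal}")
    # Constructed environmental metrics: VPN credentials rated high-value
    # (CR:H), no collateral damage assumed (CDP:N), every device in scope (TD:H).
    env = parse_vector(ADVISORY_VECTORS["CSCsq45636"] + "/CDP:N/TD:H/CR:H/IR:ND/AR:ND")
    print(f"CSCsq45636 environmental score for this network: {environmental_score(env)}")
```

Rounding follows the specification: each equation rounds to one decimal before feeding the next, so the temporal score is computed from the rounded base score, as Cisco's printed pairs confirm (7.8 x 0.95 x 0.87 = 6.4).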
Impact
======
Successful exploitation of the Erroneous SIP Processing
Vulnerabilities, IPSec Client Authentication Processing
Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing
Error Vulnerability in SSL VPNs may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service
attack.
The Potential Information Disclosure in Clientless SSL VPNs
vulnerability may allow an attacker to obtain user and group
credentials if the user interacts with a rogue system or document.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release of each
vulnerability:
+-----------------------------------------------------+
| | | Affected | First |
| Vulnerability | Bug ID | Release | Fixed |
| | | | Release |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)15 |
| | |----------+------------|
| | | 7.1 | 7.1(2)70 |
|Memory | |----------+------------|
| corruption | | 7.2 | Not |
| with traceback | CSCsq07867 | | vulnerable |
|in SIP | |----------+------------|
| inspection | | 8.0 | Not |
| code | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
|Memory | |----------+------------|
| corruption and | | 7.1 | Not |
| traceback when | | | vulnerable |
|inspecting |CSCsq57091 |----------+------------|
| malformed SIP | | 7.2 | 7.2(4)7 |
|packets | |----------+------------|
| | | 8.0 | 8.0(3)20 |
| | |----------+------------|
| | | 8.1 | 8.1(1)8 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 7.1 | Not |
| Device reload | | | vulnerable |
|possible when |CSCsk60581 |----------+------------|
| SIP inspection | | 7.2 | 7.2(3)18 |
|is enabled | |----------+------------|
| | | 8.0 | 8.0(3)8 |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)16 |
| | |----------+------------|
| | | 7.1 | 7.1(2)71 |
| | |----------+------------|
| Traceback when | | 7.2 | Not |
| processing | CSCsq39315 | | vulnerable |
|malformed SIP | |----------+------------|
| requests | | 8.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Traceback in | | 7.1 | Not |
| Remote Access | | | vulnerable |
|Authentication |CSCso69942 |----------+------------|
| Code | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Crypto memory | | 7.1 | Not |
| leak causing | | | vulnerable |
|Clientless SSL |CSCso66472 |----------+------------|
| VPNs to hang | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| HTTP | | 7.1 | Not |
| Processing | | | vulnerable |
|Error in |CSCsq19369 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPN | | | vulnerable |
|connections | |----------+------------|
| | | 8.0 | 8.0(3)15 |
| | |----------+------------|
| | | 8.1 | 8.1(1)5 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Potential | | 7.1 | Not |
| Information | | | vulnerable |
|Disclosure in |CSCsq45636 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPNs | | | vulnerable |
| | |----------+------------|
| | | 8.0 | 8.0(3)16 |
| | |----------+------------|
| | | 8.1 | 8.1(1)6 |
|-----------------------------+----------+------------|
| | 7.0 | 7.0(7)16 |
| |----------+------------|
| | 7.1 | 7.1(2)72 |
| |----------+------------|
| Recommended Release | 7.2 | 7.2(4)9 |
| |----------+------------|
| | 8.0 | 8.0(4) |
| |----------+------------|
| | 8.1 | 8.1(1)8 |
+-----------------------------------------------------+
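The advisory gives three manual checks (show version for the release, show service-policy | include sip for SIP inspection, the webvpn and crypto isakmp enable lines in the configuration) and the First Fixed Release table above. The following Python example is added here (it is not Cisco's or the VARIoT database's code) and turns those into one repeatable assessment: it encodes the table as printed, gates each bug on the feature the Details section says it depends on, and compares the device's release with the first fixed release of its train. The version-string format 7.2(4)7 and the feature-gating rules are taken from this advisory and assumed to be complete; the device output and configuration it parses are constructed samples. Note that the table and the CVE text disagree on 8.0(3)16 for CSCsq45636 (the table lists it as the first fixed 8.0 release, the CVE description lists it as affected); the code follows the table.

```python
"""Exposure check for cisco-sa-20080903-asa (added example, not vendor code).

The First Fixed Release table and the feature dependencies are transcribed
from the advisory; the device output parsed at the bottom is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int, int]  # major, minor, maintenance, interim

# Bug ID -> {release train: first fixed release}. A train missing from a
# bug's map is listed "Not vulnerable" in the advisory; 6.x is out of scope.
FIRST_FIXED: Dict[str, Dict[str, str]] = {
    "CSCsq07867": {"7.0": "7.0(7)15", "7.1": "7.1(2)70"},
    "CSCsq57091": {"7.2": "7.2(4)7", "8.0": "8.0(3)20", "8.1": "8.1(1)8"},
    "CSCsk60581": {"7.2": "7.2(3)18", "8.0": "8.0(3)8"},
    "CSCsq39315": {"7.0": "7.0(7)16", "7.1": "7.1(2)71"},
    "CSCso69942": {"7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCso66472": {"7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCsq19369": {"8.0": "8.0(3)15", "8.1": "8.1(1)5"},
    "CSCsq45636": {"8.0": "8.0(3)16", "8.1": "8.1(1)6"},
}

# Feature each bug needs, per the Details section: SIP inspection for the
# four SIP bugs, ISAKMP (remote access VPN) for CSCso69942, webvpn for the rest.
REQUIRED_FEATURE: Dict[str, str] = {
    "CSCsq07867": "sip_inspection", "CSCsq57091": "sip_inspection",
    "CSCsk60581": "sip_inspection", "CSCsq39315": "sip_inspection",
    "CSCso69942": "remote_access_vpn",
    "CSCso66472": "webvpn", "CSCsq19369": "webvpn", "CSCsq45636": "webvpn",
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(text: str) -> Version:
    """'8.0(3)15' -> (8, 0, 3, 15); '8.0(4)' -> (8, 0, 4, 0). Tuples compare
    in release order, which is what the first-fixed comparison needs."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX/ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_from_show_version(output: str) -> str:
    """Pull the release out of 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line in show version output")
    return m.group(1)


def enabled_features(service_policy_output: str, running_config: str) -> Set[str]:
    """Detect the three feature states the advisory keys its bugs on."""
    feats: Set[str] = set()
    # 'show service-policy | include sip' prints 'Inspect: sip, ...' when enabled
    if re.search(r"Inspect:\s*sip\b", service_policy_output):
        feats.add("sip_inspection")
    # remote access VPN: 'crypto isakmp enable <interface>'
    if re.search(r"^\s*crypto isakmp enable \S+", running_config, re.M):
        feats.add("remote_access_vpn")
    # clientless / SSL VPN: an 'enable <interface>' line inside the webvpn block
    in_webvpn = False
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped == "webvpn":
            in_webvpn = True
        elif in_webvpn and stripped in ("!", ""):
            in_webvpn = False  # '!' separates blocks in a PIX/ASA configuration
        elif in_webvpn and stripped.startswith("enable "):
            feats.add("webvpn")
    return feats


def exposed_bugs(version_text: str, features: Set[str]) -> List[str]:
    """Bug IDs whose vulnerable feature is on and whose fix postdates the release."""
    dev = parse_version(version_text)
    train = f"{dev[0]}.{dev[1]}"
    hits = []
    for bug, fixed_by_train in FIRST_FIXED.items():
        if REQUIRED_FEATURE[bug] not in features:
            continue  # vulnerable code path is not reachable on this device
        fixed = fixed_by_train.get(train)
        if fixed is not None and dev < parse_version(fixed):
            hits.append(bug)
    return sorted(hits)


def assess(show_version_output: str, service_policy_output: str,
           running_config: str) -> Tuple[str, List[str]]:
    version = version_from_show_version(show_version_output)
    return version, exposed_bugs(version, enabled_features(service_policy_output, running_config))


# Constructed sample device output (not captured from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 8.0(2)\n"
    "Device Manager Version 6.0(1)\n"
)
SAMPLE_SERVICE_POLICY = "Inspect: sip, packet 0, drop 0, reset-drop 0\n"
SAMPLE_CONFIG = "http server enable\n!\ncrypto isakmp enable outside\n!\nwebvpn\n enable outside\n!\n"

if __name__ == "__main__":
    ver, bugs = assess(SAMPLE_SHOW_VERSION, SAMPLE_SERVICE_POLICY, SAMPLE_CONFIG)
    print(f"release {ver}: exposed to {', '.join(bugs) or 'nothing in this advisory'}")
```

Run against the constructed 8.0(2) device with all three features on, it reports the six bugs whose 8.0 fix is later than 8.0(2) and skips CSCsq07867 and CSCsq39315, which the table marks "Not vulnerable" for 8.0; moving to the recommended 8.0(4) release clears the list.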
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
Workarounds
===========
The following workarounds may help some customers mitigate these
vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily
disabling the feature will mitigate the SIP processing
vulnerabilities. SIP inspection can be disabled with the command no
inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do
not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in
conjunction with strong group credentials until the device can be
upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information
disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16,
8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as
an alternative to clientless VPNs.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment
and through internal testing efforts.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------+--------------+-------------------------+
| Revision | Date         | Change                  |
| 1.0      | 2008-Sept-03 | Initial public release. |
+----------+--------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFIvsPo86n/Gc8U/uARAmOIAKCcTL2O+3w2mEm0GTe2mcnb0NZ5uQCdG9aV
ldazcXFRcGmkm4g38B67ezM=
=t2NV
-----END PGP SIGNATURE-----
Successful exploitation requires valid user credentials.
Successful exploitation requires that a user is tricked into e.g.
visiting a malicious web server or replying to an e-mail.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200809-0317 | CVE-2008-2734 | Cisco ASA memory leak vulnerability in crypto packet-processing functions |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Memory leak in the crypto functionality in Cisco Adaptive Security Appliance (ASA) 5500 devices 7.2 before 7.2(4)2, 8.0 before 8.0(3)14, and 8.1 before 8.1(1)4, when configured as a clientless SSL VPN endpoint, allows remote attackers to cause a denial of service (memory consumption and VPN hang) via a crafted SSL or HTTP packet, aka Bug ID CSCso66472. Cisco PIX and ASA are prone to multiple denial-of-service vulnerabilities and an information-disclosure vulnerability.
An attacker can exploit these issues to obtain sensitive information or cause the affected devices to reload. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
For Public Release 2008 September 3 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
Affected Products
=================
The following paragraphs describe the affected Cisco ASA and Cisco
PIX software versions:
Vulnerable Products
+------------------
The following sections provide details on the versions of Cisco ASA
that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA device
that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN
connections are vulnerable to a denial of service attack if the
device is running software versions prior to 7.2(4)2, 8.0(3)14, and
8.1(1)4.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to potential information disclosure if the
device is running affected 8.0 or 8.1 software versions.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) is not affected by any of
these vulnerabilities. Cisco PIX security appliances running software
versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified
Border Element (CUBE) are not vulnerable to these issues. No other
Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The following sections provide details to help determine if a device
may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks. A successful
attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is
configured to support inspection of sip packets, log in to the device
and issue the CLI command show service-policy | include sip. If the
output contains the text Inspect: sip and some statistics, then the
device has a vulnerable configuration. The following example shows a
vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
These vulnerabilities are documented in the following Cisco Bug IDs
and have been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2732.
* CSCsq07867
* CSCsq57091
* CSCsk60581
* CSCsq39315
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based
VPN connections are vulnerable to a crafted authentication processing
vulnerability if they are running software versions 7.2, 8.0, or 8.1.
Devices that run software versions 7.0 or 7.1 are not affected by
this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association
and Key Management Protocol (ISAKMP) enabled on an interface with the
crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2733.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
A successful attack may result in a reload of the device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless
SSL VPNs enabled may be affected by this vulnerability. Devices that
run software versions 7.0 and 7.1 are not affected by this
vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug IDs CSCso66472
and CSCsq19369. They have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN
connections, an attacker may be able to discover potentially
sensitive information such as usernames and passwords. This attack
requires an attacker to convince a user to visit a rogue web server,
reply to an e-mail, or interact with a service to successfully
exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with
clientless VPNs enabled may be affected by this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA device
with Clientless VPNs configured and enabled. In this case the Cisco
ASA device will listen for VPN connections on the default port, TCP
port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2736.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is calculated in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
Erroneous SIP Processing Vulnerabilities
CSCsq07867 - Memory corruption with traceback in SIP inspection code
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsk60581 - Device reload possible when SIP inspection is enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq39315 - Traceback when processing malformed SIP requests
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IPSec Client Authentication Processing Vulnerability
CSCso69942 - Traceback in Remote Access Authentication Code
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
SSL VPN Memory Leak Vulnerability
CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
URI Processing Error Vulnerability in SSL VPNs
CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Potential Information Disclosure in Clientless VPNs
CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Erroneous SIP Processing
Vulnerabilities, IPSec Client Authentication Processing
Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing
Error Vulnerability in SSL VPNs may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service
attack.
The Potential Information Disclosure in Clientless SSL VPNs
vulnerability may allow an attacker to obtain user and group
credentials if the user interacts with a rogue system or document.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release of each
vulnerability:
+------------------------------------+------------+---------+----------------+
| Vulnerability                      | Bug ID     | Release | First Fixed    |
|                                    |            |         | Release        |
+------------------------------------+------------+---------+----------------+
| Memory corruption with traceback   | CSCsq07867 | 7.0     | 7.0(7)15       |
| in SIP inspection code             |            | 7.1     | 7.1(2)70       |
|                                    |            | 7.2     | Not vulnerable |
|                                    |            | 8.0     | Not vulnerable |
|                                    |            | 8.1     | Not vulnerable |
+------------------------------------+------------+---------+----------------+
| Memory corruption and traceback    | CSCsq57091 | 7.0     | Not vulnerable |
| when inspecting malformed SIP      |            | 7.1     | Not vulnerable |
| packets                            |            | 7.2     | 7.2(4)7        |
|                                    |            | 8.0     | 8.0(3)20       |
|                                    |            | 8.1     | 8.1(1)8        |
+------------------------------------+------------+---------+----------------+
| Device reload possible when SIP    | CSCsk60581 | 7.0     | Not vulnerable |
| inspection is enabled              |            | 7.1     | Not vulnerable |
|                                    |            | 7.2     | 7.2(3)18       |
|                                    |            | 8.0     | 8.0(3)8        |
|                                    |            | 8.1     | Not vulnerable |
+------------------------------------+------------+---------+----------------+
| Traceback when processing          | CSCsq39315 | 7.0     | 7.0(7)16       |
| malformed SIP requests             |            | 7.1     | 7.1(2)71       |
|                                    |            | 7.2     | Not vulnerable |
|                                    |            | 8.0     | Not vulnerable |
|                                    |            | 8.1     | Not vulnerable |
+------------------------------------+------------+---------+----------------+
| Traceback in Remote Access         | CSCso69942 | 7.0     | Not vulnerable |
| Authentication Code                |            | 7.1     | Not vulnerable |
|                                    |            | 7.2     | 7.2(4)2        |
|                                    |            | 8.0     | 8.0(3)14       |
|                                    |            | 8.1     | 8.1(1)4        |
+------------------------------------+------------+---------+----------------+
| Crypto memory leak causing         | CSCso66472 | 7.0     | Not vulnerable |
| Clientless SSL VPNs to hang        |            | 7.1     | Not vulnerable |
|                                    |            | 7.2     | 7.2(4)2        |
|                                    |            | 8.0     | 8.0(3)14       |
|                                    |            | 8.1     | 8.1(1)4        |
+------------------------------------+------------+---------+----------------+
| HTTP Processing Error in           | CSCsq19369 | 7.0     | Not vulnerable |
| Clientless SSL VPN connections     |            | 7.1     | Not vulnerable |
|                                    |            | 7.2     | Not vulnerable |
|                                    |            | 8.0     | 8.0(3)15       |
|                                    |            | 8.1     | 8.1(1)5        |
+------------------------------------+------------+---------+----------------+
| Potential Information Disclosure   | CSCsq45636 | 7.0     | Not vulnerable |
| in Clientless SSL VPNs             |            | 7.1     | Not vulnerable |
|                                    |            | 7.2     | Not vulnerable |
|                                    |            | 8.0     | 8.0(3)16       |
|                                    |            | 8.1     | 8.1(1)6        |
+------------------------------------+------------+---------+----------------+
| Recommended Release                |            | 7.0     | 7.0(7)16       |
|                                    |            | 7.1     | 7.1(2)72       |
|                                    |            | 7.2     | 7.2(4)9        |
|                                    |            | 8.0     | 8.0(4)         |
|                                    |            | 8.1     | 8.1(1)8        |
+------------------------------------+------------+---------+----------------+
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
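The version check from "show version", the "show service-policy | include sip" test, the ISAKMP and webvpn configuration notes in the Details section and the first-fixed table above can be combined into a single offline exposure check. The following Python script is an added example and is not Cisco's code or tooling. The bug-ID-to-release mapping is transcribed from the table above; the "show version" and running-config samples are constructed, not captured from a real device; and feature detection assumes the usual ASA configuration syntax (inspect sip under a policy-map class, crypto isakmp enable <interface>, and enable <interface> inside the global webvpn stanza). Trains outside 7.0 to 8.1 are reported as not listed, since the advisory's table does not cover them.

```python
"""Check a Cisco PIX/ASA device against cisco-sa-20080903-asa.

Added example, not Cisco's code. It reads 'show version' and
'show running-config' output and compares the running release with the
advisory's first-fixed table, gating each bug on the feature the advisory
says must be enabled (inspect sip, crypto isakmp enable, webvpn enable).
"""
import re

# First fixed release per bug ID and release train, transcribed from the
# advisory's "Software Versions and Fixes" table. A train absent from a
# bug's dict is listed there as "Not vulnerable". The table only covers
# 7.0 - 8.1: 6.x is stated as not vulnerable, later trains are not covered.
FIRST_FIXED = {
    "CSCsq07867": ("sip", {"7.0": "7.0(7)15", "7.1": "7.1(2)70"}),
    "CSCsq57091": ("sip", {"7.2": "7.2(4)7", "8.0": "8.0(3)20", "8.1": "8.1(1)8"}),
    "CSCsk60581": ("sip", {"7.2": "7.2(3)18", "8.0": "8.0(3)8"}),
    "CSCsq39315": ("sip", {"7.0": "7.0(7)16", "7.1": "7.1(2)71"}),
    "CSCso69942": ("isakmp", {"7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"}),
    "CSCso66472": ("webvpn", {"7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"}),
    "CSCsq19369": ("webvpn", {"8.0": "8.0(3)15", "8.1": "8.1(1)5"}),
    "CSCsq45636": ("webvpn", {"8.0": "8.0(3)16", "8.1": "8.1(1)6"}),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(text):
    """'8.0(3)14' -> (8, 0, 3, 14); '8.0(4)' -> (8, 0, 4, 0).

    Interim builds compare numerically, so 7.2(4)9 > 7.2(4)2 and
    8.0(4) > 8.0(3)20, matching how the advisory orders releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised PIX/ASA version: %r" % text)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_from_show_version(output):
    """Pull the release string out of 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def enabled_features(config):
    """Return which of sip / isakmp / webvpn are enabled in a running-config."""
    feats = set()
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"inspect sip\b", line):        # 'no inspect sip' does not match
            feats.add("sip")
        if re.match(r"crypto isakmp enable \S+", line):
            feats.add("isakmp")
        if line == "webvpn":                        # start of the global webvpn stanza
            in_webvpn = True
            continue
        if in_webvpn:
            if re.match(r"enable \S+", line):       # e.g. 'enable outside'
                feats.add("webvpn")
            elif line == "!" or (raw and not raw[0].isspace()):
                in_webvpn = False                   # stanza ended
    return feats


def assess(show_version_output, config):
    """Map each bug ID to its status on this device."""
    running = parse_version(version_from_show_version(show_version_output))
    train = "%d.%d" % running[:2]
    feats = enabled_features(config)
    status = {}
    for bug, (feature, fixed_by_train) in FIRST_FIXED.items():
        if train not in fixed_by_train:
            status[bug] = "not vulnerable (train %s not listed as affected)" % train
        elif feature not in feats:
            status[bug] = "not exposed (%s not enabled)" % feature
        elif running < parse_version(fixed_by_train[train]):
            status[bug] = "VULNERABLE (first fixed %s)" % fixed_by_train[train]
        else:
            status[bug] = "fixed"
    return status


# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(3)14
Device Manager Version 6.0(1)
"""

SAMPLE_CONFIG = """\
http server enable
!
policy-map global_policy
 class inspection_default
  inspect sip
!
crypto isakmp enable outside
!
webvpn
 enable outside
"""

if __name__ == "__main__":
    for bug, result in sorted(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items()):
        print("%s: %s" % (bug, result))
```

On the sample device running 8.0(3)14 with all three features enabled, the script reports CSCsq57091, CSCsq19369 and CSCsq45636 as vulnerable, the two 8.0(3)14 fixes and CSCsk60581 as fixed, and the two 7.x-only SIP bugs as not affecting the 8.0 train. Paste real output in place of the samples; the same comparison decides whether the Recommended Release row or a specific interim build is the shortest safe upgrade.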
Workarounds
===========
The following workarounds may help some customers mitigate these
vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily
disabling the feature will mitigate the SIP processing
vulnerabilities. SIP inspection can be disabled with the command no
inspect sip.
IPSec Client Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do
not give out the group credentials to end users.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information
disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16,
8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as
an alternative to clientless VPNs.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment
and through internal testing efforts.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------+--------------+-------------------------+
| Revision | Date         | Change                  |
| 1.0      | 2008-Sept-03 | Initial public release. |
+----------+--------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFIvsPo86n/Gc8U/uARAmOIAKCcTL2O+3w2mEm0GTe2mcnb0NZ5uQCdG9aV
ldazcXFRcGmkm4g38B67ezM=
=t2NV
-----END PGP SIGNATURE-----
Successful exploitation requires valid user credentials.
Successful exploitation requires that a user is tricked into e.g.
visiting a malicious web server or replying to an e-mail.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200809-0318 | CVE-2008-2735 | Cisco ASA HTTP server URI processing denial of service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The HTTP server in Cisco Adaptive Security Appliance (ASA) 5500 devices 8.0 before 8.0(3)15 and 8.1 before 8.1(1)5, when configured as a clientless SSL VPN endpoint, does not properly process URIs, which allows remote attackers to cause a denial of service (device reload) via a URI in a crafted SSL or HTTP packet, aka Bug ID CSCsq19369. Cisco PIX and ASA are prone to multiple denial-of-service vulnerabilities and an information-disclosure vulnerability.
An attacker can exploit these issues to obtain sensitive information or cause the affected devices to reload. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
For Public Release 2008 September 3 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
Affected Products
=================
The following paragraphs describe the affected Cisco ASA and Cisco
PIX software versions:
Vulnerable Products
+------------------
The following sections provide details on the versions of Cisco ASA
that are affected by each vulnerability.
The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA device
that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find their software version displayed in
a table in the login window or in the upper left corner of the ASDM
window.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks.
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices that terminate remote access VPN
connections are vulnerable to a denial of service attack if the
device is running software versions prior to 7.2(4)2, 8.0(3)14, and
8.1(1)4.
Potential Information Disclosure in Clientless VPNs
Cisco ASA devices that terminate clientless remote access VPN
connections are vulnerable to potential information disclosure if the
device is running affected 8.0 or 8.1 software versions.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) is not affected by any of
these vulnerabilities. Cisco PIX security appliances running software
versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified
Border Elements (CUBE) are not vulnerable to these issues. No other
Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The following sections provide details to help determine if a device
may be affected by any of the vulnerabilities.
Erroneous SIP Processing Vulnerabilities
Cisco PIX and Cisco ASA devices configured for SIP inspection are
vulnerable to multiple processing errors that may result in denial of
service attacks. A successful
attack may result in a reload of the device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is
configured to support inspection of SIP packets, log in to the device
and issue the CLI command show service-policy | include sip. If the
output contains the text Inspect: sip and some statistics, then the
device has a vulnerable configuration. The following example shows a
vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
These vulnerabilities are documented in the following Cisco Bug IDs
and have been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2732.
* CSCsq07867
* CSCsq57091
* CSCsk60581
* CSCsq39315
IPSec Client Authentication Processing Vulnerability
Cisco PIX and Cisco ASA devices configured to terminate client based
VPN connections are vulnerable to a crafted authentication processing
vulnerability if they are running software versions 7.2, 8.0, or 8.1.
Devices that run software versions 7.0 or 7.1 are not affected by
this vulnerability.
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association
and Key Management Protocol (ISAKMP) enabled on an interface with the
crypto command, such as: crypto isakmp enable outside.
This vulnerability is documented in Cisco Bug ID CSCso69942
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2733.
A successful attack may result in a reload of the device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless
SSL VPNs enabled may be affected by this vulnerability. Devices that
run software versions 7.0 and 7.1 are not affected by this
vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the
default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
These vulnerabilities are documented in Cisco Bug ID CSCso66472
and CSCsq19369. They have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.
Potential Information Disclosure in Clientless VPNs
On Cisco ASA devices configured to terminate clientless VPN
connections, an attacker may be able to discover potentially
sensitive information such as usernames and passwords. This attack
requires an attacker to convince a user to visit a rogue web server,
reply to an e-mail, or interact with a service to successfully
exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with
clientless VPNs enabled may be affected by this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA device
with Clientless VPNs configured and enabled. In this case the Cisco
ASA device will listen for VPN connections on the default port, TCP
port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is
vulnerable to attacks coming from the outside interface due to the
enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-2736.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is calculated in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
Erroneous SIP Processing Vulnerabilities
CSCsq07867 - Memory corruption with traceback in SIP inspection code
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsk60581 - Device reload possible when SIP inspection is enabled
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq39315 - Traceback when processing malformed SIP requests
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IPSec Client Authentication Processing Vulnerability
CSCso69942 - Traceback in Remote Access Authentication Code
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
SSL VPN Memory Leak Vulnerability
CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
URI Processing Error Vulnerability in SSL VPNs
CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Potential Information Disclosure in Clientless VPNs
CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Erroneous SIP Processing
Vulnerabilities, IPSec Client Authentication Processing
Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing
Error Vulnerability in SSL VPNs may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service
attack.
The Potential Information Disclosure in Clientless SSL VPNs
vulnerability may allow an attacker to obtain user and group
credentials if the user interacts with a rogue system or document.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release of each
vulnerability:
+-----------------------------------------------------+
| | | Affected | First |
| Vulnerability | Bug ID | Release | Fixed |
| | | | Release |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)15 |
| | |----------+------------|
| | | 7.1 | 7.1(2)70 |
|Memory | |----------+------------|
| corruption | | 7.2 | Not |
| with traceback | CSCsq07867 | | vulnerable |
|in SIP | |----------+------------|
| inspection | | 8.0 | Not |
| code | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
|Memory | |----------+------------|
| corruption and | | 7.1 | Not |
| traceback when | | | vulnerable |
|inspecting |CSCsq57091 |----------+------------|
| malformed SIP | | 7.2 | 7.2(4)7 |
|packets | |----------+------------|
| | | 8.0 | 8.0(3)20 |
| | |----------+------------|
| | | 8.1 | 8.1(1)8 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 7.1 | Not |
| Device reload | | | vulnerable |
|possible when |CSCsk60581 |----------+------------|
| SIP inspection | | 7.2 | 7.2(3)18 |
|is enabled | |----------+------------|
| | | 8.0 | 8.0(3)8 |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | 7.0(7)16 |
| | |----------+------------|
| | | 7.1 | 7.1(2)71 |
| | |----------+------------|
| Traceback when | | 7.2 | Not |
| processing | CSCsq39315 | | vulnerable |
|malformed SIP | |----------+------------|
| requests | | 8.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| | | 8.1 | Not |
| | | | vulnerable |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Traceback in | | 7.1 | Not |
| Remote Access | | | vulnerable |
|Authentication |CSCso69942 |----------+------------|
| Code | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Crypto memory | | 7.1 | Not |
| leak causing | | | vulnerable |
|Clientless SSL |CSCso66472 |----------+------------|
| VPNs to hang | | 7.2 | 7.2(4)2 |
| | |----------+------------|
| | | 8.0 | 8.0(3)14 |
| | |----------+------------|
| | | 8.1 | 8.1(1)4 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| HTTP | | 7.1 | Not |
| Processing | | | vulnerable |
|Error in |CSCsq19369 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPN | | | vulnerable |
|connections | |----------+------------|
| | | 8.0 | 8.0(3)15 |
| | |----------+------------|
| | | 8.1 | 8.1(1)5 |
|----------------+------------+----------+------------|
| | | 7.0 | Not |
| | | | vulnerable |
| | |----------+------------|
| Potential | | 7.1 | Not |
| Information | | | vulnerable |
|Disclosure in |CSCsq45636 |----------+------------|
| Clientless SSL | | 7.2 | Not |
| VPNs | | | vulnerable |
| | |----------+------------|
| | | 8.0 | 8.0(3)16 |
| | |----------+------------|
| | | 8.1 | 8.1(1)6 |
|-----------------------------+----------+------------|
| | 7.0 | 7.0(7)16 |
| |----------+------------|
| | 7.1 | 7.1(2)72 |
| |----------+------------|
| Recommended Release | 7.2 | 7.2(4)9 |
| |----------+------------|
| | 8.0 | 8.0(4) |
| |----------+------------|
| | 8.1 | 8.1(1)8 |
+-----------------------------------------------------+
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2
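As an added example (not Cisco's tooling), the following Python script applies the first-fixed-release table above: it parses an ASA/PIX release string of the form major.minor(maintenance)interim, reads the running release out of show version output, and lists the Bug IDs whose first fixed release is newer than what the device runs. The table values are copied from the advisory; the sample banner is constructed from the one quoted in the Affected Products section.

```python
"""Compare a Cisco ASA/PIX release against the first-fixed-release table in
cisco-sa-20080903-asa.  Added example; not Cisco's own tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Release strings look like 8.0(3)15 or 7.2(4): major.minor(maintenance)interim.
# The interim number is optional; a release without one sorts before any
# interim build of the same maintenance release (7.2(4) < 7.2(4)2).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")


def parse_release(text: str) -> Tuple[int, int, int, int]:
    """Turn '8.0(3)15' into a comparable tuple (8, 0, 3, 15)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA/PIX release string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


# First fixed release per Bug ID and software train, copied from the
# advisory's table.  None means the train is listed as "Not vulnerable".
FIRST_FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "CSCsq07867": {"7.0": "7.0(7)15", "7.1": "7.1(2)70", "7.2": None, "8.0": None, "8.1": None},
    "CSCsq57091": {"7.0": None, "7.1": None, "7.2": "7.2(4)7", "8.0": "8.0(3)20", "8.1": "8.1(1)8"},
    "CSCsk60581": {"7.0": None, "7.1": None, "7.2": "7.2(3)18", "8.0": "8.0(3)8", "8.1": None},
    "CSCsq39315": {"7.0": "7.0(7)16", "7.1": "7.1(2)71", "7.2": None, "8.0": None, "8.1": None},
    "CSCso69942": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCso66472": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCsq19369": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)15", "8.1": "8.1(1)5"},
    "CSCsq45636": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)16", "8.1": "8.1(1)6"},
}


def unfixed_bugs(release: str) -> List[str]:
    """Return the Bug IDs whose first fixed release is newer than `release`.

    A release equal to the first fixed release counts as fixed.  Trains the
    advisory does not list (e.g. 6.x) raise, rather than silently passing.
    """
    ver = parse_release(release)
    train = f"{ver[0]}.{ver[1]}"
    exposed: List[str] = []
    for bug, fixes in FIRST_FIXED.items():
        if train not in fixes:
            raise ValueError(f"train {train} is not covered by the advisory table")
        fixed = fixes[train]
        if fixed is not None and ver < parse_release(fixed):
            exposed.append(bug)
    return exposed


def release_from_show_version(output: str) -> str:
    """Pull the release out of the 'Software Version' line of show version."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found in show version output")
    return m.group(1)


# Constructed sample banner, modelled on the one quoted in the advisory.
SAMPLE_SHOW_VERSION = """\
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)
"""

if __name__ == "__main__":
    rel = release_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, "still exposed to:", ", ".join(unfixed_bugs(rel)) or "nothing")
```

Feed it a real show version capture to see which of the eight Bug IDs still apply before choosing among the fixed or recommended releases in the table.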
Workarounds
===========
The following workarounds may help some customers mitigate these
vulnerabilities.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml
Erroneous SIP Processing Vulnerabilities
SIP inspection should be disabled if it is not needed and temporarily
disabling the feature will mitigate the SIP processing
vulnerabilities. SIP inspection can be disabled with the command no
inspect sip.
IPSec Authentication Processing Vulnerability
Use strong group credentials for remote access VPN connections and do
not give out the group credentials to end users.
SSL VPN Memory Leak Vulnerability and URI Processing Error
Vulnerability in SSL VPNs
IPSec clients are not vulnerable to this issue and may be used in
conjunction with strong group credentials until the device can be
upgraded.
Potential Information Disclosure in Clientless SSL VPNs
Client based VPN connections are not vulnerable to the information
disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16,
8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as
an alternative to clientless VPNs.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were reported to Cisco by customers that
experienced these issues during normal operation of their equipment
and through internal testing efforts.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sept-03 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFIvsPo86n/Gc8U/uARAmOIAKCcTL2O+3w2mEm0GTe2mcnb0NZ5uQCdG9aV
ldazcXFRcGmkm4g38B67ezM=
=t2NV
-----END PGP SIGNATURE-----
Successful exploitation requires valid user credentials.
Successful exploitation requires that a user is tricked into e.g.
visiting a malicious web server or replying to an e-mail.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0176 | CVE-2008-3530 | IPv6 implementations insecurely update Forwarding Information Base |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
sys/netinet6/icmp6.c in the kernel in FreeBSD 6.3 through 7.1, NetBSD 3.0 through 4.0, and possibly other operating systems does not properly check the proposed new MTU in an ICMPv6 Packet Too Big Message, which allows remote attackers to cause a denial of service (panic) via a crafted Packet Too Big Message. A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.
FreeBSD is prone to a remote denial-of-service vulnerability.
Remote attackers can exploit this issue to cause the kernel's TCP stack to panic, denying service to legitimate users.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:09.icmp6 Security Advisory
The FreeBSD Project
Topic: Remote kernel panics on IPv6 connections
Category: core
Module: sys_netinet6
Announced: 2008-09-03
Credits: Tom Parker, Bjoern A. Zeeb
Affects: All supported versions of FreeBSD.
Corrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name: CVE-2008-3530
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets. The 'Packet Too Big Message' is sent in
case a node cannot forward a packet because the size of the packet is
larger than the MTU of next-hop link.
II.
III. Workaround
Systems without INET6 / IPv6 support are not vulnerable and neither
are systems which do not listen on any IPv6 TCP sockets and have no
active IPv6 connections.
Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this
will at the same time break PMTU support for IPv6 connections.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet6/icmp6.c 1.62.2.11
RELENG_6_3
src/UPDATING 1.416.2.37.2.9
src/sys/conf/newvers.sh 1.69.2.15.2.8
src/sys/netinet6/icmp6.c 1.62.2.9.2.1
RELENG_7
src/sys/netinet6/icmp6.c 1.80.2.7
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/netinet6/icmp6.c 1.80.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFIvu2hFdaIBMps37IRAjxxAJwIIXP+ALAZkvG5m687PC+92BtXTwCfUZdS
AvvrO0r+UAa6bn1H9mFf9So=
=MBB1
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
FreeBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation
Vulnerability
SECUNIA ADVISORY ID:
SA32112
VERIFY ADVISORY:
http://secunia.com/advisories/32112/
CRITICAL:
Less critical
IMPACT:
Spoofing, Exposure of sensitive information, DoS
WHERE:
From local network
OPERATING SYSTEM:
FreeBSD 6.x
http://secunia.com/advisories/product/6778/
DESCRIPTION:
A vulnerability has been reported in FreeBSD, which can be exploited
by malicious people to conduct spoofing attacks, disclose potentially
sensitive information, or to cause a DoS (Denial of Service).
This can be exploited to add a fake entry to the router's
neighbor cache via a neighbor solicitation request containing a
spoofed IPv6 address.
Successful exploitation may allow the interception or disruption of
network traffic, but requires that the IPv6 nodes involved in the
attack are using the same router.
Fixed versions:
2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
Patch for FreeBSD 6.3:
http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc
Patch for FreeBSD 7.0:
http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc
PROVIDED AND/OR DISCOVERED BY:
The vendor credits David Miles.
ORIGINAL ADVISORY:
http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc
OTHER REFERENCES:
US-CERT VU#472363:
http://www.kb.cert.org/vuls/id/472363
----------------------------------------------------------------------
VAR-200809-0335 | CVE-2008-3900 | Intel Vulnerabilities that can capture important information in firmware |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Intel firmware PE94510M.86A.0050.2007.0710.1559 stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer. The BIOS is prone to an information-disclosure vulnerability. Intel firmware PE94510M is Intel's BIOS update applet.
VAR-200809-0312 | CVE-2008-1739 | Apple QuickTime Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Apple QuickTime before 7.4.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted ftyp atoms in a movie file, which triggers memory corruption. QuickTime Player is prone to a denial-of-service vulnerability. QuickTime is a powerful audio and video player produced by Apple Inc. It also triggers memory corruption
VAR-200908-0199 | CVE-2008-6992 | GreenSQL Firewall In SQL Vulnerabilities that bypass the injection protection mechanism |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
GreenSQL Firewall (greensql-fw), possibly before 0.9.2 or 0.9.4, allows remote attackers to bypass the SQL injection protection mechanism via a WHERE clause containing an expression such as "x=y=z", which is successfully parsed by MySQL. GreenSQL Firewall is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions. Successfully exploiting this issue may aid in SQL attacks on the underlying application. The expression used for the bypass is successfully parsed by MySQL.
VAR-200908-0200 | CVE-2008-6993 | Siemens Gigaset WLAN Camera Password Leak Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Siemens Gigaset WLAN Camera 1.27 has an insecure default password, which allows remote attackers to conduct unauthorized activities. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Siemens Gigaset WLAN Camera is reported prone to an insecure-default-password vulnerability.
A remote attacker with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access to the application.
VAR-200903-0061 | CVE-2008-6395 | 3Com Wireless 8760 Dual-Radio 11a/b/g PoE HTTP POST Request Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request. 3Com Wireless 8760 Dual-Radio 11a/b/g PoE Access Point is prone to a denial-of-service vulnerability.
Successfully exploiting this issue will allow attackers to crash the affected application, denying service to legitimate users.
SOLUTION:
Restrict network access to the web management interface.
PROVIDED AND/OR DISCOVERED BY:
Brandon Shilling and r@b13$, Digital Defense, Inc. Vulnerability
Research Team
ORIGINAL ADVISORY:
DDIVRT-2008-14:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064226.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200809-0342 | CVE-2008-3876 | Apple iPhone Access Restriction Bypass Vulnerability |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Apple iPhone 2.0.2, in some configurations, allows physically proximate attackers to bypass intended access restrictions, and obtain sensitive information or make arbitrary use of the device, via an Emergency Call tap and a Home double-tap, followed by a tap of any contact's blue arrow. The iPhone is prone to an information-disclosure vulnerability. The Apple iPhone is a multi-touch smartphone produced by Apple Inc.
VAR-200809-0456 | No CVE | Parallels Plesk Shortnames Feature Mail Relay Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Plesk is a comprehensive control panel solution for managing sites.
If SHORTNAMES = 1 is enabled for mail login in Plesk, qmail will accept, during AUTH LOGIN authentication, any base64-encoded username that starts with a valid shortname. This allows an attacker to log in to mail (or to other services protected by the Plesk authentication module) and to relay spam with the SMTP authentication rights so obtained.
To fix this problem, SHORTNAMES = 1 must be removed from smtp(s)_psa; merely setting it to 0 does not resolve it.
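The following is an added example (not Plesk or qmail code) of the SMTP AUTH LOGIN exchange with the account lookup made pluggable: lookup_by_prefix() is a hypothetical model of the prefix acceptance the entry describes and lookup_exact() the correct check. The account table is constructed. The entry does not say whether the password check is also affected; the model keeps it, so the defect shown is only that any username string starting with a valid shortname is bound to that account.

```python
import base64
import binascii

# Constructed accounts (shortname -> password); not real Plesk data.
ACCOUNTS = {"alice": "hunter2", "bob": "s3cret"}


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def lookup_by_prefix(username: str):
    """Hypothetical model of the described SHORTNAMES=1 behaviour: a supplied
    username is bound to an account if it merely *starts with* its shortname."""
    for short in ACCOUNTS:
        if username.startswith(short):
            return short
    return None


def lookup_exact(username: str):
    """Correct behaviour: the whole presented username must be an account."""
    return username if username in ACCOUNTS else None


def auth_login(client_lines, lookup):
    """Server side of SMTP AUTH LOGIN (RFC 4954 framing): returns the
    transcript and the account the session was authenticated as (or None)."""
    transcript = ["S: 334 VXNlcm5hbWU6"]            # base64("Username:")
    try:
        user_b64, pass_b64 = client_lines
        transcript.append(f"C: {user_b64}")
        username = base64.b64decode(user_b64, validate=True).decode()
        transcript.append("S: 334 UGFzc3dvcmQ6")     # base64("Password:")
        transcript.append(f"C: {pass_b64}")
        password = base64.b64decode(pass_b64, validate=True).decode()
    except (ValueError, binascii.Error, UnicodeDecodeError):
        transcript.append("S: 501 5.5.2 Cannot decode response")
        return transcript, None
    account = lookup(username)
    if account is None or ACCOUNTS[account] != password:
        transcript.append("S: 535 5.7.8 Authentication failed")
        return transcript, None
    transcript.append(f"S: 235 2.7.0 Authentication successful as {account}")
    return transcript, account


def authenticated_as(username: str, password: str, lookup):
    """Convenience wrapper: encode the credentials as a client would and
    return the account the server bound the session to."""
    return auth_login([b64(username), b64(password)], lookup)[1]


if __name__ == "__main__":
    for lookup in (lookup_by_prefix, lookup_exact):
        lines, who = auth_login([b64("alice.anything@evil.example"), b64("hunter2")], lookup)
        print(lookup.__name__, "->", who)
        print("\n".join("   " + l for l in lines))
```

When reviewing qmail or Plesk logs for abuse of this issue, the useful signal is the same one the model exposes: the decoded AUTH LOGIN username is not exactly a provisioned account, yet the session received a 235.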
VAR-200809-0406 | CVE-2008-3101 | vtiger CRM Multiple Cross-Site Scripting Vulnerabilities |
Related entries in the VARIoT exploits database: VAR-E-200809-0435, VAR-E-200809-0436 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. vtiger CRM contains cross-site scripting vulnerabilities: any third party may inject web script or HTML through the parameters listed above. vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.0.4 is vulnerable; other versions may also be affected. A separate cross-site scripting vulnerability exists in the Activities module of vtiger CRM version 5.0.4 (NOTE: the query_string vector is the one covered by CVE-2008-3101). The application is vulnerable to simple Cross Site Scripting,
which can be used for several issues
Example
Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can
inject JavaScript with:
http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script>
http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script>
http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script>
Workaround/Fix
vtiger CRM Security Patch for 5.0.4 [1]
Disclosure Timeline
2008-07-28 Vendor contacted
2008-07-28 Vendor fixed issue in test environment
2008-07-30 Vendor released patch
2008-07-30 Vendor dev stated they'll release a second patch within days
2008-09-01 published advisory, no second patch from upstream yet
CVE Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3101 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
Credits and copyright
This vulnerability was discovered by Fabian Fingerle [2] (published with
help from Hanno Boeck [3]). It's licensed under the creative
commons attribution license [4].
Fabian Fingerle, 2008-09-01
[1] http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5
[2] http://www.fabian-fingerle.de
[3] http://www.hboeck.de
[4] http://creativecommons.org/licenses/by/3.0/de/
--
_GPG_ 3D17 CAC8 1955 1908 65ED 5C51 FDA3 6A09 AB41 AB85
_chaos events near stuttgart_ www.datensalat.eu
Successful exploitation of this vulnerability requires that the
target user has valid user credentials.
The vulnerabilities are confirmed in version 5.0.4.
SOLUTION:
Apply the vendor's official patch:
http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload&tx_abdownloads_pi1%5Buid%5D=128&tx_abdownloads_pi1%5Bcategory_uid%5D=5&cHash=e16be773a5
PROVIDED AND/OR DISCOVERED BY:
Fabian Fingerle
ORIGINAL ADVISORY:
http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html
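A way to confirm the three vectors before and after applying the patch, as an added example that is not part of the advisory or of vtiger: it builds the advisory's probe URLs and classifies whether the probe string comes back raw or HTML-encoded. The install path is the advisory's localhost example, the two sample response bodies are constructed rather than captured from vtiger, and scan() takes an injectable fetch function so it can run offline.

```python
import html
import urllib.request
from urllib.parse import urlencode

BASE = "http://localhost/vtigercrm/index.php"    # the advisory's install path
PAYLOAD = '"><script>alert(1);</script>'         # the advisory's probe string

# (module, action, parameter) for the three vectors of CVE-2008-3101
VECTORS = [
    ("Products", "index", "parenttab"),
    ("Users", "Authenticate", "user_password"),
    ("Home", "UnifiedSearch", "query_string"),
]


def probe_urls(base: str = BASE) -> list:
    """The advisory's three GET requests, with the payload URL-encoded."""
    return [f"{base}?{urlencode({'module': m, 'action': a, p: PAYLOAD})}"
            for m, a, p in VECTORS]


def classify(body: str, payload: str = PAYLOAD) -> str:
    """How the probe came back: 'reflected-raw' (the script would execute),
    'reflected-encoded' (escaped, as a patched page should do) or 'absent'."""
    if payload in body:
        return "reflected-raw"
    if html.escape(payload, quote=True) in body:
        return "reflected-encoded"
    return "absent"


def scan(fetch=None, base: str = BASE) -> dict:
    """Fetch each probe URL and classify the response.  `fetch` is injectable
    so the logic can be exercised against constructed responses offline."""
    if fetch is None:
        def fetch(url):                                   # real request
            with urllib.request.urlopen(url, timeout=10) as r:
                return r.read().decode("utf-8", "replace")
    return {url: classify(fetch(url)) for url in probe_urls(base)}


# Constructed responses (not captured from vtiger): the unpatched shape echoes
# the parameter straight into an attribute; the patched shape HTML-encodes it.
VULNERABLE_BODY = f'<input type="hidden" name="parenttab" value="{PAYLOAD}">'
PATCHED_BODY = ('<input type="hidden" name="parenttab" value="'
                + html.escape(PAYLOAD, quote=True) + '">')


if __name__ == "__main__":
    for url, verdict in scan(fetch=lambda url: VULNERABLE_BODY).items():
        print(verdict, url)
```

Against a live install, scan() with no fetch argument issues the GET requests with urllib; run the Users/Authenticate vector with a throwaway session, since it goes through the login handler. A result of "reflected-encoded" on all three URLs is what the vendor patch should produce.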