VARIoT IoT vulnerabilities database
| VAR-200904-0266 | CVE-2009-0980 |
Oracle Database of SQLX Functions Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the SQLX Functions component in Oracle Database 10.2.0.3 and 11.1.0.6 allows remote authenticated users to affect integrity and availability, related to AGGXQIMP. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0273 | CVE-2009-0988 |
Oracle Database of Password Policy Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in the Password Policy component in Oracle Database 11.1.0.6 allows remote authenticated users to affect confidentiality via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. Many security standards require the tracking of users' password history to
prevent password re-use. In Oracle 11g (11.1.0.6), if a security
administrator has enabled 11g passwords exclusively then tracking password
history is broken. This can affect compliance. This was addressed by Oracle
in their April 2009 Critical Patch Update and maps to the currently
unspecified vulnerability at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
--
E-MAIL DISCLAIMER
The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.
The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.
NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: Manchester Technology Centre,
Oxford Road, Manchester, M1 7EF with Company Number 04225835 and
VAT Number 783096402
. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0268 | CVE-2009-0982 |
Oracle PeopleSoft Enterprise Of products such as PeopleSoft Enterprise PeopleTools Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.19 allows remote authenticated users to affect integrity via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0429 | CVE-2009-1009 |
Oracle Application Server of Outside In Technology Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Outside In Technology component in Oracle Application Server 8.1.9 allows local users to affect confidentiality, integrity, and availability, related to HTML. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. Oracle Outside In is prone to multiple buffer-overflow vulnerabilities because the software fails to properly bounds-check user-supplied input.
An attacker can exploit these issue by tricking a victim into opening a specially crafted file with an application using the affected library. Successful exploits will allow arbitrary code to run in the context of the user running the affected application.
NOTE: These issues were previously covered in BID 34461 (Oracle April 2009 Critical Patch Update Multiple Vulnerabilities), but have been given their own record to better document them. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDefense Security Advisory 05.14.09
http://labs.idefense.com/intelligence/vulnerabilities/
May 14, 2009
I. BACKGROUND
Oracle Corp.'s Outside In Technology is a document conversion engine
supporting a large number of binary file formats. Prior to Oracle's
acquisition, the software was maintained by Stellent Inc. The software
appears to have originated from "QuickView" for Windows 98, but later
spun off. It is used by various software packages, one of which is
Motorola Inc.'s Good Mobile Messaging Server. For more information,
visit the vendors' sites at the URLs provided below.
http://www.oracle.com/technology/products/content-management/oit/oit_all.html
http://www.good.com/corp/index.php
II. DESCRIPTION
Remote exploitation of multiple buffer overflow vulnerabilities in
Oracle Corp.'s Outside In Technology, as included in various vendors'
software distributions, allow attackers to execute arbitrary code.
Two vulnerabilities exist due to a lack of bounds checking when
processing specially crafted Microsoft Excel spreadsheet files. The two
issues exist in two distinct functions. The two vulnerabilities are
nearly identical, with the differentiating factor being the value of a
flag bit within a record of the file. If the bit is set, the code path
to the first vulnerable function is taken. Otherwise, the code path to
the second vulnerable function is taken.
The cause of the vulnerability is the same in each case. An array of
structures, stored on the stack, is manipulated in a loop without
validating the bounds of the array. By crafting a file containing a
properly malformed record, it is possible to write outside the bounds
of this array. The resulting stack corruption can lead to arbitrary
code execution.
III. ANALYSIS
Exploitation of these vulnerabilities allows attackers to execute
arbitrary code. In order to exploit these vulnerabilities, the attacker
must somehow supply a malformed document to an application that will
process the document with Outside In Technology. Likewise, the
privileges gained will also depend on the software using the library.
In the case of Good Mobile Messaging Server, an attacker can send an
electronic mail message with an Excel spreadsheet attachment to a user.
When the user chooses to view the spreadsheet, the vulnerable condition
will be triggered. Upon successful exploitation, the attacker will gain
the privileges of the "GoodAdmin" user. This is a special user account
which, in some configurations, may be a member of the "Administrator"
group. Regardless of the user's "Administrator" status, the user will
always have full privileges to "Read" and "Send As" all users on the
Microsoft Exchange server. This could allow an attacker to conduct
further social engineering attacks.
Other software packages using Outside In were not investigated.
IV. DETECTION
iDefense confirmed the existence of these vulnerabilities using the
follow versions of Outside In on Windows Server 2003 SP2.
8.1.5.4282
8.1.9.4417
8.2.2.4866
8.3.0.5129
Additionally the following versions of Good Mobile Messaging Server for
Exchange ship with vulnerable versions of vsxl5.dll.
4.9.3.41
5.0.4.28
6.0.0.106
All versions of Outside In, including versions for operating systems
other than Windows, are assumed to be vulnerable. Additionally, all
software that includes or uses Outside In is assumed to be vulnerable.
Earlier versions, including those branded with other names, are
vulnerable as well.
V. WORKAROUND
In order to prevent exploitation of this vulnerability, iDefense
recommends using file system access control lists (ACLs) to prevent
reading the affected module.
For Good Mobile Messaging Server, Good Software recommends deleting the
GdFileConv.exe file and restarting the Messaging Server.
VI. VENDOR RESPONSE
Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Good Technology has released a patch which addresses this issue. For
more information, consult their advisory at the following URL:
http://www.good.com/faq/18431.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-1009 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
01/30/2009 - GoodLink contact identified
01/30/2009 - Security contact research begins
02/05/2009 - Oracle contact identified
02/09/2009 - Initial Oracle Reply
02/09/2009 - Initial Vendor Notification
02/10/2009 - Initial GoodLink Reply
02/11/2009 - Oracle validation
02/16/2009 - GoodLink customer alert sent
02/16/2009 - GoodLink validation
02/19/2009 - Oracle requests PoC
02/19/2009 - PoC sent to Oracle
02/25/2009 - GoodLink status update
02/27/2009 - Oracle status update
03/06/2009 - GoodLink status update
04/14/2009 - Oracle patch released
05/13/2009 - CVE Corelation requested from Oracle
05/14/2009 - Coordinated Public Disclosure
05/14/2009 - GoodLink ready for disclosure coordinated with iDefense
IX. CREDIT
This vulnerability was discovered by Joshua J. Drake, iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2009 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKDc+jbjs6HoxIfBkRAvY9AJ9WjWSDZK8tmiaAo5tLkrRZrDDscwCeJ8qk
0aG0K5EpST6rBQF7jgOIhC8=
=94Xc
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
I. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization. Upon
entering the vulnerable function, data is copied from a heap buffer
into a stack buffer without ensuring that the data will fit.
It is interesting to note that this vulnerability was fixed some time
between the release of version 8.1.5 and version 8.1.9. No public
record exists documenting the existence of this vulnerability.
iDefense confirmed that the following versions are not affected:
8.1.9.4417 (shipped with GMMS 5.0.4.28 and GMMS 6.0.0.106)
8.2.2.4866
8.3.0.5129
V. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0262 | CVE-2009-0976 |
Oracle Database of Workspace Manager In the component LTADM Vulnerabilities related to
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity, related to LTADM. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0261 | CVE-2009-0975 |
Oracle Database of Workspace Manager Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-0978. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0265 | CVE-2009-0979 |
Oracle Database of Resource Manager Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Resource Manager component in Oracle Database 9.2.0.8 and 9.2.0.8DV allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team SHATTER Security Advisory
Buffer Overflow in Resource Manager of Oracle Database - Plan name parameter
August 27, 2009
Risk Level:
Medium
Affected versions:
Oracle Database Server version 9iR1 and 9iR2
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Mart\xednez Fay\xf3 of Application Security Inc.
Details:
The plan name parameter used in ALTER SYSTEM SET RESOURCE_MANAGER_PLAN statement and in SYS.DBMS_RESOURCE_MANAGER.SWITCH_PLAN procedure is vulnerable to buffer overflow attacks. When passing an overly long plan name string a buffer can be overflowed.
Impact:
To exploit this vulnerability it is required to have ALTER SYSTEM privilege. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DoS (Denial of service) killing the Oracle server process.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Restrict ALTER SYSTEM privilege.
CVE:
CVE-2009-0979
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
Timeline:
Vendor Notification - 8/15/2007
Fix - 07/14/2009
Public Disclosure - 08/07/2009
Application Security, Inc's database security solutions have helped over 1,600 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0260 | CVE-2009-0974 |
Oracle Application Server of Portal Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2009-0983 and CVE-2009-3407. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0263 | CVE-2009-0977 |
Oracle Database of Advanced Queuing Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity, related to DBMS_AQIN. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is SQL injection in the GRANT_TYPE_ACCESS procedure in the DBMS_AQADM_SYS package. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125.
PROCEDURE GRANT_TYPE_ACCESS( USER_NAME IN VARCHAR2) IS
GRANT_TXT VARCHAR2(100);
GRANT_OPT VARCHAR2(20) := ' with grant option';
BEGIN
EXECUTE_STMT( 'grant execute on sys.aq$_agent to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_subscribers to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_recipients to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
[...]
Patch Information
Apply the patches for Oracle CPU April 2009. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0259 | CVE-2009-0973 |
Oracle Database of Cluster Ready Services Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Cluster Ready Services component in Oracle Database 10.1.0.5 allows remote attackers to affect availability via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0264 | CVE-2009-0978 |
Oracle Database of Workspace Manager Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-0975. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team SHATTER Security Advisory
Oracle Database SQL Injection vulnerability in LT.ROLLBACKWORKSPACE
May 4, 2009
Risk Level:
High
Affected versions:
Oracle Database Server version 10gR1
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Mart\xednez Fay\xf3 of Application Security Inc.
Details:
Oracle Database provides the "LT" PL/SQL package that is part of the Oracle Workspace Manager component (DBMS_WM public synonym). This package has a SQL Injection instance in ROLLBACKWORKSPACE procedure. Dependening on what Oracle Workspace Manager release is installed, this PL/SQL package is owned by SYS (on older releases) or by WMSYS (on newer releases). A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the package owner, depending on the system configuration it can be SYS or WMSYS.
Impact:
By default [WM]SYS.LT has EXECUTE permission to PUBLIC so any Oracle Database user can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS or WMSYS privileges.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Restrict access to the [WM]SYS.LT package.
CVE:
CVE-2009-0978
Links:
Application Security, Inc advisory: http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Timeline:
Vendor Notification - 8/22/2007
Fix - 4/14/2009
Public Disclosure - 5/04/2009
Application Security, Inc's database security solutions have helped over 1000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200904-0258 | CVE-2009-0972 |
Oracle Database of Workspace Manager Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Workspace Manager component in Oracle Database 11.1.0.6, 11.1.0.7, 10.2.0.3, 10.2.0.4, 10.1.0.5, 9.2.0.8, and 9.2.0.8DV allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
For more information see vulnerability #6 through #9 in:
SA34693
SOLUTION:
The vendor recommends to delete the GdFileConv.exe file. See vendor's
advisory for additional details.
Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Some have unknown impacts, others can be exploited by malicious users
to conduct SQL injection attacks or disclose sensitive information,
and by malicious people compromise a vulnerable system.
1) A format string error exists within the Oracle Process Manager and
Notification (opmn) daemon, which can be exploited to execute
arbitrary code via a specially crafted POST request to port
6000/TCP.
2) Input passed to the "DBMS_AQIN" package is not properly sanitised
before being used. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) An error in the Application Express component included in Oracle
Database can be exploited by unprivileged database users to disclose
APEX password hashes in "LOWS_030000.WWV_FLOW_USER".
The remaining vulnerabilities are caused due to unspecified errors.
No more information is currently available.
PROVIDED AND/OR DISCOVERED BY:
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
The vendor also credits:
* Joshua J. Drake of iDefense
* Gerhard Eschelbeck of Qualys, Inc.
* Esteban Martinez Fayo of Application Security, Inc.
* Franz Huell of Red Database Security;
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* David Litchfield of NGS Software
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/
Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0002 | CVE-2009-0189 |
Oracle April 2009 Critical Patch Update Multiple Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: - CVSS V3: - Severity: - |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1012. Reason: This candidate is a reservation duplicate of CVE-2009-1012. Notes: All CVE users should reference CVE-2009-1012 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. ======================================================================
Secunia Research 15/04/2009
- Oracle BEA WebLogic Server Plug-ins Integer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Oracle BEA WebLogic Server Plug-ins version 1.0.1166189.
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From Remote
======================================================================
3) Vendor's Description of Software
"... the world's best application server for building and deploying
enterprise applications and services ...".
Product Link:
http://www.oracle.com/technology/products/weblogic/index.html
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in the Oracle BEA
WebLogic Server plug-ins for web servers, which can be exploited by
malicious people to compromise a vulnerable system.
The Oracle BEA WebLogic Server can be configured to receive requests
via an Apache, Sun, or IIS web server. In this case, a plug-in is
installed in the Internet-facing web server that passes the request to
a WebLogic server. An integer overflow when parsing HTTP requests can
be exploited to cause a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Apply patches released by the vendor.
======================================================================
6) Time Table
01/03/2009 - Vendor notified.
06/03/2009 - Vendor response requesting more information.
06/03/2009 - Sent PoC to vendor.
10/03/2009 - Vendor confirms vulnerability.
12/03/2009 - Vendor requests more information.
15/03/2009 - Supplemental information sent to vendor.
17/03/2009 - Vendor confirms and provides preliminary patch.
15/04/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Dyon Balding, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0189 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-22/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-200904-0424 | CVE-2009-1003 |
BEA Product Suite of WebLogic Server Component vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200904-0197, VAR-E-200904-0196 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect integrity via unknown vectors related to "access to source code of web pages.". Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:
Oracle Database
Oracle Audit Vault
Oracle Application Server
Oracle Outside In SDK HTML Export
Oracle XML Publisher
Oracle BI Publisher
Oracle E-Business Suite
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle Data Service Integrator
Oracle AquaLogic Data Services Platform
Oracle JRockit. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - April 2009. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Critical Patch Update Advisory - April 2009 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-105A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
April 15, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4
2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do
dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM
h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy
11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU
bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==
=kziE
-----END PGP SIGNATURE-----
| VAR-200904-0280 | CVE-2009-1155 | Cisco PIX/ASA Vulnerabilities that bypass authentication |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.1(1) through 7.1(2)82, 7.2 before 7.2(4)27, 8.0 before 8.0(4)25, and 8.1 before 8.1(2)15, when AAA override-account-disable is entered in a general-attributes field, allow remote attackers to bypass authentication and establish a VPN session to an ASA device via unspecified vectors.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. Cisco ASA and
Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and
8.1 are affected when configured for any of the following features:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice
Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
Cisco ASA and Cisco PIX security appliances may experience a device
reload that can be triggered by a series of crafted H.323 packets, when
H.323 inspection is enabled. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX
device. A successful attack may result in a sustained DoS condition.
A Cisco ASA device configured for any of the following features is
affected:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* cTCP for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent
to any TCP based service that terminates on the affected device. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device
that is configured with H.323 inspection. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. A series of SQL*Net packets
may cause a denial of service condition on a Cisco ASA and Cisco PIX
device that is configured with SQL*Net inspection. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL. A vulnerability exists
in the Cisco ASA and Cisco PIX that may allow traffic to bypass the
implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
Devices configured for SSL VPN (clientless or client-based) or accepting
ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200904-0281 | CVE-2009-1156 | Cisco PIX/ASA In SSL/HTTP Packet service disruption (DoS) Vulnerabilities |
CVSS V2: 5.7 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series devices 8.0 before 8.0(4)25 and 8.1 before 8.1(2)15, when an SSL VPN or ASDM access is configured, allows remote attackers to cause a denial of service (device reload) via a crafted (1) SSL or (2) HTTP packet. Cisco PIX Security Appliance and ASA 5500 Series Adaptive Security Appliance are prone to multiple denial-of-service vulnerabilities, an ACL-bypass vulnerability, and an authentication-bypass vulnerability.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX
device. A successful attack may result in a sustained DoS condition. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL. A vulnerability exists
in the Cisco ASA and Cisco PIX that may allow traffic to bypass the
implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200904-0282 | CVE-2009-1157 | Cisco PIX/ASA In TCP Denial of service regarding packets (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)6, 7.1 before 7.1(2)82, 7.2 before 7.2(4)30, 8.0 before 8.0(4)28, and 8.1 before 8.1(2)19 allows remote attackers to cause a denial of service (memory consumption or device reload) via a crafted TCP packet.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
VPN Authentication Bypass Vulnerability
+--------------------------------------
Cisco ASA or Cisco PIX security appliances that are configured for IPsec
or SSL-based remote access VPN and have the Override Account Disabled
feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability. A successful attack may result in a sustained DoS condition.
A Cisco ASA device configured for any of the following features is
affected:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* cTCP for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent
to any TCP based service that terminates on the affected device. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device
that is configured with H.323 inspection. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL. A vulnerability exists
in the Cisco ASA and Cisco PIX that may allow traffic to bypass the
implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
Devices configured for SSL VPN (clientless or client-based) or accepting
ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200904-0283 | CVE-2009-1158 | Cisco ASA In H.323 Packet service disruption (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series devices 7.0 before 7.0(8)6, 7.1 before 7.1(2)82, 7.2 before 7.2(4)26, 8.0 before 8.0(4)24, and 8.1 before 8.1(2)14, when H.323 inspection is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted H.323 packet.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX
device. A successful attack may result in a sustained DoS condition.
A Cisco ASA device configured for any of the following features is
affected:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* cTCP for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent
to any TCP based service that terminates on the affected device. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL. A vulnerability exists
in the Cisco ASA and Cisco PIX that may allow traffic to bypass the
implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
Devices configured for SSL VPN (clientless or client-based) or accepting
ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200904-0284 | CVE-2009-1159 | Cisco PIX/ASA In SQL*Net Packet service disruption (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.2 before 7.2(4)26, 8.0 before 8.0(4)22, and 8.1 before 8.1(2)12, when SQL*Net inspection is enabled, allows remote attackers to cause a denial of service (traceback and device reload) via a series of SQL*Net packets.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX
device. A successful attack may result in a sustained DoS condition.
A Cisco ASA device configured for any of the following features is
affected:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* cTCP for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent
to any TCP based service that terminates on the affected device. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device
that is configured with H.323 inspection. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL. A vulnerability exists
in the Cisco ASA and Cisco PIX that may allow traffic to bypass the
implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
Devices configured for SSL VPN (clientless or client-based) or accepting
ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200904-0285 | CVE-2009-1160 | Cisco PIX/ASA Vulnerable to access restrictions |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)1, 7.1 before 7.1(2)74, 7.2 before 7.2(4)9, and 8.0 before 8.0(4)5 do not properly implement the implicit deny statement, which might allow remote attackers to successfully send packets that bypass intended access restrictions, aka Bug ID CSCsq91277.
Remote attackers can exploit these issues to cause an affected device to reload, to force network traffic to bypass ACL rules, or to gain unauthorized access to an affected device. Successful exploits may facilitate further attacks.
These issues are documented by the following Cisco Bug IDs:
CSCsx47543 further documents the issue tracked by CVE-2009-1155.
CSCsv52239 further documents the issue tracked by CVE-2009-1156.
CSCsy22484 further documents the issue tracked by CVE-2009-1157.
CSCsx32675 further documents the issue tracked by CVE-2009-1158.
CSCsw51809 further documents the issue tracked by CVE-2009-1159.
CSCsq91277 further documents the issue tracked by CVE-2009-1160. This implied rejection is a design decision and does not require any configuration. It can be understood as rejecting all unspecified ACEs that reach the end of the ACL. This security
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following is a list of the products affected by each vulnerability
as described in detail within this advisory.
Note: The Override Account Disabled feature was introduced in Cisco
ASA software version 7.1(1). This feature is
disabled by default. Only Cisco ASA software versions 8.0 and 8.1 are
affected by this vulnerability. Cisco ASA and
Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and
8.1 are affected when configured for any of the following features:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice
Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
Cisco ASA and Cisco PIX security appliances may experience a device
reload that can be triggered by a series of crafted H.323 packets, when
H.323 inspection is enabled. H.323 inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1
are affected by this vulnerability. SQL*Net inspection is enabled by default.
Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected
by this vulnerability. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
<output truncated>
The following example shows a Cisco PIX security appliance that runs
software version 8.0(4):
PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
<output truncated>
Customers who use Cisco ASDM to manage their devices can find the
software version displayed in the table in the login window or in the
upper left corner of the ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series
Concentrators are not affected by any of these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other. However, the user must provide the correct
credentials in order to login to the VPN.
Note: The override account feature was introduced in Cisco ASA software
version 7.1(1).
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode, as shown in the following example. The following
example allows overriding the "account-disabled" indicator from the AAA
server for the WebVPN tunnel group "testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
A crafted SSL or HTTP packet may cause a DoS condition on a Cisco
ASA device that is configured to terminate SSL VPN connections. This
vulnerability can also be triggered to any interface where ASDM access
is enabled. A successful attack may result in a reload of the device. A
TCP three-way handshake is not needed to exploit this vulnerability.
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX
device. A successful attack may result in a sustained DoS condition.
A Cisco ASA device configured for any of the following features is
affected:
* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* cTCP for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent
to any TCP based service that terminates on the affected device. The
vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is
not needed to exploit this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device
that is configured with H.323 inspection. H.323 inspection is enabled by
default. A successful attack may result in a reload of the device. A TCP
three-way handshake is not needed to exploit this vulnerability. A series of SQL*Net packets
may cause a denial of service condition on a Cisco ASA and Cisco PIX
device that is configured with SQL*Net inspection. SQL*Net inspection is
enabled by default. A successful attack may result in a reload of the
device.
The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.
Access Control List Bypass Vulnerability
+---------------------------------------
Access lists have an implicit deny behavior that is applied to packets
that have not matched any of the permit or deny ACEs in an ACL and reach
the end of the ACL. This implicit deny is there by design, does not
require any configuration and can be understood as an implicit ACE that
denies all traffic reaching the end of the ACL.
Note: This behavior only impacts the implicit deny statement on any
ACL applied on the device. Access control lists with explicit deny
statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance
to see whether the packet is operating correctly with the packet tracer
tool. The "packet-tracer" command provides detailed information about
the packets and how they are processed by the security appliance. If a
command from the configuration did not cause the packet to drop, the
"packet-tracer" command will provide information about the cause in an
easily readable manner. You can use this feature to see if the implicit
deny on an ACL is not taking effect. The following example shows that
the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1a09d350, priority=1, domain=permit, deny=false
hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
This vulnerability is documented in Cisco Bug ID CSCsq91277 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifiers
CVE-2009-1160.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* AAA account-override-ignore allows VPN session without correct
password (CSCsx47543)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.8
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash with certain HTTP packets (CSCsv52239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Cisco ASA may crash after processing certain TCP packets (CSCsy22484)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crafted H.323 packet may cause ASA to reload (CSCsx32675)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* sqlnet traffic causes traceback with inspection configured
(CSCsw51809)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ACL Misbehavior in Cisco ASA (CSCsq91277)
CVSS Base Score - 4.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the VPN Authentication Bypass when Account
Override Feature is Used vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or
SSL-based VPN. Repeated exploitation could result in
a sustained DoS condition. Successful exploitation of the ACL bypass
vulnerability may allow an attacker to access resources that should be
protected by the Cisco ASA.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following table contains the first fixed software release of each
vulnerability. The "Recommended Release" row indicates the releases
which have fixes for all the published vulnerabilities at the time
of this Advisory. A device running a version of the given release in
a specific row (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Release" row of the table.
+------------------------------------------------------+
| | Affected | First | Recommended |
| Vulnerability | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| VPN | | vulnerable | |
|Authentication |----------+------------+-------------|
| Bypass when | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Account |----------+------------+-------------|
| Override | 7.2 | 7.2(4)27 | 7.2(4)30 |
|Feature is |----------+------------+-------------|
| Used | 8.0 | 8.0(4)25 | 8.0(4)28 |
|Vulnerability |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted HTTP | | vulnerable | |
|packet DoS |----------+------------+-------------|
| Vulnerability | 7.2 | Not | 7.2(4)30 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)25 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)15 | 8.1(2)16 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted TCP |----------+------------+-------------|
| Packet DoS | 7.2 | 7.2(4)30 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)28 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)19 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)6 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)82 | 7.1(2)82 |
|Crafted H.323 |----------+------------+-------------|
| packet DoS | 7.2 | 7.2(4)26 | 7.2(4)30 |
|Vulnerability |----------+------------+-------------|
| | 8.0 | 8.0(4)24 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)14 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | Not | 7.0(8)6 |
| | | vulnerable | |
| |----------+------------+-------------|
| | 7.1 | Not | 7.1(2)82 |
| Crafted SQL | | vulnerable | |
|packet DoS |----------+------------+-------------|
| vulnerability | 7.2 | 7.2(4)26 | 7.2(4)30 |
| |----------+------------+-------------|
| | 8.0 | 8.0(4)22 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | 8.1(2)12 | 8.1(2)19 |
|----------------+----------+------------+-------------|
| | 7.0 | 7.0(8)1 | 7.0(8)6 |
| |----------+------------+-------------|
| | 7.1 | 7.1(2)74 | 7.1(2)82 |
|Access control |----------+------------+-------------|
| list (ACL) | 7.2 | 7.2(4)9 | 7.2(4)30 |
|bypass |----------+------------+-------------|
| vulnerability | 8.0 | 8.0(4)5 | 8.0(4)28 |
| |----------+------------+-------------|
| | 8.1 | Not | 8.1(2)19 |
| | | vulnerable | |
+------------------------------------------------------+
Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are independent
of each other.
VPN Authentication Bypass Vulnerability
+--------------------------------------
The override account feature is enabled with the
"override-account-disable" command in "tunnel-group general-attributes"
configuration mode. As a workaround, disable this feature using the "no
override-account-disable" command.
Crafted HTTP Packet DoS Vulnerability
+------------------------------------
Devices configured for SSL VPN (clientless or client-based) or accepting
ASDM management connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators
should make sure that ASDM connections are only allowed from trusted
hosts.
To identify the IP addresses from which the security appliance
accepts HTTPS connections for ASDM, configure the "http" command for
each trusted host address or subnet. The following example, shows
how a trusted host with IP address 192.168.1.100 is added to the
configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
Crafted TCP Packet DoS Vulnerability
+-----------------------------------
There are no workarounds for this vulnerability.
Crafted H.323 Packet DoS Vulnerability
+-------------------------------------
H.323 inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. H.323 inspection
can be disabled with the command "no inspect h323".
SQL*Net Packet DoS Vulnerability
+-------------------------------
SQL*Net inspection should be disabled if it is not needed. Temporarily
disabling the feature will mitigate this vulnerability. SQL*Net
inspection can be disabled with the command "no inspect sqlnet".
Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------
As a workaround, remove the "access-group" line applied on the interface
where the ACL is configured and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called "acl-inside" is removed
and reapplied to the inside interface. Alternatively, you can add an
explicit "deny ip any any" line in the bottom of the ACL applied on that
interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at
the end of "access-list 100".
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The crafted TCP packet DoS vulnerability was discovered and reported
to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon
Business.
The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and
Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities, and welcomes the opportunity to
review and assist in product reports.
All other vulnerabilities were found during internal testing and during
the resolution of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Apr 08, 2009 Document ID: 109974
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
SOLUTION:
Update to the fixed versions (please see the vendor advisory for
patch information).
PROVIDED AND/OR DISCOVERED BY:
3) The vendor credits Gregory W.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
OTHER REFERENCES:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor