CISCO SECURITY ADVISORY


MULTIPLE VULNERABILITIES IN CISCO ASA SOFTWARE

Critical
Advisory ID: cisco-sa-20141008-asa
First Published: 2014 October 8 16:00 GMT
Last Updated: 2015 July 9 15:14 GMT
Version 3.0: Interim
Workarounds: See below
Cisco Bug IDs: CSCtq52661, CSCul36176, CSCum00556, CSCum46027, CSCum56399, CSCum96401, CSCun10916, CSCun11074, CSCuo68327, CSCup36829, CSCuq28582, CSCuq29136, CSCuq41510, CSCuq47574
CVE IDs: CVE-2014-3382, CVE-2014-3383, CVE-2014-3384, CVE-2014-3385, CVE-2014-3386, CVE-2014-3387, CVE-2014-3388, CVE-2014-3389, CVE-2014-3390, CVE-2014-3391, CVE-2014-3392, CVE-2014-3393, CVE-2014-3394
CWE IDs: CWE-16, CWE-20, CWE-287, CWE-362, CWE-399, CWE-78
CVSS Score: Base 9.0, Temporal 7.4
AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C

SUMMARY

 * 2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco
   customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN
   Denial of Service Vulnerability that was disclosed in this Security Advisory.
   Traffic causing the disruption was isolated to a specific source IPv4
   address. Cisco has engaged the provider and owner of that device and
   determined that the traffic was sent with no malicious intent. Cisco strongly
   recommends that customers upgrade to a fixed Cisco ASA software release to
   remediate this issue.
   
   Cisco Adaptive Security Appliance (ASA) Software is affected by the following
   vulnerabilities:
    * Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
    * Cisco ASA VPN Denial of Service Vulnerability
    * Cisco ASA IKEv2 Denial of Service Vulnerability
    * Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
    * Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service
      Vulnerability
    * Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
    * Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
    * Cisco ASA VPN Failover Command Injection Vulnerability
    * Cisco ASA VNMC Command Input Validation Vulnerability
    * Cisco ASA Local Path Inclusion Vulnerability
    * Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service
      Vulnerability
    * Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
    * Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
   
   These vulnerabilities are independent of one another; a release that is
   affected by one of the vulnerabilities may not be affected by the others.
   
   Successful exploitation of the Cisco ASA SQL*NET Inspection Engine Denial of
   Service Vulnerability, Cisco ASA VPN Denial of Service Vulnerability, Cisco
   ASA IKEv2 Denial of Service Vulnerability, Cisco ASA Health and Performance
   Monitor Denial of Service Vulnerability, Cisco ASA GPRS Tunneling Protocol
   Inspection Engine Denial of Service Vulnerability, Cisco ASA SunRPC
   Inspection Engine Denial of Service Vulnerability, and Cisco ASA DNS
   Inspection Engine Denial of Service Vulnerability may result in a reload of
   an affected device, leading to a denial of service (DoS) condition.
   
   Successful exploitation of the Cisco ASA VPN Failover Command Injection
   Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability, and
   Cisco ASA Local Path Inclusion Vulnerability may result in full compromise of
   the affected system.
   
   Successful exploitation of the Cisco ASA Clientless SSL VPN Information
   Disclosure and Denial of Service Vulnerability may result in the disclosure
   of internal information or, in some cases, a reload of the affected system.
   
   Successful exploitation of the Cisco ASA Clientless SSL VPN Portal
   Customization Integrity Vulnerability may result in a compromise of the
   Clientless SSL VPN portal, which may lead to several types of attacks,
   including but not limited to cross-site scripting (XSS), stealing of
   credentials, or redirects of users to malicious web pages.
   
   Successful exploitation of the Cisco ASA Smart Call Home Digital Certificate
   Validation Vulnerability may result in a digital certificate validation
   bypass, which could allow the attacker to bypass digital certificate
   authentication and gain access inside the network via remote access VPN or
   management access to the affected system via the Cisco Adaptive Security
   Device Management (ASDM).
   
   
   Cisco has released software updates that address these vulnerabilities.
   Workarounds that mitigate some of these vulnerabilities are available.
   
   This advisory is available at the following link:
   https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

AFFECTED PRODUCTS

 * Cisco ASA Software running on the following products is affected by multiple
   vulnerabilities:
    * Cisco ASA 5500 Series Adaptive Security Appliances
    * Cisco ASA 5500-X Series Next-Generation Firewalls
    * Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and
      Cisco 7600 Series Routers
    * Cisco ASA 1000V Cloud Firewall
    * Cisco Adaptive Security Virtual Appliance (ASAv)
   
   Affected releases of Cisco ASA Software will vary depending on the specific
   vulnerability. Consult the "Software Versions and Fixes" section of this
   security advisory for more information about the affected releases.
   
   
   VULNERABLE PRODUCTS
   
   Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if SQL*Net inspection is
   enabled.
   
   To determine whether SQL*Net inspection is enabled, use the show
   service-policy | include sqlnet command and verify that an output is
   returned. The following example shows the Cisco ASA Software with SQL*Net
   inspection enabled:
   
   > ciscoasa# show service-policy | include sqlnet
   > Inspect: sqlnet, packet 0, drop 0, reset-drop 0
   
   Note: SQL*Net inspection is enabled by default.
   
   Cisco ASA VPN Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the system is
   configured to terminate IKEv1 and IKEv2 VPN connections. This includes
   LAN-to-LAN, Remote Access VPN both via the IPSec VPN client and IKEv2
   AnyConnect VPN, and L2TP over IPSec VPN connections. Clientless or AnyConnect
   SSL VPNs are not affected by this vulnerability.
   
   To determine whether the Cisco ASA is configured to terminate IKEv1 or IKEv2
   VPN connections, check that a crypto map is configured for at least one
   interface. Administrators should use the show running-config crypto map |
   include interface command and verify that it returns output. The following
   example shows a crypto map called outside_map configured on the outside
   interface:
   
   > ciscoasa# show running-config crypto map | include interface
   > crypto map outside_map interface outside
   
   Note: IKEv1 or IKEv2 VPN are not configured by default.
   
   Cisco ASA IKEv2 Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the system is
   configured to terminate IKEv2 VPN connections. This includes LAN-to-LAN IKEv2
   and AnyConnect IKEv2 VPN connections. To determine whether IKEv2 VPN is
   enabled, use the show running-config crypto ikev2 | include enable command
   and verify that the command returns output. The following example shows a
   Cisco ASA with IKEv2 VPN enabled on the outside interface:
   
   > ciscoasa# show running-config crypto ikev2 | include enable
   > crypto ikev2 enable outside
   
   In addition to having IKEv2 enabled, the Cisco ASA needs to have a crypto map
   configured on the interface where IKEv2 is enabled. This can be determined by
   using the show running-config crypto map | include interface command and
   verifying that it returns output. The following example shows a crypto map
   called outside_map configured on the outside interface:
   
   > ciscoasa# show running-config crypto map | include interface
   > crypto map outside_map interface outside
   
   Note: IKEv2 VPN is not enabled by default.
   
   Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if health and
   performance monitoring (HPM) for ASDM is enabled.
   
   To determine whether HPM is enabled, use the show running-config | include
   hpm command and verify that an output is returned. The following example
   shows the Cisco ASA Software with the HPM feature enabled:
   
   
   
   > ciscoasa# show running-config | include hpm
   > ciscoasa# hpm topn enable
   
   Note: HPM is not enabled by default.
   
   Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service
   Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if GPRS Tunneling
   Protocol (GTP) inspection is enabled.
   
   To determine whether GTP inspection is enabled, use the show service-policy |
   include gtp command and verify that an output is returned. The following
   example shows the Cisco ASA Software with GTP inspection enabled:
   
   > ciscoasa# show service-policy | include gtp
   > Inspect: gtp, packet 0, drop 0, reset-drop 0
   
   Note: GTP inspection is not enabled by default.
   
   Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if SunRPC inspection is
   enabled.
   
   To determine whether SunRPC inspection is enabled, use the show
   service-policy | include sunrpc command and verify that an output is
   returned. The following example shows the Cisco ASA Software with SunRPC
   inspection enabled:
   
   > ciscoasa# show service-policy | include sunrpc
   > Inspect: sunrpc, packet 0, drop 0, reset-drop 0
   
   Note: SunRPC inspection is enabled by default.
   
   Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if DNS inspection is
   enabled.
   
   To determine whether DNS inspection is enabled, use the show service-policy |
   include dns command and verify that an output is returned. The following
   example shows the Cisco ASA Software with DNS inspection enabled:
   
   > ciscoasa# show service-policy | include dns
   > Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
   
   Note: DNS inspection is enabled by default.
   
   Cisco ASA VPN Failover Command Injection Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the system is
   configured to terminate any type of VPN connections, except Clientless SSL
   VPN, and it is configured in high availability (HA) mode (also known as
   failover mode).
   
   Administrators can use the show running-config crypto map | include interface
   command to verify if any type of IKEv1 or IKEv2 IPSec VPNs are configured on
   the system and the show running-config webvpn | include anyconnect command to
   verify if AnyConnect SSL VPN is configured. The following example shows a
   Cisco ASA with both IPSec and AnyConnect SSL VPNs configured:
   
   > ciscoasa# show running-config webvpn | include anyconnect enable
   >  anyconnect enable
   > ciscoasa# show run crypto map | include interface
   >  crypto map outside_map interface outside
   
   Administrators can use the show failover command and verify that the failover
   is ON to determine if high availability mode is configured. The following
   example shows a Cisco ASA with high availability mode enabled:
   
   > ciscoasa# show failover
   > Failover On
   > [...]
   
   Note: This vulnerability affects only HA configurations that do not use a
   failover key to protect failover traffic. HA and VPN are not enabled by
   default.
   
   Cisco ASA VNMC Command Input Validation Vulnerability
   
   All Cisco ASA running an affected version of software are affected by this
   vulnerability.
   
   Cisco ASA Local Path Inclusion Vulnerability
   
   All Cisco ASA running an affected version of software are affected by this
   vulnerability.
   
   Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service
   Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the Clientless SSL
   VPN portal is enabled. To determine whether the Clientless SSL VPN portal is
   enabled use the show running-config webvpn command and verify that webvpn is
   enabled on at least one interface. The following example shows a Cisco ASA
   with the Clientless SSL VPN portal enabled on the outside interface:
   
   > ciscoasa# show running-config webvpn 
   > webvpn
   >  enable outside
   >  [...]
   
   Note: The Clientless SSL VPN portal is not enabled by default.
   
   Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the following
   conditions are met:
    1. Clientless SSL VPN portal functionality is enabled
    2. A default customization object or a newly created customization object
       for Clientless SSL VPN portal has to be previewed in ASDM
   
   To determine whether the Clientless SSL VPN portal is enabled, use the show
   running-config webvpn command and verify that webvpn is enabled on at least
   one interface. The following example shows a Cisco ASA with the Clientless
   SSL VPN portal enabled on the outside interface:
   
   > ciscoasa# show running-config webvpn 
   > webvpn
   >  enable outside
   >  [...]
   
   There is no method to determine if a preview of a customization object has
   been done. The following method is used to preview a customization object. In
   ASDM navigate to CLIENTLESS SSL VPN ACCESS -> PORTAL -> CUSTOMIZATION ->
   PREVIEW.
   
   Additional Indicator of Compromise for Cisco ASA Clientless SSL VPN Portal
   Customization Integrity Vulnerability
   Customers running a vulnerable configuration should verify that the portal
   customization has not been compromised. Customers can verify that the portal
   has not been compromised by exporting the customization objects and manually
   verifying that the objects do not include malicious code.
   
   The new custom object and default customization object (DfltCustomization)
   should be analyzed. To export an SSL VPN portal customization object, use the
   export webvpn customization command, where the is the name of the SSL VPN
   portal customization object being exported and is the name of the file that
   will include a copy of the customization object.
   
   The following example shows how to export the default customization object
   DfltCustomization to a file called Customization_to_verify:
   
   
   
   > ciscoasa# export webvpn customization DfltCustomization Customization_to_verify
   
   The Customization_to_verify file is stored on the device disk and can be
   exported for further analysis.
   
   Customers should repeat this process for all of the customization objects
   that are present on the system.
   
   
   
   Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
   
   Cisco ASA Software is affected by this vulnerability if the Smart Call Home
   (SCH) feature is configured or has been configured on the system. When the
   feature is configured, a digital certificate trustpoint called
   _SmartCallHome_ServerCA is automatically installed on the system. To
   determine whether this trustpoint is installed, use the show running-config
   crypto ca trustpoint _SmartCallHome_ServerCA command and verify that it
   returns output. The following example shows a Cisco ASA with this trustpoint
   installed:
   
   > ciscoasa# show running-config crypto ca trustpoint _SmartCallHome_ServerCA
   > crypto ca trustpoint _SmartCallHome_ServerCA
   >  crl configure
   
   Note: The presence of this trustpoint would make the system vulnerable;
   however, this vulnerability cannot be exploited unless there is another
   feature configured that relies on digital certificates validation services.
   Examples of these features are digital certificate authentication for VPN or
   ASDM connections or TLS-Proxy and Phone-proxy. SCH is not enabled by default.
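
The per-feature checks in this section can be run against a saved CLI transcript rather than read by eye. The following Python sketch is an added example, not Cisco code: it maps each command's output to the CVE that the feature gates. The function names, status labels and sample transcript are constructed for illustration, and a "feature-enabled" result still has to be compared with the affected releases in "Software Versions and Fixes".

```python
import re

PROMPT = re.compile(r"^\S+#\s*(.*)$")  # "ciscoasa# <command>", as in the advisory's examples

# Constructed transcript (not from a real device). GTP and SunRPC were never queried, HPM and
# the trustpoint return nothing, and IKEv2 is enabled on an interface without a crypto map.
SAMPLE_TRANSCRIPT = """\
ciscoasa# show service-policy | include sqlnet
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
ciscoasa# show run crypto map | include interface
crypto map outside_map interface outside
ciscoasa# show running-config crypto ikev2 | include enable
crypto ikev2 enable dmz
ciscoasa# show running-config | include hpm
ciscoasa# show running-config webvpn
webvpn
 enable outside
 anyconnect enable
ciscoasa# show failover
Failover On
ciscoasa# show running-config crypto ca trustpoint _SmartCallHome_ServerCA
ciscoasa#
"""

def split_transcript(text):
    """Map each command typed at a 'hostname#' prompt to the output lines after it."""
    outputs, current = {}, None
    for raw in text.splitlines():
        m = PROMPT.match(raw)
        if m:
            cmd = re.sub(r"\s+", " ", m.group(1).strip())
            # The advisory's examples use both "show run" and "show running-config".
            current = re.sub(r"^show run(ning-config)?\b", "show running-config", cmd) or None
            if current:
                outputs.setdefault(current, [])
        elif current and raw.strip():
            outputs[current].append(raw.rstrip())
    return outputs

def lines_for(outputs, prefix):
    """Output lines of every collected command starting with prefix; None if never run."""
    hits = [lines for cmd, lines in outputs.items() if cmd.startswith(prefix)]
    return [line for lines in hits for line in lines] if hits else None

def any3(*vals):  # three-valued OR over True / False / None (None = not collected)
    return True if True in vals else (None if None in vals else False)

def all3(*vals):  # three-valued AND over True / False / None
    return False if False in vals else (None if None in vals else True)

def status(flag):  # None means the command is missing from the transcript
    return {None: "not-collected", True: "feature-enabled", False: "not-indicated"}[flag]

def review(flag):
    # Preconditions are visible, but the advisory names a further one no listed command shows.
    return "needs-review" if flag else status(flag)

def assess(transcript):
    """Return {CVE: status} from the advisory's 'Vulnerable Products' checks."""
    out = split_transcript(transcript)
    def has_output(prefix):
        lines = lines_for(out, prefix)
        return None if lines is None else bool(lines)
    def interfaces(prefix, pattern):
        lines = lines_for(out, prefix)
        found = {m.group(1) for l in lines or [] if (m := re.match(pattern, l))}
        return None if lines is None else found
    map_if = interfaces("show running-config crypto map", r"\s*crypto map \S+ interface (\S+)")
    ike2_if = interfaces("show running-config crypto ikev2", r"\s*crypto ikev2 enable (\S+)")
    vpn = None if map_if is None else bool(map_if)
    if ike2_if is None or map_if is None:
        ikev2 = False if set() in (ike2_if, map_if) else None
    else:
        ikev2 = bool(ike2_if & map_if)  # the crypto map must sit on the IKEv2 interface
    web = out.get("show running-config webvpn")  # unfiltered command only
    clientless = None if web is None else any(re.match(r"\s*enable \S+", l) for l in web)
    ac = lines_for(out, "show running-config webvpn")
    anyconnect = None if ac is None else any(re.match(r"\s*anyconnect enable", l) for l in ac)
    fo = lines_for(out, "show failover")
    failover = None if fo is None else any(re.match(r"\s*Failover On\b", l) for l in fo)
    inspect = lambda name: status(has_output(f"show service-policy | include {name}"))
    return {
        "CVE-2014-3382": inspect("sqlnet"),
        "CVE-2014-3383": status(vpn),
        "CVE-2014-3384": status(ikev2),
        "CVE-2014-3385": status(has_output("show running-config | include hpm")),
        "CVE-2014-3386": inspect("gtp"),
        "CVE-2014-3387": inspect("sunrpc"),
        "CVE-2014-3388": inspect("dns"),
        # Only HA pairs without a failover key are affected; the key is not checked here.
        "CVE-2014-3389": review(all3(any3(vpn, anyconnect), failover)),
        "CVE-2014-3390": "version-only",  # all ASA on an affected release
        "CVE-2014-3391": "version-only",
        "CVE-2014-3392": status(clientless),
        # Also requires an ASDM preview, which the advisory says cannot be determined.
        "CVE-2014-3393": review(clientless),
        "CVE-2014-3394": status(has_output(
            "show running-config crypto ca trustpoint _SmartCallHome_ServerCA")),
    }
```

A command that is missing from the transcript is reported as "not-collected" rather than "not-indicated", so an incomplete capture is never read as a clean result.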
   
   
   PRODUCTS CONFIRMED NOT VULNERABLE
   
   No other Cisco products are currently known to be affected by these
   vulnerabilities.
   DETAILS
   
    * Cisco Adaptive Security Appliance (ASA) Software is the operating system
      used by the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco
      ASA 5500-X Next Generation Firewall, the Cisco ASA Services Module (ASASM)
      for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, the
      Cisco ASA 1000V Cloud Firewall, and the Cisco Adaptive Security Virtual
      Appliance (ASAv). The Cisco ASA family provides network security services
      such as firewall, intrusion prevention system (IPS), anti-X, and VPN.
      
      Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
      
      
      A vulnerability in SQL*Net inspection engine code could allow an
      unauthenticated, remote attacker to cause a reload of the affected system.
      
      The vulnerability is due to improper handling of crafted SQL REDIRECT
      packets. An attacker could exploit this vulnerability by sending a crafted
      sequence of REDIRECT packets through the affected system.
      
      Note: Only transit traffic that is inspected by the Cisco ASA SQL*Net
      inspection engine can be used to exploit this vulnerability. This
      vulnerability affects both routed and transparent firewall mode in both
      single and multiple context mode. This vulnerability can be triggered by
      IP version 4 (IPv4) and IP version 6 (IPv6) traffic.
      
      This vulnerability is documented in Cisco bug ID CSCum46027 (registered
      customers only) and has been assigned Common Vulnerabilities and Exposures
      (CVE) ID CVE-2014-3382.
      
      Cisco ASA VPN Denial of Service Vulnerability
      
      A vulnerability in the IKE code of Cisco Adaptive Security Appliance (ASA)
      Software could allow an unauthenticated, remote attacker to cause the
      reload of an affected system.
      
      The vulnerability is due to insufficient validation of UDP packets. An
      attacker could exploit this vulnerability by sending crafted UDP packets
      to the affected system. An exploit could allow an attacker to cause a
      reload of an affected system.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects systems configured in
      routed firewall mode only and in single or multiple context mode. This
      vulnerability can be triggered by IP version 4 (IPv4) and IP version 6
      (IPv6) traffic.
      
      This vulnerability is documented in Cisco bug ID CSCul36176 (registered
      customers only) and has been assigned CVE ID CVE-2014-3383.
      
      Cisco ASA IKEv2 Denial of Service Vulnerability
      
      A vulnerability in the IKEv2 code of Cisco ASA Software could allow an
      unauthenticated, remote attacker to cause the reload of an affected
      system.
      
      The vulnerability is due to improper handling of crafted IKEv2 packets. An
      attacker could exploit this vulnerability by sending a crafted packet
      during the establishment of an IKEv2 tunnel. An exploit could allow the
      attacker to cause a reload of the affected system, leading to a DoS
      condition.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects systems configured in
      routed firewall mode only and in single or multiple context mode. This
      vulnerability can be triggered by IPv4 and IPv6 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCum96401 (registered
      customers only) and has been assigned CVE ID CVE-2014-3384.
      
      Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
      
      
      A vulnerability in Health and Performance Monitoring (HPM) for ASDM
      functionality of Cisco Adaptive Security Appliance (ASA) Software could
      allow an unauthenticated, remote attacker to cause a reload of an affected
      device and eventual denial of service (DoS) condition.
      
      The vulnerability is due to a race condition in the operation of the HPM
      functionality. An attacker could exploit this vulnerability by sending a
      large number of half-open simultaneous connections to be established
      through the affected device. An exploit could allow the attacker to cause
      a reload of an affected device, which could lead to a DoS condition.
      
      Note: Only transit TCP traffic can be used to exploit this vulnerability.
      This vulnerability affects both routed and transparent firewall mode in
      both single and multiple context mode. This vulnerability can be triggered
      by IPv4 and IPv6 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCum00556 (registered
      customers only) and has been assigned CVE ID CVE-2014-3385.
      
      Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service
      Vulnerability
      
      A vulnerability in the GPRS Tunneling Protocol (GTP) inspection engine of
      Cisco Adaptive Security Appliance (ASA) Software could allow an
      unauthenticated, remote attacker to cause the reload of an affected
      system.
      
      The vulnerability is due to improper handling of GTP packets when sent in
      a specific sequence. An attacker could exploit this vulnerability by
      sending crafted GTP packets through an affected system. An exploit could
      allow the attacker to cause the reload of an affected system.
      
      Note: Only transit traffic that is inspected by the Cisco ASA GTP
      inspection engine can be used to exploit this vulnerability. This
      vulnerability affects both routed and transparent firewall mode in both
      single and multiple context mode. This vulnerability can only be triggered
      by IPv4 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCum56399 (registered
      customers only) and has been assigned CVE ID CVE-2014-3386.
      
      Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
      
      A vulnerability in the SunRPC inspection engine of Cisco Adaptive Security
      Appliance (ASA) Software could allow an unauthenticated, remote attacker
      to cause the reload of an affected system.
      
      The vulnerability is due to insufficient validation of crafted SunRPC
      packets. An attacker could exploit this vulnerability by sending crafted
      SunRPC packets through the affected system. An exploit could allow the
      attacker to cause the reload of an affected system.
      
      Note: Only transit traffic that is inspected by the Cisco ASA SunRPC
      inspection engine can be used to exploit this vulnerability. This
      vulnerability affects both routed and transparent firewall mode in both
      single and multiple context mode. This vulnerability can be triggered by
      IPv4 and IPv6 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCun11074 (registered
      customers only) and has been assigned CVE ID CVE-2014-3387.
      
      Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
      
      A vulnerability in the DNS inspection engine of Cisco Adaptive Security
      Appliance (ASA) Software could allow an unauthenticated, remote attacker
      to cause the reload of an affected system.
      
      The vulnerability is due to insufficient validation of crafted DNS
      packets. An attacker could exploit this vulnerability by sending crafted
      DNS packets through the affected system. An exploit could allow the
      attacker to cause the reload of an affected system.
      
      Note: Only transit traffic that is inspected by the Cisco ASA DNS
      inspection engine can be used to exploit this vulnerability. This
      vulnerability affects both routed and transparent firewall mode in both
      single and multiple context mode. This vulnerability can be triggered by
      IPv4 and IPv6 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCuo68327 (registered
      customers only) and has been assigned CVE ID CVE-2014-3388.
      
      Cisco ASA VPN Failover Command Injection Vulnerability
      
      A vulnerability in the VPN code of Cisco ASA Software could allow an
      authenticated, remote attacker to submit configuration commands to the
      standby unit via the failover interface. As a result, an attacker could be
      able to take full control of both the active and standby failover units.
      
      The vulnerability is due to improper implementation of the internal filter
      for packets coming from an established VPN tunnel. An attacker could
      exploit this vulnerability by sending crafted packets directed to the
      failover interface IP address.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects only systems configured in
      routed firewall mode and in single or multiple context mode. This
      vulnerability can be triggered by IPv4 and IPv6 traffic.
      
      This vulnerability is documented in Cisco bug ID CSCuq28582 (registered
      customers only) and has been assigned CVE ID CVE-2014-3389.
      
      Cisco ASA VNMC Command Input Validation Vulnerability
      
      A vulnerability in the Virtual Network Management Center (VNMC) policy
      code of Cisco Adaptive Security Appliance (ASA) Software could allow an
      authenticated, local attacker to access the underlying Linux operating
      system with the privileges of the root user.
      
      The vulnerability is due to insufficient sanitization of user-supplied
      input. An attacker could exploit this vulnerability by logging in to an
      affected system as administrator, copying a malicious script onto the
      disk, and executing the script.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects both routed and transparent
      firewall mode in both single and multiple context mode. In default
      configuration, Administration or privilege 15 access is needed in order to
      exploit this vulnerability.
      
      This vulnerability is documented in Cisco bug ID CSCuq41510 (registered
      customers only) and CSCuq47574 (registered customers only) and has been
      assigned CVE ID CVE-2014-3390.
      
      Cisco ASA Local Path Inclusion Vulnerability
      
      A vulnerability in the function that exports environment variables of
      Cisco ASA Software could allow an authenticated, local attacker to inject
      a malicious library and take complete control of the system.
      
      The vulnerability is due to improper setting of the LD_LIBRARY_PATH
      environment. An attacker could exploit this vulnerability by copying a
      malicious library onto the affected system's external memory and
      triggering a reload of the system. An exploit could allow the attacker to
      force the affected system to load a malicious library and access the
      underlying Linux OS, which could lead to a full compromise of the system.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects both routed and transparent
      firewall mode in both single and multiple context mode. In order to
      exploit this vulnerability a reload of the system is needed. In default
      configuration, Administration or privilege 15 access is needed in order to
      exploit this vulnerability.
      
      This vulnerability is documented in Cisco bug ID CSCtq52661 (registered
      customers only) and has been assigned CVE ID CVE-2014-3391.
      
      Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service
      Vulnerability
      
      A vulnerability in the Clientless SSL VPN portal feature could allow an
      unauthenticated, remote attacker to access random memory locations. Due to
      this vulnerability, the attacker may be able to access the information
      stored in memory and in some cases may be able to corrupt this portion of
      memory, which could lead to a reload of the affected system.
      
      The vulnerability is due to insufficient sanitization of user-supplied
      input. An attacker could exploit this vulnerability by setting random
      values on parameters passed during access to the Clientless SSL VPN
      portal.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects only systems configured in
      routed firewall mode and only in single context mode. This vulnerability
      can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is
      required to exploit this vulnerability.
      
      This vulnerability is documented in Cisco bug ID CSCuq29136 (registered
      customers only) and has been assigned CVE ID CVE-2014-3392.
      
      Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
      
      
      A vulnerability in the Clientless SSL VPN portal customization framework
      could allow an unauthenticated, remote attacker to modify the content of
      the Clientless SSL VPN portal, which could lead to several attacks
      including the stealing of credentials, cross-site scripting (XSS), and
      other types of web attacks on the client using the affected system.
      
      The vulnerability is due to an improper implementation of authentication
      checks in the Clientless SSL VPN portal customization framework. An
      attacker could exploit this vulnerability by modifying some of the
      customization objects in the RAMFS cache file system. An exploit could
      allow the attacker to bypass Clientless SSL VPN authentication and modify
      the portal content.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects only systems configured in
      routed firewall mode and only in single context mode. This vulnerability
      can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is
      required to exploit this vulnerability.
      
      This vulnerability is documented in Cisco bug ID CSCup36829 (registered
      customers only) and has been assigned CVE ID CVE-2014-3393.
      
      Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
      
      A vulnerability in the Smart Call Home (SCH) feature of Cisco ASA Software
      could allow an unauthenticated, remote attacker to bypass digital
      certificate validation if any feature that uses digital certificates is
      configured on the affected system.
      
      The vulnerability exists because when SCH is configured, a trustpoint,
      including a VeriSign certificate, is automatically installed. An attacker
      could exploit this vulnerability by presenting a valid certificate signed
      by VeriSign when authenticating to the affected system. An exploit could
      allow the attacker, for example, to bypass digital certificate
      authentication when used by a given feature. Examples of features that
      could be configured to use digital certificates validation include VPN and
      Adaptive Security Device Management (ASDM) authentication, TLS Proxy, and
      Phone Proxy.
      
      Note: Only traffic directed to the affected system can be used to exploit
      this vulnerability. This vulnerability affects both routed and transparent
      firewall mode in both single and multiple context mode. This vulnerability
      can be triggered by IPv4 and IPv6 traffic. A valid TCP handshake is
      required to exploit this vulnerability.
      
      This vulnerability is documented in Cisco bug ID CSCun10916 (registered
      customers only) and has been assigned CVE ID CVE-2014-3394.
   
   WORKAROUNDS
   
    * For the following vulnerabilities there is no workaround except disabling
      the affected feature:
       * Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
       * Cisco ASA VPN Denial of Service Vulnerability
       * Cisco ASA IKEv2 Denial of Service Vulnerability
       * Cisco ASA Health and Performance Monitor Denial of Service
         Vulnerability
       * Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service
         Vulnerability
       * Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
       * Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
       * Cisco ASA VNMC Command Input Validation Vulnerability
       * Cisco ASA Local Path Inclusion Vulnerability
       * Cisco ASA Clientless SSL VPN Information Disclosure and Denial of
         Service Vulnerability
       * Cisco ASA Clientless SSL VPN Portal Customization Integrity
         Vulnerability
       * Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
      
      Note: For the Cisco ASA Smart Call Home Digital Certificate Validation
      Vulnerability, removing the SCH configuration will not remove the
      trustpoint. In order to eliminate the trustpoint, the administrator should
      use the no crypto ca trustpoint command. The following example shows how
      to remove the trustpoint enabled by the SCH feature. Removing this
      trustpoint will cause SCH to stop working correctly.
      
      > ciscoasa(config)# no crypto ca trustpoint _SmartCallHome_ServerCA
      
      For the Cisco ASA VPN Failover Command Injection Vulnerability,
      configuring a failover key would provide a workaround for this issue. To
      configure a failover key, use the failover key command. The following
      example shows how to configure a failover key named cisco-key:
      
      > ciscoasa(config)# failover key cisco-key
      
      Note: The use of the failover ipsec command will not provide a workaround
      to this issue.
   
   FIXED SOFTWARE
   
    * When considering software upgrades, customers are advised to consult the
      Cisco Security Advisories, Responses, and Notices archive at
      http://www.cisco.com/go/psirt and review subsequent advisories to
      determine exposure and a complete upgrade solution.
      
      In all cases, customers should ensure that the devices to be upgraded
      contain sufficient memory and confirm that current hardware and software
      configurations will continue to be supported properly by the new release.
      If the information is not clear, customers are advised to contact the
      Cisco Technical Assistance Center (TAC) or their contracted maintenance
      providers.
      
      Each row of the following Cisco ASA Software table lists the first fixed
      release for each of the vulnerabilities described in this advisory for
      each Cisco ASA major release. The last row of the table gives information
      about the release version that includes the fix for all the
      vulnerabilities described in this advisory for each Cisco ASA major
      release. Customers should upgrade to a release that is equal to or later
      than these release versions.
      
      
      
      
      
      | Vulnerability | 7.2 | 8.2 | 8.3 | 8.4 | 8.5 | 8.6 | 8.7 | 9.0 | 9.1 | 9.2 | 9.3 |
      |---|---|---|---|---|---|---|---|---|---|---|---|
      | CSCum46027 - Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability | 7.2(5.13) | 8.2(5.50) | 8.3(2.42) | 8.4(7.15) | 8.5(1.21) | 8.6(1.14) | 8.7(1.13) | 9.0(4.5) | 9.1(5.1) | Not Affected | Not Affected |
      | CSCul36176 - Cisco ASA VPN Denial of Service Vulnerability | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 9.1(5.1) [1] | Not Affected | Not Affected |
      | CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability | Not Affected | Not Affected | Not Affected | 8.4(7.15) | Not Affected | 8.6(1.14) | Not Affected | 9.0(4.8) | 9.1(5.1) | Not Affected | Not Affected |
      | CSCum00556 - Cisco ASA Health and Performance Monitor Denial of Service Vulnerability | Not Affected | Not Affected | 8.3(2.42) | 8.4(7.11) | 8.5(1.19) | 8.6(1.13) | 8.7(1.11) | 9.0(4.8) | 9.1(4.5) | Not Affected | Not Affected |
      | CSCum56399 - Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability | Not Affected | 8.2(5.51) | Not Affected | 8.4(7.15) | Not Affected | Not Affected | 8.7(1.13) | 9.0(4.8) | 9.1(5.1) | Not Affected | Not Affected |
      | CSCun11074 - Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability | 7.2(5.14) | 8.2(5.51) | 8.3(2.42) | 8.4(7.23) | 8.5(1.21) | 8.6(1.14) | 8.7(1.13) | 9.0(4.5) | 9.1(5.3) | Not Affected | Not Affected |
      | CSCuo68327 - Cisco ASA DNS Inspection Engine Denial of Service Vulnerability | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 9.0(4.13) [2] | 9.1(5.7) [2] | 9.2(2) | Not Affected |
      | CSCuq28582 - Cisco ASA VPN Failover Command Injection Vulnerability | 7.2(5.15) | 8.2(5.51) | 8.3(2.42) | 8.4(7.23) | Not Affected | 8.6(1.15) | Not Affected | 9.0(4.24) | 9.1(5.12) | 9.2(2.6) | 9.3(1.1) |
      | CSCuq41510 and CSCuq47574 - Cisco ASA VNMC Command Input Validation Vulnerability | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 8.7(1.14) | Not Affected | Not Affected | 9.2(2.8) | 9.3(1.1) |
      | CSCtq52661 - Cisco ASA Local Path Inclusion Vulnerability | Not Affected | 8.2(5.52) | Not Available - Upgrade to 8.4 or later | 8.4(3) | Not Available - Upgrade to 9.0 or later | Not Affected | 8.7(1.13) | Not Affected | Not Affected | Not Affected | Not Affected |
      | CSCuq29136 - Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability | Not Affected | 8.2(5.51) | 8.3(2.42) | 8.4(7.23) | Not Affected | 8.6(1.15) | Not Affected | 9.0(4.24) | 9.1(5.12) | 9.2(2.8) | 9.3(1.1) |
      | CSCup36829 - Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability [3] | Not Affected | 8.2(5.51) [3] | 8.3(2.42) [3] | 8.4(7.23) [3] | Not Affected | 8.6(1.14) [3] | Not Affected | 9.0(4.24) [3] | 9.1(5.12) [3] | 9.2(2.4) [3] | Not Affected |
      | CSCun10916 - Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability | Not Affected | 8.2(5.50) | Not Affected | 8.4(7.15) | Not Affected | 8.6(1.14) | 8.7(1.13) | 9.0(4.8) | 9.1(5.1) | Not Affected | Not Affected |
      | Recommended release that fixes all the vulnerabilities in this security advisory | 7.2(5.15) and later | 8.2(5.52) and later | Not Available - Upgrade to 8.4 or later | 8.4(7.23) and later | Not Available - Upgrade to 9.0 or later | 8.6(1.15) and later | 8.7(1.14) and later | 9.0(4.24) and later | 9.1(5.12) and later | 9.2(2.8) and later | 9.3(1.1) and later |

      [1] The Cisco ASA VPN Denial of Service Vulnerability was introduced in
      Cisco ASA Software release 9.1(4.3).
      [2] The Cisco ASA DNS Inspection Engine Denial of Service Vulnerability was
      introduced in Cisco ASA Software releases 9.0(4.8) and 9.1(5.2).
      [3] Customers affected by the Cisco ASA Clientless SSL VPN Portal
      Customization Integrity Vulnerability should read the "Important Note
      about Cisco ASA Clientless SSL VPN Portal Customization Integrity
      Vulnerability" section for additional information on how to mitigate this
      vulnerability.
      
      Note: Cisco ASA Software release 9.3(1.1) will be available by November
      10, 2014
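
      The "equal to or later than" rule for the last row of the table, applied to a
      device inventory. This is an added example, not part of the Cisco advisory:
      the release numbers come from that row, while the inventory, host names,
      function names and the acceptance of the 9.1(5)12 spelling are assumptions.

```python
import re

# Last row of the advisory's fixed-software table: per release train, the first
# release that fixes every vulnerability described in the advisory.
RECOMMENDED = {
    "7.2": "7.2(5.15)", "8.2": "8.2(5.52)", "8.4": "8.4(7.23)",
    "8.6": "8.6(1.15)", "8.7": "8.7(1.14)", "9.0": "9.0(4.24)",
    "9.1": "9.1(5.12)", "9.2": "9.2(2.8)", "9.3": "9.3(1.1)",
}
# Trains for which that row lists no fixed release, only a train to move to.
MIGRATE = {"8.3": "8.4", "8.5": "9.0"}

# Advisory notation is train(maintenance.interim), e.g. 9.1(5.12). The spelling
# 9.1(5)12 is accepted too (assumption: the running release may be shown so).
VERSION_RE = re.compile(r"(\d+\.\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")


def parse_release(text):
    """Return (train, (maintenance, interim)) for the first release in text."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no ASA release string in {text!r}")
    train, maintenance, dotted, trailing = match.groups()
    if dotted is not None and trailing is not None:
        raise ValueError(f"ambiguous interim number in {text!r}")
    interim = dotted if dotted is not None else trailing
    # Integers, not strings: 5.3 is earlier than 5.12, which text order inverts.
    return train, (int(maintenance), int(interim or 0))


def assess(running):
    """Classify a running release against the recommended-release row."""
    train, build = parse_release(running)
    if train in MIGRATE:
        return "migrate", f"no fixed {train} release; upgrade to {MIGRATE[train]} or later"
    if train not in RECOMMENDED:
        return "unknown", f"train {train} is not a column of the table"
    fixed = RECOMMENDED[train]
    if build >= parse_release(fixed)[1]:
        return "fixed", f"equal to or later than {fixed}"
    return "upgrade", f"upgrade to {fixed} or later"


# Constructed inventory for illustration; host names and releases are made up.
INVENTORY = {
    "fw-edge-1": "Cisco Adaptive Security Appliance Software Version 9.1(5)3",
    "fw-edge-2": "9.1(5.12)",
    "fw-dc-1": "8.4(7.3)",
    "fw-lab-1": "8.3(2.42)",
    "fw-old-1": "8.0(5)",
}


def triage(inventory):
    """Map each host to its status: fixed, upgrade, migrate or unknown."""
    return {host: assess(release)[0] for host, release in inventory.items()}


if __name__ == "__main__":
    for host, release in INVENTORY.items():
        status, detail = assess(release)
        print(f"{host:10} {status:8} {detail}")
```

      A "fixed" result covers the software release only; customization objects
      compromised before the upgrade stay in place, as the note that follows explains.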
      
      Important Note about Cisco ASA Clientless SSL VPN Portal Customization
      Integrity Vulnerability
      Customers running a vulnerable configuration, regardless of the software
      release, should verify that the portal customization has not been
      compromised. While upgrading to a fixed version of Cisco ASA Software
      prevents this vulnerability from being exploited further, it will not
      modify any customization objects that have already been compromised and
      are present on the system. If an attacker has already compromised a
      customization object, the compromised object will stay persistent after
      the upgrade.
      
      To verify whether a customization object has been compromised, follow the
      instructions in "Additional Indicator of Compromise for Cisco ASA
      Clientless SSL VPN Portal Customization Integrity Vulnerability" that are
      included in the "Vulnerable Products" section of this advisory.
      
      The following method can be used to restore the default customization
      object (DfltCustomization):
      
       1. Export the default template to a file. The following example shows how
          to export the default template to a file called default_template:
      
          > ciscoasa# export webvpn customization Template default_template
      
       2. Import the default template as default customization object
          (DfltCustomization):
      
          > ciscoasa# import webvpn customization DfltCustomization default_template
      
      Note: This will override any changes done to the default customization
      object (DfltCustomization). It is not possible to remove the default
      customization object (DfltCustomization) from the system.
      
      The import webvpn customization command can also be used to restore
      non-default customization objects after these have been manually edited
      and verified. It is possible to remove any non-default customization
      object by using ASDM and navigating to CLIENTLESS SSL VPN ACCESS -> PORTAL
      -> CUSTOMIZATION. In the CUSTOMIZATION panel, select the non-default
      customization objects and click on Delete.
      
      
      
      
      
      SOFTWARE DOWNLOAD
      
      Cisco ASA Software can be downloaded from the Software Center on Cisco.com
      by visiting http://www.cisco.com/cisco/software/navigator.html
      
      For Cisco ASA 5500 Series Adaptive Security Appliances and Cisco ASA
      5500-X Next Generation Firewall navigate to Products > Security >
      Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA 5500 Series
      Adaptive Security Appliances > > Adaptive Security Appliance (ASA)
      Software. Please note that some of these versions are interim versions and
      can be found by expanding the Interim tab on the download page.
      
      For the Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches
      and Cisco 7600 Series Routers, navigate to Products > Cisco Interfaces and
      Modules > Cisco Services Modules > Cisco Catalyst 6500 Series / 7600
      Series ASA Services Module > Adaptive Security Appliance (ASA) Software.
      Please note that some of these versions are interim versions and can be
      found by expanding the Interim tab on the download page.
      
      For the Cisco ASA 1000V Cloud Firewall, navigate to Products > Security >
      Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA 1000V Cloud
      Firewall > Adaptive Security Appliance (ASA) Software.
      
      For the Cisco Adaptive Security Virtual Appliance (ASAv), navigate to
      Products > Security > Firewalls > Adaptive Security Appliances (ASA) >
      Cisco Adaptive Security Virtual Appliance (ASAv) > Adaptive Security
      Appliance (ASA) Software.
      
   
   EXPLOITATION AND PUBLIC ANNOUNCEMENTS
   
    * The Cisco ASA VPN Failover Command Injection Vulnerability, Cisco ASA VNMC
      Command Input Validation Vulnerability, and Cisco ASA Clientless SSL VPN
      Portal Customization Integrity Vulnerability were reported to Cisco by
      Alec Stuart-Muirk.
      
      Exploitation of the Cisco ASA VPN Failover Command Injection
      Vulnerability, Cisco ASA VNMC Command Input Validation Vulnerability,
      Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability,
      and Cisco ASA Local Path Inclusion Vulnerability has been demonstrated at
      the Ruxcon 2014 security conference by Alec Stuart-Muirk.
      
      The Cisco ASA Clientless SSL VPN Information Disclosure and Denial of
      Service Vulnerability was reported to Cisco by Hyrum M from
      SecurityMetrics.
      A blog post by Hyrum M is also publicly available that demonstrates an
      exploit of this vulnerability.
      
      All the other vulnerabilities described in this advisory have been found
      during internal tests or during the resolution of support cases.
      
      The Cisco Product Security Incident Response Team (PSIRT) is not aware of
      any public announcements concerning the other vulnerabilities described in
      this advisory.
      
      The Cisco PSIRT is aware of malicious use of the Cisco ASA Clientless SSL
      VPN Portal Customization Integrity Vulnerability.
      Customers are advised to read through the "Important Note about Cisco ASA
      Clientless SSL VPN Portal Customization Integrity Vulnerability" in the
      "Software Versions and Fixes" section of this security advisory and to
      upgrade to a version that includes the fix for this vulnerability.
      
      2015-July-08 UPDATE: Cisco PSIRT is aware of disruption to some Cisco
      customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA
      VPN Denial of Service Vulnerability that was disclosed in this Security
      Advisory. Traffic causing the disruption was isolated to a specific source
      IPv4 address. Cisco has engaged the provider and owner of that device and
      determined that the traffic was sent with no malicious intent. Cisco
      strongly recommends that customers upgrade to a fixed Cisco ASA software
      release to remediate this issue.
      
      The Cisco PSIRT is not aware of malicious use of the other vulnerabilities
      that are described in this advisory.
   
   CISCO SECURITY VULNERABILITY POLICY
   
    * To learn about Cisco security vulnerability disclosure policies and
      publications, see the Security Vulnerability Policy. This document also
      contains instructions for obtaining fixed software and receiving security
      vulnerability information from Cisco.
   
   ACTION LINKS FOR THIS ADVISORY
   
    * Snort Rule 3:32114
      Snort Rule 3:32101
      Snort Rule 3:32107
      Snort Rule 3:32108
      Snort Rule 3:32115
      Snort Rule 3:32116
      Snort Rule 3:32110
      Snort Rule 3:32111
      Snort Rule 3:32112
      Snort Rule 3:32113
      Snort Rule 3:32106
   
   RELATED TO THIS ADVISORY
   
    * Cisco ASA Authenticated Linux Shell Access Vulnerability
      Cisco ASA Local Path Inclusion Vulnerability
      Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
      Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
      Cisco PSIRT - Notice about public exploitation of the Cisco ASA Clientless
      SSL VPN Portal Customization Integrity Vulnerability
      Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
      Cisco ASA VPN Denial of Service Vulnerability
      Cisco ASA IKEv2 Denial of Service Vulnerability
      Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
      Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service
      Vulnerability
      Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
      Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
      Cisco ASA VPN Failover Commands Injection Vulnerability
      Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service
      Vulnerability
   
   URL
   
    * https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
   
   REVISION HISTORY
   
    * Revision 3.0, 2015-July-09: Moved the July 8 update information to the top
      of the Summary section.
    * Revision 3.0, 2015-July-08: Updated the "Summary" and "Exploitation and
      Public Announcements" sections of this advisory with additional
      information on CSCul36176 - Cisco ASA VPN Denial of Service Vulnerability.
    * Revision 2.0, 2015-February-11: Added important information about Cisco
      ASA Clientless SSL VPN Portal Customization Integrity Vulnerability -
      CSCup36829 - in the "Vulnerable Products," "Software Versions and Fixes,"
      and "Exploitation and Public Announcements" sections of this advisory.
    * Revision 1.2, 2015-January-13: Added information about first fixed release
      for CSCtq52661.
    * Revision 1.1, 2014-October-24: Updated the target date for Cisco ASA
      Software version 9.3(1.1) and the "Exploitation and Public Announcements"
      section.
    * Revision 1.0, 2014-October-08: Initial public release.
   
   --------------------------------------------------------------------------------
   
   LEGAL DISCLAIMER
   
    * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
      OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
      FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
      OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
      THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO
      UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
      
      A stand-alone copy or paraphrase of the text of this document that omits
      the distribution URL is an uncontrolled copy, and may lack important
      information or contain factual errors. The information in this document is
      intended for end-users of Cisco products.
   