CERT-In Advisory CIAD-2007-23
Multiple vulnerabilities in Cisco Adaptive Security Appliance (ASA) and PIX security appliances

Original issue date: May 10, 2007

Severity Rating: Medium

Systems Affected

  • Cisco ASA and PIX security appliances with software versions 7.1 and 7.2

Overview

Multiple vulnerabilities exist in the Cisco Adaptive Security Appliance (ASA) and PIX security appliances, namely:

  • LDAP Authentication Bypass
  • Denial of Service in VPNs with Password Expiry
  • Denial of Service in SSL VPNs

Successful exploitation of the LDAP Authentication bypass may allow unauthorized users to access the device or internal resources. The DoS vulnerability in VPN password expiry may allow an attacker to disconnect VPN users, prevent new connections, or prevent the device from transmitting traffic.

Description

The PIX is a firewall appliance that delivers user and application policy enforcement, multi-vector attack protection, and secure connectivity services.

The Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. The ASA offers firewall, intrusion prevention (IPS), anti-X, and VPN services. The vulnerabilities are as follows:

1. LDAP Authentication Bypass

Cisco devices use the Lightweight Directory Access Protocol (LDAP) to authenticate terminating L2TP over IPSec tunnels or remote management sessions. An authentication vulnerability has been reported when LDAP is used with CHAP, MS-CHAPv1, or MS-CHAPv2 instead of PAP.

Workaround

When using LDAP authentication for L2TP over IPSec connections, PAP may be used as the authentication protocol. For security reasons, the communication can be secured with SSL. Further information is available at:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a008066ebb6.html
http://www.cisco.com/en/US/partner/products/ps6121/products_configuration_guide_chapter09186a00806a81bc.html


For remote management, remote Telnet, SSH and HTTP access are required to be enabled. More information on this matter is available at:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgaccess.htm


2. Denial of Service in VPNs with Password Expiry

Cisco ASA and PIX devices terminating remote access VPN connections may be vulnerable to a DoS attack if the tunnel group is configured with password expiry. This vulnerability can be successfully exploited by an attacker who knows the group name and group password. This may allow an attacker to disconnect VPN users, prevent new connections, or prevent the device from transmitting traffic.

Workaround

This vulnerability can be mitigated by disabling password expiry. More information is available at:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0f8.html#wp1725278


3. Denial of Service in SSL VPNs

Cisco ASAs using clientless SSL VPNs are vulnerable to a denial of service attack via the SSL VPN HTTP server. A successful attack must exploit a race condition in the processing of non-standard SSL sessions and may result in a reload of the device.
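
An added example, not part of the CERT-In advisory or of Cisco's documentation: a Python check that reads a saved ASA/PIX running-config and reports which of the three conditions described above are present. The sample configuration and its names are constructed, and the script assumes the relevant commands appear explicitly in the config; settings left at unprinted defaults are not evaluated.

```python
import re

AFFECTED_TRAINS = {"7.1", "7.2"}  # versions named in the advisory (no fixed builds listed)
NON_PAP = {"chap", "ms-chap-v1", "ms-chap-v2"}  # PPP methods named in item 1

# Constructed sample running-config (names are made up for this example).
SAMPLE = """\
ASA Version 7.2(2)
aaa-server CORP-LDAP protocol ldap
tunnel-group RA-VPN general-attributes
 authentication-server-group CORP-LDAP
 password-management
tunnel-group RA-VPN ppp-attributes
 no authentication chap
 authentication ms-chap-v2
webvpn
 enable outside
"""

def audit(config):
    """Return findings for the three conditions in this advisory."""
    ver = re.search(r"^(?:ASA|PIX) Version (\d+\.\d+)", config, re.M)
    if not ver or ver.group(1) not in AFFECTED_TRAINS:
        return []
    ldap = set(re.findall(r"^aaa-server (\S+) protocol ldap", config, re.M))
    groups, ctx, in_webvpn, webvpn_on, findings = {}, None, False, False, []
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new section
            m = re.match(r"tunnel-group (\S+) (?:general|ppp)-attributes", line)
            ctx = groups.setdefault(
                m.group(1), {"ldap": False, "expiry": False, "ppp": set()}) if m else None
            in_webvpn = line.strip() == "webvpn"
            continue
        cmd = line.split() or [""]
        if in_webvpn and cmd[0] == "enable":
            webvpn_on = True  # clientless SSL VPN enabled on an interface
        elif ctx is not None and cmd[0] == "authentication-server-group":
            ctx["ldap"] = any(tok in ldap for tok in cmd[1:])
        elif ctx is not None and cmd[0] == "password-management":
            ctx["expiry"] = True
        elif ctx is not None and cmd[0] == "authentication" and cmd[-1] in NON_PAP:
            ctx["ppp"].add(cmd[-1])  # "no authentication ..." lines are skipped
    for name, g in sorted(groups.items()):
        findings += [f"{name}: LDAP authentication with {p} (item 1)"
                     for p in sorted(g["ppp"]) if g["ldap"]]
        if g["expiry"]:
            findings.append(f"{name}: password expiry enabled (item 2)")
    if webvpn_on:
        findings.append("clientless SSL VPN enabled (item 3)")
    return findings
```

A finding means the configuration matches a condition named in this advisory on a 7.1 or 7.2 release; whether a given build is fixed has to be confirmed against the vendor advisory listed below.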

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml

References

CIAC
http://www.ciac.org/ciac/bulletins/r-223.shtml

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003