CERT-In Advisory CIAD-2008-27
Multiple Security-Bypass and Denial-of-Service Vulnerabilities in Cisco PIX and Cisco ASA
Original issue date: June 09, 2008
Severity Rating: High
Systems Affected
Cisco Adaptive Security Appliance (ASA) 7.x
Cisco Adaptive Security Appliance (ASA) 8.x
Cisco PIX 7.x
Cisco PIX 8.x
Overview
Multiple vulnerabilities have been reported in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. Four of them can be exploited by a remote attacker to cause a Denial of Service (DoS) condition; the fifth allows control-plane access control lists (ACLs) to be bypassed.
Description
Cisco PIX is a dedicated hardware firewall appliance. The Cisco ASA (Adaptive Security Appliance) is a firewall and VPN security appliance from Cisco Systems; an ASA 5500 can take the place of three separate devices: a Cisco PIX firewall, a Cisco VPN Concentrator, and a Cisco IPS sensor. The following vulnerabilities have been reported in Cisco PIX and ASA 5500 Series appliances.
1. Crafted TCP ACK Packet Vulnerability (CVE-2008-2055)
The vulnerability is caused by an error in the processing of malformed TCP ACK packets sent to the Telnet, SSH, Adaptive Security Device Manager (ASDM), or WebVPN ports of an affected device. A remote attacker could exploit it by sending a malicious TCP packet to one of these exposed services. When the packet is processed, the device may stop responding to further requests, resulting in a DoS condition.
PIX and ASA devices running version 7.1.x or 7.2.x are affected if any of Secure Shell (SSH), WebVPN, or ASDM is enabled. Devices running version 8.0.x are also affected if any of SSH, WebVPN, ASDM, or Telnet is enabled.
Workarounds
- Administrators are advised to restrict remote Telnet, SSH, and ASDM access to affected devices so that only trusted hosts can reach these services.
- Filters that deny packets to TCP ports 22, 23, 80, and 443 may be deployed at the network's ingress access points as part of a transit ACL (tACL) policy, so that the management services of the appliance are not reachable from untrusted networks.
Additional information about tACLs is available at the following URL:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
2. Crafted TLS Packet Vulnerability (CVE-2008-2056)
Cisco ASA and PIX use Transport Layer Security (TLS), a cryptographic protocol for secure communication. The vulnerability is caused by an error in the handling of TLS packets when the HTTPS server is enabled. A remote attacker could exploit it by sending a crafted TLS packet to a port on the affected device that is served by an application handling TLS (for example ASDM or WebVPN over HTTPS). A successful attack could cause the device to crash, resulting in a DoS condition.
This vulnerability affects software version 8.0.x and 8.1.x.
3. Instant Messenger Inspection Vulnerability (CVE-2008-2057)
The Cisco ASA and Cisco PIX Instant Messenger (IM) inspection engine is used to apply fine grained controls on the IM application usage within the network.
The vulnerability is caused by errors in the handling of malformed network packets by the Instant Messenger inspection engine. A remote attacker could exploit it by sending specially crafted Instant Messenger (IM) packets through the affected device. When these packets are processed, the resulting error can render the device unavailable, resulting in a DoS condition. Only devices with Instant Messenger inspection enabled are affected.
This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x.
Workaround
- Disable IM inspection on the security appliance
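The following configuration fragments show how the workarounds listed for vulnerabilities 1 and 3 above are applied. They are added here as an illustration and are not part of the original advisory or of Cisco's own documentation. The interface names (management, outside, GigabitEthernet0/0), the trusted management network 192.0.2.0/24, the firewall's outside address 203.0.113.1, and the policy-map and class names are constructed for this example; substitute the values from your own configuration.

```cisco
! ---- On the PIX/ASA: restrict the management services to trusted hosts ----
! ssh/telnet/http each take <source network> <mask> <interface>; only the listed
! sources may open a session to that service on that interface. Everything else
! is rejected before the TCP ACK handling affected by CVE-2008-2055 is reached.
ssh 192.0.2.0 255.255.255.0 management
telnet 192.0.2.0 255.255.255.0 management
http server enable
http 192.0.2.0 255.255.255.0 management
! Remove any broader entries that were present before, e.g.:
! no ssh 0.0.0.0 0.0.0.0 outside
!
! ---- On the PIX/ASA: disable Instant Messenger inspection (CVE-2008-2057) ----
! Vulnerable state (IM inspection applied in the global policy):
!   policy-map global_policy
!    class inspection_default
!     inspect im
! Workaround: remove the inspect statement from the class that carries it.
policy-map global_policy
 class inspection_default
  no inspect im
!
! ---- On the upstream IOS router: transit ACL (tACL) at the ingress point ----
! Permit the trusted management network, then deny the management-service
! ports toward the firewall's outside address from everyone else. Only the
! firewall's own address is filtered, so transit traffic is unaffected.
ip access-list extended tACL-Policy
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 range 22 23
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 eq 443
 deny tcp any host 203.0.113.1 eq 22
 deny tcp any host 203.0.113.1 eq 23
 deny tcp any host 203.0.113.1 eq 80
 deny tcp any host 203.0.113.1 eq 443
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group tACL-Policy in
```

Verify the result with `show running-config ssh`, `show running-config http`, `show running-config telnet` and `show running-config policy-map` on the appliance, and `show ip access-lists tACL-Policy` on the router. Note that the denied ports must match the ports the services are actually configured on: if ASDM or WebVPN has been moved off 443 (for example with `http server enable 8443`), the tACL has to deny that port instead. The tACL above uses a permit-any default so that it only closes the management services; a stricter tACL policy, as described in the Cisco white paper referenced above, would instead enumerate the permitted traffic and deny the rest.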
4. Port Scan Denial of Service Vulnerability (CVE-2008-2058)
The vulnerability exists because the security appliances do not properly handle certain types of port scans. An attacker could exploit it by running a port scan against TCP port 443 of a vulnerable device with certain (unspecified) vulnerability scanners. A successful attack could cause the device to reload, resulting in a DoS condition.
This vulnerability affects software versions 7.2.x and 8.0.x.
5. Control-plane Access Control List Vulnerability (CVE-2008-2059)
The vulnerability is caused by an error in the enforcement of control-plane Access Control Lists (ACLs): ACLs applied to the control plane may not be enforced after the initial configuration of the PIX and ASA software, so traffic that they are supposed to block can still reach the device. A remote attacker could exploit this to send traffic directly to the device that the control-plane ACL was intended to filter. Unlike the four vulnerabilities above, this is a security bypass rather than a DoS.
This vulnerability affects software versions 8.0.x.
Solution
Upgrade to the fixed software versions listed in the Cisco Security Advisory below.
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml
Vendor Information
Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=15973
http://tools.cisco.com/security/center/viewAlert.x?alertId=15972
http://tools.cisco.com/security/center/viewAlert.x?alertId=15976
http://tools.cisco.com/security/center/viewAlert.x?alertId=15978
http://tools.cisco.com/security/center/viewAlert.x?alertId=15980
References
Cisco PSIRT
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml
AusCERT
http://www.auscert.org.au/render.html?it=9398
SecurityTracker
http://securitytracker.com/alerts/2008/Jun/1020176.html
http://securitytracker.com/alerts/2008/Jun/1020179.html
http://securitytracker.com/alerts/2008/Jun/1020181.html
http://securitytracker.com/alerts/2008/Jun/1020183.html
http://securitytracker.com/alerts/2008/Jun/1020185.html
FrSIRT
http://www.frsirt.com/english/advisories/2008/1750
Secunia
http://secunia.com/advisories/30552/
CVE-Name
CVE-2008-2055
CVE-2008-2056
CVE-2008-2057
CVE-2008-2058
CVE-2008-2059
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003