CERT-In Advisory CIAD-2008-56
Multiple Vulnerabilities in Cisco ASA and PIX IPv6
Original issue date: November 03, 2008
Severity Rating: High
Systems Affected
- Cisco PIX or Cisco ASA prior to 7.0(8)3
- Cisco PIX or Cisco ASA prior to 7.1(2)78
- Cisco PIX or Cisco ASA prior to 7.2(4)15
- Cisco PIX or Cisco ASA prior to 8.0(4)6
- Cisco PIX or Cisco ASA prior to 8.1(1)13
Cisco PIX or ASA devices running PIX and ASA software versions 7.2(4)9 or 7.2(4)10 are vulnerable when configured for IPv6.
Cisco ASA devices running ASA software versions prior to 8.0(4) and prior to 8.1(2) are vulnerable.
Overview
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. These vulnerabilities may allow an attacker to bypass authentication mechanisms or cause a denial-of-service condition.
Description
1. Windows NT Domain Authentication Bypass Vulnerability (CVE-2008-3815)
The vulnerability is due to an error that may occur when the Cisco ASA or PIX device is configured for IPSec or SSL-based VPN access using Microsoft Windows NT Domain authentication. An unauthenticated, remote attacker could exploit the vulnerability to bypass authentication requirements and gain access to internal protected networks.
2. IPv6 Denial of Service Vulnerability (CVE-2008-3816)
This vulnerability is due to an error when processing malicious packets. Devices running affected versions of PIX or ASA software and configured for IPv6 are at risk. Processing a malicious packet could cause the device to fail and automatically restart.
An unauthenticated, remote attacker could exploit the vulnerability by creating and sending a malicious packet to the affected device, resulting in a Denial of Service condition. A stream of packets could cause a device to repeatedly restart, resulting in a persistent Denial of Service condition.
3. Crypto Accelerator Memory Leak Vulnerability (CVE-2008-3817)
The vulnerability exists in the hardware crypto accelerator initialization code when processing maliciously crafted packets. An unauthenticated, remote attacker could exploit the vulnerability by sending a crafted packet to an affected device that is using the crypto accelerator. When processed, a crafted packet could cause the device to reload. Repeated exploits could result in a persistent Denial of Service condition.
Workarounds
- Restrict network access to affected devices.
- Disable access to affected services outside the corporate firewall unless needed for a business purpose, such as to make VPN access available.
- If the IPv6 protocol is not required, disable it using the command "no ipv6 address".
- Configure VPN access using a method other than Windows NT Domain authentication.
- Monitor critical systems for device failures that may indicate exploitation.
Solution
Apply appropriate fixed versions as mentioned in CISCO Security Advisory.
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
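To decide which devices in an inventory need the fixed software, the following added example (not part of the CERT-In or Cisco advisory) compares PIX/ASA version strings against the five thresholds in the Systems Affected list. It encodes only that list, not the per-vulnerability version notes; the hostnames and sample versions are constructed, and a version with no trailing interim number is assumed to precede every interim build of the same maintenance release.

```python
import re

# First fixed release per train, copied from the "Systems Affected" list:
# (major, minor) -> (maintenance, interim)
FIXED = {
    (7, 0): (8, 3),
    (7, 1): (2, 78),
    (7, 2): (4, 15),
    (8, 0): (4, 6),
    (8, 1): (1, 13),
}

# PIX/ASA version syntax: major.minor(maintenance)interim, interim optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")

def parse_version(text):
    """Return ((major, minor), (maintenance, interim)) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    # Assumption: a missing interim number sorts before any interim build.
    interim = int(m.group(4)) if m.group(4) else 0
    return (major, minor), (maint, interim)

def needs_upgrade(text):
    """True if below the listed fix, False if at or above it, None if the train is not listed."""
    train, release = parse_version(text)
    fixed = FIXED.get(train)
    if fixed is None:
        return None  # the advisory gives no threshold for this train
    return release < fixed

def triage(inventory):
    """Map each hostname to UPGRADE, OK, CHECK VENDOR ADVISORY or UNPARSEABLE."""
    labels = {True: "UPGRADE", False: "OK", None: "CHECK VENDOR ADVISORY"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[needs_upgrade(version)]
        except ValueError:
            result[host] = "UNPARSEABLE"
    return result

# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE = {"fw-a": "7.2(4)10", "fw-b": "8.0(4)6", "fw-c": "8.0(4)",
          "fw-d": "7.0(7)12", "fw-e": "8.2(1)", "fw-f": "asa-unknown"}
```

Trains that are not in the list are reported as CHECK VENDOR ADVISORY rather than OK, because the advisory states no threshold for them.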
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
SecurityFocus
http://www.securityfocus.com/bid/31864
http://www.securityfocus.com/bid/31863
http://www.securityfocus.com/bid/31865
CVE Name
CVE-2008-3815
CVE-2008-3816
CVE-2008-3817
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
