Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:
- DHCP Memory Allocation Denial of Service Vulnerability
- SSL VPN Authentication Denial of Service Vulnerability
- SIP Inspection Media Update Denial of Service Vulnerability
- DCERPC Inspection Buffer Overflow Vulnerability
- Two DCERPC Inspection Denial of Service Vulnerabilities
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.
Cisco has released software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa
Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm
The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.
To determine whether the DHCP server feature is enabled on Cisco ASA Software, use the show dhcpd state command and verify that at least one interface is configured as a DHCP server. The following example shows Cisco ASA Software with the DHCP server enabled on the inside interface:
ciscoasa# show dhcpd state
Context Configured as DHCP Server
Interface inside, Configured for DHCP SERVER
To determine whether the DHCP relay feature is enabled on Cisco ASA Software, use the show dhcprelay state command and verify that DHCP relay is active. The following example shows Cisco ASA Software with DHCP relay enabled:
ciscoasa# show dhcprelay state
Context Configured as DHCP Relay
Interface outside, Configured for DHCP RELAY SERVER
Interface inside, Configured for DHCP RELAY
Note: By default, DHCP server is enabled on the inside interface of the Cisco ASA 5505 and on the management interface of all other Cisco ASA 5500 Series Adaptive Security Appliances. DHCP server is disabled by default on Cisco Catalyst 6500 Series ASA Services Module.
The DHCP relay feature is not enabled by default on any Cisco ASA 5500 Series Adaptive Security Appliances or Cisco Catalyst 6500 Series ASA Services Module platform.
This vulnerability may affect Cisco ASA Software configured for Clientless or AnyConnect SSL VPN. Cisco ASA Software configured as an IPsec VPN server, IPsec/L2TP VPN server or IKEv2 AnyConnect VPN server is not affected. Because this vulnerability is triggered when receiving a crafted authentication challenge-response, Cisco ASA Software is not affected when configured to use an AAA protocol that does not support the challenge option, or when the challenge option is disabled.
To be affected, the Cisco ASA Software must have SSL VPN enabled and the tunnel group configured to authenticate to a remote AAA server using an AAA protocol that has the AAA challenge option enabled.
Currently, the following AAA setups may be configured with the challenge option enabled and are therefore considered vulnerable:
To determine whether Cisco ASA Software has SSL VPN enabled, use the show running-config webvpn command and verify that SSL VPN is enabled on at least one interface. The following example shows Cisco ASA Software with SSL VPN enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
 enable outside
To determine whether the Cisco ASA Software has a tunnel group configured for a remote AAA server, use the show running-config tunnel-group command. The following example shows the tunnel group WebVPN configured to authenticate against the AAA server group RSA:
ciscoasa# show running-config tunnel-group WebVPN general-attributes
tunnel-group WebVPN general-attributes
 authentication-server-group RSA
To determine which AAA protocol is in use for a given AAA server group, use the show aaa-server command. The following example shows the AAA server group RSA configured with the SDI protocol:
ciscoasa# show aaa-server RSA
Server Group: RSA
Server Protocol: sdi
Note: SSL VPN is not enabled by default. The default AAA setting for tunnel group is LOCAL which is not affected by this vulnerability.
To determine whether SIP inspection is enabled on Cisco ASA Software, use the show service-policy command and look for the sip inspection engine. The following example shows Cisco ASA Software with SIP inspection enabled:
ciscoasa# show service-policy | include sip
Inspect: sip , packet 67, drop 0, reset-drop 0
Note: SIP inspection functionality is enabled by default.
To determine whether DCERPC inspection is enabled on Cisco ASA Software, use the show service-policy command and look for the dcerpc inspection engine. The following example shows Cisco ASA Software with DCERPC inspection enabled:
ciscoasa# show service-policy | include dcerpc
Inspect: dcerpc, packet 0, drop 0, reset-drop 0
Note: DCERPC inspection is not enabled by default.
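As an added example (this editor's code, not Cisco's and not part of the advisory), the following Python takes the output of the show commands above and maps each enabled feature to the advisory entry it exposes. The sample outputs are constructed from the examples on this page, and the feature-to-entry mapping is an assumption drawn from the advisory's own affected-configuration text.

```python
import re

# Constructed sample outputs, modelled on the examples in this advisory. In a
# real assessment, paste in the output of the same commands from the device.
SAMPLE_OUTPUT = {
    "show dhcpd state": "Context Configured as DHCP Server\n"
                        "Interface inside, Configured for DHCP SERVER\n",
    "show dhcprelay state": "Context Configured as DHCP Relay\n"
                            "Interface outside, Configured for DHCP RELAY SERVER\n"
                            "Interface inside, Configured for DHCP RELAY\n",
    "show running-config webvpn": "webvpn\n enable outside\n",
    "show service-policy": "Inspect: sip , packet 67, drop 0, reset-drop 0\n"
                           "Inspect: dcerpc, packet 0, drop 0, reset-drop 0\n",
}

# (feature, command whose output carries the evidence, line pattern, advisory entry).
# SSL VPN being enabled is only the first of the advisory's conditions; the
# tunnel-group AAA protocol and its challenge option still have to be checked.
CHECKS = [
    ("DHCP server", "show dhcpd state", r"Configured for DHCP SERVER$",
     "DHCP Memory Allocation DoS"),
    ("DHCP relay", "show dhcprelay state", r"Configured for DHCP RELAY( SERVER)?$",
     "DHCP Memory Allocation DoS"),
    ("SSL VPN", "show running-config webvpn", r"^enable \S+",
     "SSL VPN Authentication DoS"),
    ("SIP inspection", "show service-policy", r"^Inspect: sip\b",
     "SIP Inspection Media Update DoS"),
    ("DCERPC inspection", "show service-policy", r"^Inspect: dcerpc\b",
     "DCERPC Inspection Buffer Overflow / DoS"),
]

def enabled_features(outputs):
    """Return {feature: [evidence lines]} for each feature whose enabling
    evidence appears in the captured command outputs (lines are stripped)."""
    found = {}
    for feature, command, pattern, _ in CHECKS:
        lines = [line.strip() for line in outputs.get(command, "").splitlines()
                 if re.search(pattern, line.strip())]
        if lines:
            found[feature] = lines
    return found

def exposures(outputs):
    """Map each advisory entry to the list of enabled features that expose it."""
    enabled = enabled_features(outputs)
    result = {}
    for feature, _, _, entry in CHECKS:
        if feature in enabled:
            result.setdefault(entry, []).append(feature)
    return result
```

Calling exposures(SAMPLE_OUTPUT) reports all four advisory entries as exposed, because the constructed sample has every inspected feature switched on; a device with only the default DHCP server and SIP inspection yields just those two.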
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.4(1):
ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window.
DHCP is a protocol that supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server, and WINS server IP address to hosts.
The Cisco ASA Software can act as a DHCP server or a DHCP client. When it operates as a server, the Cisco ASA Software provides network configuration parameters directly to DHCP clients.
A vulnerability exists in the implementation of the Dynamic Host Configuration Protocol (DHCP) server functionality that could allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to a failure in allocating memory for an internal DHCP data structure upon receiving crafted DHCP packets. An attacker could exploit this vulnerability by sending a sequence of crafted DHCP packets to the affected system.
Note: This vulnerability may be triggered by both transit traffic and traffic directed to the affected device. This vulnerability affects both routed and transparent firewall modes in both single-context and multicontext modes. This vulnerability can be triggered only by IPv4 traffic.
This vulnerability affects a Cisco ASA Software configured for Clientless or AnyConnect SSL VPN. Cisco ASA Software configured as an IPsec VPN Server, IPSEC/L2TP VPN Server or IKEv2 AnyConnect server is not affected.
Note: Only traffic destined to the affected device can be used to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured in routed and single-context mode. This vulnerability can be triggered by IPv4 traffic only.
Session Initiation Protocol (SIP), as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences. SIP works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Cisco ASA Software supports dynamic allocation of ports for the media stream via a dedicated SIP inspection engine.
A vulnerability exists in the SIP inspection engine code of the Cisco ASA Software that may allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to improper processing of SIP media update packets. An attacker could exploit this vulnerability by sending a crafted SIP packet through the affected system. The packets that trigger this vulnerability must be part of an established SIP session that is inspected by the affected system.
Note: Only transit traffic can be used to exploit this vulnerability. This
vulnerability affects both routed and transparent firewall mode in both
single and multi-context mode. This vulnerability can be triggered by
IPv4 and IPv6 traffic.
The following section contains information about a workaround, if available, for each vulnerability described in this security advisory.
DHCP Memory Allocation Denial of Service Vulnerability
Besides disabling the DHCP server and DHCP relay features, there are no workarounds that mitigate this vulnerability.
SSL VPN Authentication Denial of Service Vulnerability
There are no workarounds that mitigate this vulnerability.
SIP Inspection Media Update Denial of Service Vulnerability
Disabling SIP inspection will mitigate this vulnerability.
The following commands will disable the SIP inspection that is configured by default:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip
DCERPC Inspection Buffer Overflow Vulnerability and DCERPC Inspection Denial Of Service Vulnerabilities
Besides disabling the DCERPC inspection, there are no workarounds that mitigate these vulnerabilities.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Vulnerability: DHCP Memory Allocation Denial of Service Vulnerability - CSCtw84068
Major Release | First Fixed Release
7.0 | 7.2(5.8)
7.1 | 7.2(5.8)
7.2 | 7.2(5.8)
8.0 | 8.0(5.28)
8.1 | 8.1(2.56)
8.2 | 8.2(5.27)
8.3 | 8.3(2.31)
8.4 | 8.4(3.10)
8.5 | 8.5(1.9)
8.6 | 8.6(1.5)

Vulnerability: SSL VPN Authentication Denial of Service Vulnerability - CSCtz04566
Major Release | First Fixed Release
7.0 | Not Affected
7.1 | Not Affected
7.2 | Not Affected
8.0 | Not Affected
8.1 | Not Affected
8.2 | 8.2(5.30)
8.3 | 8.3(2.34)
8.4 | Not Affected
8.5 | Not Affected
8.6 | Not Affected

Vulnerability: SIP Inspection Media Update Denial of Service Vulnerability - CSCtr63728
Major Release | First Fixed Release
7.0 | Not Affected
7.1 | Not Affected
7.2 | Not Affected
8.0 | Not Affected
8.1 | Not Affected
8.2 | 8.2(5.17)
8.3 | 8.3(2.28)
8.4 | 8.4(2.13)
8.5 | 8.5(1.4)
8.6 | 8.6(1.5)

Vulnerability: DCERPC Inspection Buffer Overflow Vulnerability - CSCtr21359
Major Release | First Fixed Release
7.0 | Not Affected
7.1 | Not Affected
7.2 | Not Affected
8.0 | Not Affected
8.1 | Not Affected
8.2 | Not Affected
8.3 | 8.3(2.34)
8.4 | 8.4(4.4)
8.5 | 8.5(1.13)
8.6 | 8.6(1.3)

Vulnerability: DCERPC Inspection Denial of Service Vulnerabilities - CSCtr21376 and CSCtr21346
Major Release | First Fixed Release
7.0 | Not Affected
7.1 | Not Affected
7.2 | Not Affected
8.0 | Not Affected
8.1 | Not Affected
8.2 | Not Affected
8.3 | 8.3(2.25)
8.4 | 8.4(2.5)
8.5 | 8.5(1.13)
8.6 | Not Affected
The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.
Major Release | Recommended Release
7.0 | 7.2(5.8) |
7.1 | 7.2(5.8) |
7.2 | 7.2(5.8) |
8.0 | 8.0(5.28) |
8.1 | 8.1(2.56) |
8.2 | 8.2(5.33) |
8.3 | 8.3(2.34) |
8.4 | 8.4(4.5) |
8.5 | 8.5(1.14) |
8.6 | 8.6(1.5) |
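As an added example (this editor's code, not Cisco's and not part of the advisory), the following Python parses the version string from the show version output shown earlier and compares it against the first-fixed-release tables above, honouring the Not Affected entries and the 7.0/7.1 to 7.2(5.8) migration. The table values are transcribed from this advisory; the version-ordering rule (major, minor, maintenance, interim compared as integers) is an assumption.

```python
import re

# First fixed release per major release, transcribed from the advisory's tables.
# A major release that is absent from an entry is listed there as Not Affected.
FIRST_FIXED = {
    "DHCP Memory Allocation DoS (CSCtw84068)": {
        "7.0": "7.2(5.8)", "7.1": "7.2(5.8)", "7.2": "7.2(5.8)", "8.0": "8.0(5.28)",
        "8.1": "8.1(2.56)", "8.2": "8.2(5.27)", "8.3": "8.3(2.31)", "8.4": "8.4(3.10)",
        "8.5": "8.5(1.9)", "8.6": "8.6(1.5)"},
    "SSL VPN Authentication DoS (CSCtz04566)": {"8.2": "8.2(5.30)", "8.3": "8.3(2.34)"},
    "SIP Inspection Media Update DoS (CSCtr63728)": {
        "8.2": "8.2(5.17)", "8.3": "8.3(2.28)", "8.4": "8.4(2.13)",
        "8.5": "8.5(1.4)", "8.6": "8.6(1.5)"},
    "DCERPC Inspection Buffer Overflow (CSCtr21359)": {
        "8.3": "8.3(2.34)", "8.4": "8.4(4.4)", "8.5": "8.5(1.13)", "8.6": "8.6(1.3)"},
    "DCERPC Inspection DoS (CSCtr21376, CSCtr21346)": {
        "8.3": "8.3(2.25)", "8.4": "8.4(2.5)", "8.5": "8.5(1.13)"},
}
# Major releases the advisory covers at all; anything else is out of scope here.
COVERED_MAJORS = {"7.0", "7.1", "7.2", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

def parse_version(text):
    """Extract an ASA version such as 8.4(1) or 8.4(3.10) from a string and
    return it as (major, minor, maintenance, interim) so tuples order correctly;
    a release without an interim number sorts before its first interim."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA version in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def assess(show_version_line):
    """Return the sorted advisory entries still unfixed in the running release
    named on a 'show version | include Version' line, or None when the major
    release is not one this advisory covers."""
    running = parse_version(show_version_line)
    major = "%d.%d" % running[:2]
    if major not in COVERED_MAJORS:
        return None
    exposed = []
    for name, table in FIRST_FIXED.items():
        fixed = table.get(major)
        # Skip entries where this major is Not Affected or already at/above the fix.
        if fixed is not None and running < parse_version(fixed):
            exposed.append(name)
    return sorted(exposed)

if __name__ == "__main__":
    # Constructed sample: the output line from the advisory's own show version example.
    for entry in assess("Cisco Adaptive Security Appliance Software Version 8.4(1)") or []:
        print("unfixed:", entry)
```

Feed it the Software Version line only, not the Device Manager line, since the regex takes the first version it finds.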
For Cisco ASA 5500 Series Adaptive Security Appliances, navigate to Products
> Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA
5500 Series Adaptive Security Appliances >
For Cisco Catalyst 6500 Series ASA Services Module, navigate to Products > Cisco Interfaces and Modules > Cisco Services Modules > Cisco Catalyst 6500 Series ASA Services Module > ASA Services Module (ASASM) Software. Please note that some of these versions are interim versions and they can be found by expanding the Interim tab on the download page.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
All the vulnerabilities described in this security advisory were found during internal testing or discovered during the resolution of customer support cases.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2012-October-10 | Initial public release
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.