A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled.

Cisco has released software updates that address this vulnerability. This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130116-asa1000v

Note: Only Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall is affected by the vulnerability described in this advisory. Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco Catalyst 6500 Series ASA Services Module, and the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) are not affected by this vulnerability.
The following configuration shows H.323 inspection for H.225 messages applied in a class of a policy map:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect h323 h225
  ...
!
service-policy global_policy global

Note: Global application is shown in the preceding example, but the service policy could also be applied to a specific interface.

The show service-policy inspect h323 h225 command also identifies a policy map with a class map that has H.323 inspection for H.225 messages applied:

ASA1000v# show service-policy inspect h323 h225
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
               h245-tunnel-block drops 0 connection

Note: The preceding output identifies a policy map with a class map that has H.323 inspection for H.225 messages applied.
The following example shows a system that is running an affected software version, 8.7(1):
ASA1000v(config)# show version
Cisco Adaptive Security Appliance Software Version 8.7(1)
Device Manager Version 6.3(5)
Alternatively, version information can be obtained from the Summary tab of the Cisco ASA 1000V Cloud Firewall resource in the VMware vCenter Server.
H.323 uses the following ports:

1718 - Gatekeeper Discovery (UDP)
1719 - RAS (UDP)
1720 - call control (TCP)

Additional dynamic UDP and TCP ports may be negotiated during the H.323 call signaling setup procedure.
If H.323 inspection for H.225 messages is not required, it can be disabled by removing the inspect h323 h225 command from the class of the policy map that applies it:

ASA1000v(config)# policy-map global_policy
ASA1000v(config-pmap)# class inspection_default
ASA1000v(config-pmap-c)# no inspect h323 h225

Note that with inspection disabled the ASA no longer opens the dynamically negotiated H.323 media ports, so access for those ports must be handled explicitly if H.323 traffic still needs to pass.

If H.323 inspection for H.225 messages is required, there are no workarounds.
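The two checks above (running an affected version, and H.323 inspection for H.225 messages attached through a service policy) can be automated against saved show output. The following Python checker is an added example and is not part of the Cisco advisory or any Cisco tool. The sample show version and running-config text is constructed for the example; the only affected version it knows is the 8.7(1) named in this excerpt, so the AFFECTED_VERSIONS set must be completed from the advisory's own release table before the result is trusted.

```python
import re

# Version this advisory excerpt names as affected. The advisory's full
# affected/fixed release table is not reproduced here; extend this set from
# it before relying on the result (assumption: only 8.7(1) is listed below).
AFFECTED_VERSIONS = {"8.7(1)"}

# Constructed sample output modelled on the advisory's examples; not captured
# from a real device. stale_policy contains the inspection but is never
# attached with service-policy, so it must not count as exposure.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.7(1)
Device Manager Version 6.3(5)
"""

SAMPLE_RUNNING_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect h323 h225 _default_h323_map
  inspect h323 ras
!
policy-map stale_policy
 class inspection_default
  inspect h323 h225
!
service-policy global_policy global
"""

# Matches 'inspect h323 h225' with or without a trailing inspection-map name.
INSPECT_H225 = re.compile(r"^\s+inspect\s+h323\s+h225(\s|$)")


def parse_version(show_version):
    """Extract the ASA software version string, e.g. '8.7(1)', from show version."""
    m = re.search(r"Adaptive Security Appliance Software Version\s+(\S+)", show_version)
    return m.group(1) if m else None


def policy_maps_with_h225_inspection(config):
    """Return the names of Layer 3/4 policy maps containing 'inspect h323 h225'."""
    found = set()
    current = None
    for line in config.splitlines():
        if not line.startswith((" ", "\t")):
            # Any top-level command (including '!') ends the current policy-map block.
            current = None
            parts = line.split()
            # 'policy-map type inspect ...' is an inspection map, not an L3/L4 map; skip it.
            if len(parts) == 2 and parts[0] == "policy-map":
                current = parts[1]
            continue
        if current and INSPECT_H225.match(line):
            found.add(current)
    return found


def applied_service_policies(config):
    """Map each policy-map name to its attach points: 'global' or interface names."""
    applied = {}
    pattern = re.compile(r"^service-policy\s+(\S+)\s+(?:(global)|interface\s+(\S+))[ \t]*$", re.M)
    for m in pattern.finditer(config):
        applied.setdefault(m.group(1), []).append(m.group(3) or m.group(2))
    return applied


def assess(show_version, config):
    """Combine the version and configuration checks into one verdict."""
    version = parse_version(show_version)
    inspecting = policy_maps_with_h225_inspection(config)
    applied = applied_service_policies(config)
    # Only a policy map attached via service-policy actually inspects traffic.
    exposure = {name: points for name, points in applied.items() if name in inspecting}
    version_affected = version in AFFECTED_VERSIONS
    return {
        "version": version,
        "version_affected": version_affected,
        "h225_inspection_attached": exposure,
        "vulnerable": version_affected and bool(exposure),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

Feed it the output of show version and show running-config from the device; the verdict is only as complete as the AFFECTED_VERSIONS set, and a policy map that carries the inspection but is not attached anywhere is reported as not exposing the device.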
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was found during internal testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2013-January-16 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.