Cisco Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities: Cisco FWSM Command Authorization Vulnerability SQL*Net Inspection Engine Denial of Service Vulnerability These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other. Successful exploitation of the Cisco FWSM Command Authorization Vulnerability may result in a complete compromise of the confidentiality, integrity and availability of the affected system. Successful exploitation of the SQL*Net Inspection Engine Denial of Service Vulnerability may result in a reload of an affected device, leading to a denial of service (DoS) condition. Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-fwsm Note: The Cisco Adaptive Security Appliance (ASA) may be affected by the SQL*Net Inspection Engine Denial of Service Vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco ASA. That advisory is available at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
Note: Multiple context mode is not enabled by default. However, when it is enabled and at least one user context is configured, the system is vulnerable. Cisco FWSM Software releases prior to 3.1(8) and 3.2(4) are not affected by this vulnerability.ciscofwsm# show mode
Security context mode: multiple
Note: SQL*Net inspection is enabled by default.ciscofwsm# show service-policy | include sqlnet Inspect: Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the Cisco ASDM window. The version notation is similar to the following example:FWSM> show version FWSM Firewall Version 4.0(16) [...]
Version information can also be obtained from the Cisco Catalyst 6500 Series Switch or the Cisco 7600 Series Router. To determine the version of Cisco FWSM Software that is running on a device, issue the show module command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and submodules are installed on the system.FWSM Version: 4.0(16)
After locating the correct slot, issue the show moduleswitch>show module Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z 4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD 5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.7(0.22)BUB Ok 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok 3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 7.0(4)E4 Ok 4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 Unknown Unknown PwrDown 5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(33)SXH8 Ok [...]
The preceding example shows that the Cisco FWSM is running software version 4.0(16) as indicated by the Sw column.switch>show module 2 Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 2 6 Firewall Module WS-SVC-FWM-1 SAD10360485 Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok [...]
ciscofwsm(config)# policy-map global_policy ciscofwsm(config-pmap)# class inspection_default ciscofwsm(config-pmap-c)# no inspect sqlnet
3.1 |
3.2 |
4.0 |
4.1 |
|
CSCue46080 - Cisco FWSM Command Authorization Vulnerability | Migrate to 3.2.x or later1 |
3.2(25)1 | Migrate to 4.1.(14) or later |
4.1(13) |
CSCui34914 - SQL*Net Inspection Engine Denial of Service Vulnerability |
Migrate to 3.2.x or later | 3.2(27) | Migrate to 4.1(14) or later |
4.1(14) |
Recommended releases that fix all the vulnerabilities in this advisory |
Migrate to 3.2.x or later | 3.2(27) | Migrate to 4.1(14) or later | 4.1(14) |
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.0 | 2013-October-09 | Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.