CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
-
A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software could allow an authenticated, remote attacker to cause a heap overflow.
The vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by sending a crafted URL to the affected system. An exploit could allow the remote attacker to cause a reload of the affected system or potentially execute code.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP connection is needed to perform the attack. The attacker needs to have valid credentials to log in to the Clientless SSL VPN portal.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa
-
Vulnerable Cisco ASA Software running on the following products may be affected by this vulnerability:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco ASA for Firepower 9300 Series
- Cisco ASA for Firepower 4100 Series
- Cisco ISA 3000 Industrial Security Appliance
Vulnerable Products
Cisco ASA Software is affected by this vulnerability if the Clientless SSL VPN portal is enabled. To determine whether the Clientless SSL VPN portal is enabled, the administrator can verify the following:
- webvpn is enabled on at least one interface.
- The group policy includes the ssl-clientless option configured in the vpn-tunnel-protocol command.
ciscoasa# show running-config webvpn
webvpn
 enable outside
[...]
ciscoasa# show running-config group-policy Clientless attributes | include vpn-tunnel-protocol
 vpn-tunnel-protocol ssl-client ssl-clientless
Note: Cisco ASA configured with a Cisco AnyConnect Essential license is not affected by this vulnerability.
Determining the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can use the show version command. The following example shows the results of the show version command on an appliance running Cisco ASA Software version 9.2(1):
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
Products Confirmed Not Vulnerable
Cisco Firepower Threat Defense Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
Workarounds
It is possible to block the offending URL using a webtype access list, which can be performed using the following steps:
- Configure the webtype access list:
access-list bugCSCvc23838 webtype deny url https://*/+webvpn+/CIFS_R/*
access-list bugCSCvc23838 webtype permit url https://*
access-list bugCSCvc23838 webtype permit url cifs://*
- Apply the access list in the group policy with the filter value <webtype acl name> command:
group-policy Clientless attributes
 webvpn
  filter value bugCSCvc23838
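The exposure checks above (webvpn enabled on an interface, ssl-clientless in vpn-tunnel-protocol, running version against the fixed releases) and the webtype ACL workaround can all be verified offline from saved device output. The following script is an added example written for this advisory, not Cisco's code; it parses constructed show version and running-config text with the regular expressions assumed here and reports whether a device is unfixed, has the Clientless portal enabled, and has the workaround ACL applied.

```python
import re

# First fixed release per major train, from the advisory's Fixed Software table; majors
# absent here (9.0, 9.2, 9.3, 9.5) had no fixed release at publication: treat as affected.
FIRST_FIXED = {"9.1": (9, 1, 7, 13), "9.4": (9, 4, 4, 0), "9.6": (9, 6, 2, 10)}
NOT_AFFECTED_FROM = (9, 7)  # 9.7 and later are not affected

def parse_version(show_version):
    """Pull the ASA version out of 'show version' text: '9.1(7.13)' -> (9, 1, 7, 13)."""
    m = re.search(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", show_version)
    if not m:
        raise ValueError("no ASA version line found")
    return tuple(int(x or 0) for x in m.groups())

def version_is_fixed(ver):
    """True when the release is at or past the first fixed release of its train."""
    if ver[:2] >= NOT_AFFECTED_FROM:
        return True
    fixed = FIRST_FIXED.get(f"{ver[0]}.{ver[1]}")
    return fixed is not None and ver >= fixed

def clientless_portal_enabled(config):
    """Both advisory conditions: the global 'webvpn' block has 'enable <iface>' and
    some group policy lists ssl-clientless in vpn-tunnel-protocol."""
    block = re.search(r"^webvpn\n((?:[ ].*(?:\n|$))*)", config, re.M)
    webvpn_on = bool(block) and re.search(r"^ enable \S+", block.group(1), re.M) is not None
    clientless = re.search(r"^ vpn-tunnel-protocol .*\bssl-clientless\b", config, re.M)
    return webvpn_on and clientless is not None

def workaround_applied(config):
    """True when a webtype ACL denying the CIFS_R URL is applied via 'filter value'.
    (Does not check that the filter sits in the same policy that allows ssl-clientless.)"""
    acls = re.findall(r"^access-list (\S+) webtype deny url \S*/\+webvpn\+/CIFS_R/", config, re.M)
    return any(re.search(rf"^ +filter value {re.escape(a)} *$", config, re.M) for a in acls)

def assess(show_version, config):
    """'not exposed', 'mitigated' (workaround ACL in place) or 'EXPOSED'."""
    if version_is_fixed(parse_version(show_version)) or not clientless_portal_enabled(config):
        return "not exposed"
    return "mitigated" if workaround_applied(config) else "EXPOSED"

# Constructed sample output and config (not captured from a real device).
SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.2(1)\n"
CONFIG = """\
webvpn
 enable outside
group-policy Clientless attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  filter value bugCSCvc23838
access-list bugCSCvc23838 webtype deny url https://*/+webvpn+/CIFS_R/*
access-list bugCSCvc23838 webtype permit url https://*
"""
```

Run assess(SHOW_VERSION, CONFIG) against the sample to get "mitigated"; remove the filter value line and the same unfixed 9.2(1) device is reported as "EXPOSED".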
Fixed Software
In the following table, the left column lists major releases of Cisco ASA Software. The right column indicates whether a major release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.
Cisco ASA Major Release | First Fixed Release
Prior to 9.0 [1]        | Affected, migrate to 9.1(7.13) or later
9.0 [1]                 | Affected, migrate to 9.1(7.13) or later
9.1                     | 9.1(7.13) or later
9.2 [2]                 | Affected, migrate to 9.4(4) or later
9.3 [1]                 | Affected, migrate to 9.4(4) or later
9.4                     | 9.4(4) or later
9.5 [2]                 | Affected, migrate to 9.6(2.10) or later
9.6                     | 9.6(2.10) or later
9.7                     | Not affected
[1] Cisco ASA Software releases prior to 9.1 and Cisco ASA release 9.3 have reached End of Software Maintenance. Customers should migrate to a supported release.
[2] A fix for Cisco ASA Software releases 9.2 and 9.5 will be available in April 2017.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.
Information about an exploit of this vulnerability has been published at the following link:
https://bugs.chromium.org/p/project-zero/issues/detail?id=998
-
This vulnerability was reported to Cisco by Oliver Chang, from Google Project Zero.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
1.2 | Updated information about public announcement and workaround. | Exploitation and Public Announcements and Workarounds | Final | 2017-February-17
1.1 | Updated table in Fixed Software. | Fixed Software | Final | 2017-February-08
1.0 | Initial public release. | — | Final | 2017-February-08
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.