AV:A/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
-
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA Failover Command Injection Vulnerability
- Cisco ASA DNS Memory Exhaustion Vulnerability
- Cisco ASA VPN XML Parser Denial of Service Vulnerability
Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.
Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.
Cisco has released software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa
Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.
The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
-
Cisco ASA Software running on the following products is affected by multiple vulnerabilities:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
Vulnerable Products
Cisco ASA Failover Command Injection Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured in high availability mode (also known as failover mode) and the failover ipsec feature is configured to protect failover communications.
To determine whether Cisco ASA Software is configured for failover, use the show failover command and verify that the failover state is set to ON. The following example shows a Cisco ASA with failover mode enabled:
ciscoasa# show failover
Failover On
[...]
The following example shows a Cisco ASA with the failover ipsec feature enabled:
ciscoasa# show running-config failover | include ipsec
failover ipsec pre-shared-key *****
Note: Cisco ASA configurations using the failover key command are not affected by this vulnerability. The failover ipsec feature is not enabled by default.
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA Software is affected by this vulnerability if at least one DNS server IP address is configured under a DNS server group. This can be configured either as part of the configuration of the default DNS server group (DefaultDNS) or configured under a user-defined DNS server group.
To determine whether a DNS server IP address is configured, use the show running-config dns server-group command and verify that the name-server parameter includes an IP address.
The following example shows a Cisco ASA configured with a DNS server IP 192.168.1.1 as part of the DefaultDNS server group.
ciscoasa# show running-config dns server-group
DNS server-group DefaultDNS
name-server 192.168.1.1
Note: The DNS name-server value is not configured by default in any DNS server group.
Cisco ASA VPN XML Parser Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the system is configured for AnyConnect SSL VPN, Clientless SSL VPN, or AnyConnect IKEv2 VPN. Cisco ASA Software configured for any other type of VPN is not affected by this vulnerability.
To determine whether the system is configured for AnyConnect or Clientless SSL VPN, use the show running-config webvpn command and verify that webvpn is enabled on at least one interface. The following example shows a Cisco ASA with SSL VPN enabled on the outside interface:
ciscoasa# show running-config webvpn
webvpn
 enable outside
[...]
To determine whether the system is configured for AnyConnect IKEv2 VPN, use the show running-config crypto ikev2 | include enable command and verify that IKEv2 is enabled with client-services on at least one interface. The following example shows a Cisco ASA with AnyConnect IKEv2 VPN enabled on the outside interface:
ciscoasa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside client-services port 443
Determining the Running Software Version
To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows an appliance running Cisco ASA Software version 9.2(1):
ciscoasa# show version | include Version
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.4(1)
Products Confirmed Not Vulnerable
Cisco ASA FirePOWER Services and Cisco ASA Context-Aware (CX) Services are not affected by this vulnerability.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Adaptive Security Appliance (ASA) Software is the operating system used by the Cisco ASA 5500 Series Adaptive Security Appliances, the Cisco ASA 5500-X Next Generation Firewall, the Cisco ASA Services Module (ASASM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, the Cisco ASA 1000V Cloud Firewall, and the Cisco Adaptive Security Virtual Appliance (ASAv). The Cisco ASA family provides network security services such as firewall, intrusion prevention system (IPS), anti-X, and VPN.
Cisco ASA Failover Command Injection Vulnerability
A vulnerability in the failover ipsec feature of Cisco ASA Software could allow an unauthenticated, adjacent attacker to submit configuration commands to any of the failover units via the failover interface. As a result, an attacker could be able to take full control of both the active and standby failover units.
The vulnerability is due to improper handling of secured failover communication messages when the failover ipsec feature is configured. An attacker could exploit this vulnerability by sending crafted UDP packets directed to the failover interface IP address. An attacker needs IP connectivity to the failover interface IP addresses to exploit this vulnerability.
Note: Only UDP packets directed to the failover interface IP address of the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed or transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IP version 4 (IPv4) and IP version 6 (IPv6) traffic.
This vulnerability is documented in Cisco bug ID CSCur21069 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0675.
Cisco ASA DNS Memory Exhaustion Vulnerability
A vulnerability in the DNS code of the Cisco ASA Software could allow an unauthenticated, remote attacker to exhaust available memory, which could lead to system instability and the inability to process or forward traffic.
The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a request to an affected Cisco ASA appliance, which can cause it to generate a DNS request packet. The attacker would need to be able to intercept this request and reply with a crafted DNS reply packet.
Note: Only traffic directed to the affected device can be used to exploit this vulnerability. This vulnerability affects Cisco ASA Software configured in routed and transparent firewall mode and single and multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
This vulnerability is documented in Cisco bug ID CSCuq77655 (registered customers only) and has been assigned CVE ID CVE-2015-0676.
Cisco ASA VPN XML Parser Denial of Service Vulnerability
A vulnerability in the XML parser of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a crash of the WebVPN component that could lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.
The vulnerability is due to insufficient hardening of the XML parser configuration. An attacker could exploit this vulnerability by sending a crafted XML message to the affected system. This vulnerability affects Cisco ASA appliances configured for Clientless or AnyConnect SSL VPN and AnyConnect IKEv2 VPN. All other VPN configurations are unaffected by this vulnerability.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects only systems configured in routed firewall mode and in single context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
This vulnerability is documented in Cisco bug ID CSCus95290 (registered customers only) and has been assigned CVE ID CVE-2015-0677.
-
For the Cisco ASA Failover Command Injection Vulnerability, configuring failover protection via the failover key feature and removing the failover ipsec feature provides a workaround for this issue. To configure a failover key, use the failover key <key> command. The following example shows how to remove the failover ipsec feature and configure the failover key feature with a key value cisco-key:
ciscoasa(config)# no failover ipsec pre-shared-key
ciscoasa(config)# failover key cisco-key
For the Cisco ASA DNS Memory Exhaustion Vulnerability, setting the DNS retries value to 0 for the configured DNS server group provides a workaround. The following example shows how to set the retries setting to 0 for the default DNS server group (DefaultDNS):
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# retries 0
There is no workaround for the Cisco ASA VPN XML Parser Denial of Service Vulnerability.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Each row of the following Cisco ASA Software table lists the first fixed release for each of the vulnerabilities described in this advisory for each Cisco ASA major release. The last row of the table gives information about the release version that includes the fix for all the vulnerabilities described in this advisory for each Cisco ASA major release. Customers should upgrade to a release that is equal to, or later than these release versions.
Cisco ASA Major Release | 7.2 | 8.2 | 8.3 | 8.4 | 8.5 | 8.6 | 8.7 | 9.0 | 9.1 | 9.2 | 9.3 | 9.4
CSCur21069 - Cisco ASA Failover Command Injection Vulnerability | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | 9.1(6) | 9.2(3.3) | 9.3(3) [2] | Not Affected
CSCuq77655 - Cisco ASA DNS Memory Exhaustion Vulnerability | 7.2(5.16) [2] | 8.2(5.57) | 8.3(2.44) | 8.4(7.28) | 8.5(1.24) | 8.6(1.17) | 8.7(1.16) | 9.0(4.33) | 9.1(6.1) | 9.2(3.4) | 9.3(3) [2] | Not Affected
CSCus95290 - Cisco ASA VPN XML Parser Denial of Service Vulnerability | Not Affected | Not Affected | Not Affected | 8.4(7.28) | Not Affected | 8.6(1.17) | Not Affected | 9.0(4.33) | 9.1(6) | 9.2(3.4) | 9.3(3) [2] | Not Affected
Recommended release that fixes all the vulnerabilities in this security advisory [1] | 7.2(5.16) [2] and later | 8.2(5.57) and later | 8.3(2.44) and later | 8.4(7.28) and later | 8.5(1.24) and later | 8.6(1.17) and later | 8.7(1.16) and later | 9.0(4.33) and later | 9.1(6.1) and later | 9.2(3.4) and later | 9.3(3) [2] and later | Not Affected
[1] The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.
The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp
[2] Cisco ASA releases 7.2(5.16) and 9.3(3) will be available by the 15th of April.
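As an added example (not part of Cisco's advisory), the following script applies the first-fixed table and the configuration preconditions from the Vulnerable Products section to captured show version and show running-config output, so exposure to each CVE can be assessed across many devices without hand-reading each one. The embedded sample output is constructed, and the regexes for the running-config line formats are my assumption.

```python
"""Exposure check for cisco-sa-20150408-asa over captured ASA CLI output (added example)."""
import re
# First fixed release per major train, transcribed from the advisory's table;
# a train absent from a CVE's entry is "Not Affected" in the advisory.
FIRST_FIXED = {
    "CVE-2015-0675": {"9.1": "9.1(6)", "9.2": "9.2(3.3)", "9.3": "9.3(3)"},
    "CVE-2015-0676": {"7.2": "7.2(5.16)", "8.2": "8.2(5.57)", "8.3": "8.3(2.44)", "8.4": "8.4(7.28)",
                      "8.5": "8.5(1.24)", "8.6": "8.6(1.17)", "8.7": "8.7(1.16)", "9.0": "9.0(4.33)",
                      "9.1": "9.1(6.1)", "9.2": "9.2(3.4)", "9.3": "9.3(3)"},
    "CVE-2015-0677": {"8.4": "8.4(7.28)", "8.6": "8.6(1.17)", "9.0": "9.0(4.33)",
                      "9.1": "9.1(6)", "9.2": "9.2(3.4)", "9.3": "9.3(3)"},
}

def parse_version(text):
    """'9.2(3.4)' -> (9, 2, 3, 4); '9.3(3)' -> (9, 3, 3, 0); tuples compare in release order."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text)  # first version token = ASA version
    if not m:
        raise ValueError("no ASA version in %r" % text)
    return tuple(int(x or 0) for x in m.groups())

def has(config, pattern):
    return re.search(pattern, config, re.MULTILINE) is not None

def webvpn_enabled(config):
    # 'enable <interface>' must sit inside the webvpn block, not e.g. 'enable password'.
    block = re.search(r"^webvpn\n((?:[ \t]+.*\n?)*)", config, re.MULTILINE)
    return bool(block and re.search(r"^[ \t]+enable \S+", block.group(1), re.MULTILINE))

def precondition(cve, config):
    """Configuration preconditions from the advisory's Vulnerable Products section."""
    if cve == "CVE-2015-0675":  # failover on AND failover ipsec; 'failover key' alone is unaffected
        return has(config, r"^failover$") and has(config, r"^failover ipsec pre-shared-key")
    if cve == "CVE-2015-0676":  # at least one name-server under any DNS server-group
        return has(config, r"^[ \t]+name-server \S+")
    return webvpn_enabled(config) or has(config, r"^crypto ikev2 enable \S+")  # CVE-2015-0677

def exposure(show_version, running_config):
    """Map each advisory CVE the device is exposed to -> first fixed release for its train."""
    running = parse_version(show_version)
    train = "%d.%d" % running[:2]
    result = {}
    for cve, fixed in FIRST_FIXED.items():
        if train in fixed and running < parse_version(fixed[train]) and precondition(cve, running_config):
            result[cve] = fixed[train]
    return result

# Constructed sample output (not captured from a real device), mirroring the advisory's examples.
SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.2(1)\n"
RUNNING_CONFIG = "failover\nfailover key *****\ndns server-group DefaultDNS\n name-server 192.168.1.1\n" \
                 "enable password ***** encrypted\nwebvpn\n enable outside\n"
if __name__ == "__main__":
    print(exposure(SHOW_VERSION, RUNNING_CONFIG))  # {'CVE-2015-0676': '9.2(3.4)', 'CVE-2015-0677': '9.2(3.4)'}
```

The sample device uses failover key rather than failover ipsec, so only the DNS and XML parser issues are reported; devices on 9.4 or at the first fixed release of their train report nothing.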
Software Download
Cisco ASA Software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html
For Cisco ASA 5500 Series Adaptive Security Appliances and Cisco ASA 5500-X Next Generation Firewall, navigate to Products > Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA 5500 Series Adaptive Security Appliances > <your Cisco ASA model> > Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and can be found by expanding the Interim tab on the download page.
For the Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, navigate to Products > Cisco Interfaces and Modules > Cisco Services Modules > Cisco Catalyst 6500 Series / 7600 Series ASA Services Module > Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and can be found by expanding the Interim tab on the download page.
For the Cisco ASA 1000V Cloud Firewall, navigate to Products > Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco ASA 1000V Cloud Firewall > Adaptive Security Appliance (ASA) Software.
For the Cisco Adaptive Security Virtual Appliance (ASAv), navigate to Products > Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco Adaptive Security Virtual Appliance (ASAv) > Adaptive Security Appliance (ASA) Software.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
The Cisco ASA Failover Command Injection Vulnerability was reported to Cisco by Alec Stuart-Muirk.
The Cisco ASA DNS Memory Exhaustion Vulnerability was discovered during the resolution of support cases.
The Cisco ASA VPN XML Parser Denial of Service Vulnerability was reported to Cisco by Oldrich Valka from AEC.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 2015-April-08 Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.